[Buildroot] [PATCH 3/3] cargo-bin: bump version to 0.30.0
Eric Le Bihan
eric.le.bihan.dev at free.fr
Sun Oct 21 17:41:57 UTC 2018
Hi!
On 2018-10-21 00:02, Thomas Petazzoni wrote:
> Hello Eric,
>
> On Thu, 18 Oct 2018 22:58:35 +0200, Eric Le Bihan wrote:
> > Signed-off-by: Eric Le Bihan <eric.le.bihan.dev at free.fr>
>
> I had to revert this patch, it was causing build failures due to the
> hashes. See below.
>
> > diff --git a/package/cargo-bin/cargo-bin.hash b/package/cargo-bin/cargo-bin.hash
> > index ad2da2bc00..96e90c6603 100644
> > --- a/package/cargo-bin/cargo-bin.hash
> > +++ b/package/cargo-bin/cargo-bin.hash
> > @@ -1,9 +1,9 @@
> > -# From https://static.rust-lang.org/dist/cargo-0.27.0-i686-unknown-linux-gnu.tar.xz.sha256
> > -sha256 64c2262c0577ef1824d3d885753362d68c04f36ea85a195894894c37e2445ef5 cargo-0.27.0-i686-unknown-linux-gnu.tar.xz
> > -# From https://static.rust-lang.org/dist/cargo-0.27.0-powerpc64le-unknown-linux-gnu.tar.xz.sha256
> > -sha256 3688bea3d971615d9c4b33612c20783bd9a385539aa7f754e6543c196e1bcec2 cargo-0.27.0-powerpc64le-unknown-linux-gnu.tar.xz
> > -# From https://static.rust-lang.org/dist/cargo-0.27.0-x86_64-unknown-linux-gnu.tar.xz.sha256
> > -sha256 d09c061daaafd735742e0b18a4da6eb656f61d4c57504d100a6ca9f766b38c71 cargo-0.27.0-x86_64-unknown-linux-gnu.tar.xz
> > +# From https://static.rust-lang.org/dist/cargo-0.30.0-i686-unknown-linux-gnu.tar.xz.sha256
> > +sha256 4b828c263283241ad1c99f30e0b5d8554b6dac2737d09cfd466b4c15b0d7296a cargo-0.30.0-i686-unknown-linux-gnu.tar.xz
> > +# From https://static.rust-lang.org/dist/cargo-0.30.0-powerpc64le-unknown-linux-gnu.tar.xz.sha256
> > +sha256 3718a63fa744d9cd856d72a4fe3ac3b84ff34575a77da72667474c4726d56155 cargo-0.30.0-powerpc64le-unknown-linux-gnu.tar.xz
> > +# From https://static.rust-lang.org/dist/cargo-0.30.0-x86_64-unknown-linux-gnu.tar.xz.sha256
> > +sha256 9524db722356307669c9068bb7df8dbd57e153717e62071b62560eb22ce2f3cd cargo-0.30.0-x86_64-unknown-linux-gnu.tar.xz
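Review bot: the three `+sha256` lines record values that no longer match what the `# From ...sha256` comments above them point at; the i686 line carries 4b828c263283241ad1c99f30e0b5d8554b6dac2737d09cfd466b4c15b0d7296a while upstream's .sha256 for that file now reads 43a5754d13fa0436b33c48b1f562b4198d6930efad3dc36284b88289ff20d74d, and the powerpc64le and x86_64 lines differ likewise, so a fresh `make cargo-bin-source` will fail the hash check. Since the tarballs were evidently regenerated after the first download, the fix is not to copy whatever upstream serves today but to re-download, verify each detached .asc against the Rust release key fingerprint, compute sha256sum locally, and only then record the value; noting the .asc URL next to the existing `# From` comment would document that this was done.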
>
> So you updated all those hashes, but they are all wrong. They do not match
> the tarballs, they do not match the .sha256 files provided on the
> upstream site. The upstream site tarballs do match the .sha256 file
> that they provide, but they are different hashes than yours.
Looking at the official archive web page [1], we can see that all the
cargo-0.30.0.*.xz files have been generated on 2018-10-12T16:33, i.e.
the same day as rust-1.29.2 was released.
But my initial patch series was for rust-1.29.1 and cargo-0.30.0,
generated on 2018-10-08 [2], and cargo-0.30.0 was tagged on 2018-09-18 [3].
So it looks like upstream did regenerate the cargo-0.30.0 tarballs for
rust-1.29.2 release.
> This looks weird and suspicious. Has upstream modified their tarballs
> after releasing them? Has their server been hacked, and the tarballs
> replaced with some bad thing inside?
Void Linux seems to have the same issue [4]. They reverted a commit
where the initial hash for cargo-0.30.0-i686 was
4b828c263283241ad1c99f30e0b5d8554b6dac2737d09cfd466b4c15b0d7296a (just
like in my patch) to
43a5754d13fa0436b33c48b1f562b4198d6930efad3dc36284b88289ff20d74d (the
new one). Same goes for x86_64.
> Could you check if you still have a copy of those tarballs locally on
> your machine ? Do they have the hash that you wrote in the .hash file ?
> If so, could you carefully keep such tarballs, and compare their
> contents with the tarballs currently provided by the upstream site ?
I'll have a look.
> Note: we really don't want to blindly update those hashes so that they
> match upstream. We need to understand why the hashes that they provide
> now don't match the ones that you provided in this patch.
Upstream offers GPG signatures, so I compared the contents of the *.sha256
files against the values generated locally after checking the signatures:
```
$ gpg --keyserver-options auto-key-retrieve --verify cargo-0.30.0-i686-unknown-linux-gnu.tar.xz.asc cargo-0.30.0-i686-unknown-linux-gnu.tar.xz
gpg: Signature made Fri Oct 12 18:13:36 2018 CEST using RSA key ID 7B3B09DC
gpg: requesting key 7B3B09DC from hkp server keys.gnupg.net
gpg: key FA1BE5FE: public key "Rust Language (Tag and Release Signing Key) <rust-key at rust-lang.org>" imported
gpg: key C46ACCF5: public key "Shukhrat Mukimov <mukimov at gmail.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2034-07-25
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
gpg: Good signature from "Rust Language (Tag and Release Signing Key) <rust-key at rust-lang.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 108F 6620 5EAE B0AA A8DD 5E1C 85AB 96E6 FA1B E5FE
Subkey fingerprint: C134 66B7 E169 A085 1886 3216 5CB4 A934 7B3B 09DC
$ gpg --verify cargo-0.30.0-powerpc64le-unknown-linux-gnu.tar.xz.asc cargo-0.30.0-powerpc64le-unknown-linux-gnu.tar.xz
gpg: Signature made Fri Oct 12 18:16:33 2018 CEST using RSA key ID 7B3B09DC
gpg: Good signature from "Rust Language (Tag and Release Signing Key) <rust-key at rust-lang.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 108F 6620 5EAE B0AA A8DD 5E1C 85AB 96E6 FA1B E5FE
Subkey fingerprint: C134 66B7 E169 A085 1886 3216 5CB4 A934 7B3B 09DC
$ gpg --verify cargo-0.30.0-x86_64-unknown-linux-gnu.tar.xz.asc cargo-0.30.0-x86_64-unknown-linux-gnu.tar.xz
gpg: Signature made Fri Oct 12 18:14:44 2018 CEST using RSA key ID 7B3B09DC
gpg: Good signature from "Rust Language (Tag and Release Signing Key) <rust-key at rust-lang.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 108F 6620 5EAE B0AA A8DD 5E1C 85AB 96E6 FA1B E5FE
Subkey fingerprint: C134 66B7 E169 A085 1886 3216 5CB4 A934 7B3B 09DC
```
```
$ cat *.sha256
43a5754d13fa0436b33c48b1f562b4198d6930efad3dc36284b88289ff20d74d cargo-0.30.0-i686-unknown-linux-gnu.tar.xz
f8d7c27a40bba6343ee7dd39a324fe772b77824921adf3e9514a44d4e49059c8 cargo-0.30.0-powerpc64le-unknown-linux-gnu.tar.xz
cb7c63c166baa42ab0be08429e29fa59fc7108efd17ca512462b2645b1655a7f cargo-0.30.0-x86_64-unknown-linux-gnu.tar.xz
$ sha256sum *.xz
43a5754d13fa0436b33c48b1f562b4198d6930efad3dc36284b88289ff20d74d cargo-0.30.0-i686-unknown-linux-gnu.tar.xz
f8d7c27a40bba6343ee7dd39a324fe772b77824921adf3e9514a44d4e49059c8 cargo-0.30.0-powerpc64le-unknown-linux-gnu.tar.xz
cb7c63c166baa42ab0be08429e29fa59fc7108efd17ca512462b2645b1655a7f cargo-0.30.0-x86_64-unknown-linux-gnu.tar.xz
```
The key is listed among the official ones [5,6].
Should the new patch with proper hashes mention something like this?
```
# From https://static.rust-lang.org/dist/cargo-0.30.0-i686-unknown-linux-gnu.tar.xz.sha256
# Verified using https://static.rust-lang.org/dist/cargo-0.30.0-i686-unknown-linux-gnu.tar.xz.asc
sha256 43a5754d13fa0436b33c48b1f562b4198d6930efad3dc36284b88289ff20d74d cargo-0.30.0-i686-unknown-linux-gnu.tar.xz
```
[1] https://static.rust-lang.org/dist/index.html
[2] https://github.com/elebihan/buildroot/commit/607827d362f8e5b073df2dc0fb5deb50fc213aaf
[3] https://github.com/rust-lang/cargo/releases/tag/0.30.0
[4] https://github.com/void-linux/void-packages/commit/65eb57a59a878483bb1678b7058f0065c42e19cd
[5] https://github.com/rust-lang-deprecated/rustup.sh/issues/65#issuecomment-242205887
[6] http://pgp.mit.edu/pks/lookup?op=vindex&search=0x85AB96E6FA1BE5FE
Regards,
--
ELB
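The check Eric performs by hand above (signature, then upstream .sha256 against a local sha256sum, then the Buildroot .hash entry) is worth scripting, with one addition: the gpg run in the thread fetched the key with auto-key-retrieve and gpg itself warns that the key is not certified, so "Good signature" only proves the signature matches some key a keyserver handed back. What ties it to the Rust release key is the printed primary fingerprint, 108F 6620 5EAE B0AA A8DD 5E1C 85AB 96E6 FA1B E5FE, which the script below pins by reading gpg's machine-readable status output instead of its human text. This is an added example, not Buildroot's or rust-lang's own tooling; the fingerprint is the one shown in the thread and in [5,6], while the function names, argument order and the assumption that `sha256sum` and `gpg` are on PATH are this example's own.

```shell
#!/bin/sh
# Added example (not Buildroot's or Rust's code): cross-check a Rust release
# tarball the way the thread does, but with the signer pinned by fingerprint.
#   1. the detached .asc signature is valid AND made by the pinned primary key;
#   2. sha256sum of the tarball equals the upstream .sha256 file;
#   3. that value equals the entry recorded in the Buildroot .hash file.
# RUST_KEY_FPR is the primary key fingerprint printed in the thread; the
# function names and file layout are this example's own assumptions.

RUST_KEY_FPR="108F66205EAEB0AAA8DD5E1C85AB96E6FA1BE5FE"

# Read "gpg --status-fd" output on stdin; succeed only if a VALIDSIG line
# ends with the pinned primary-key fingerprint (its last field). "Good
# signature" alone is not enough: with --auto-key-retrieve any key a
# keyserver hands back produces it, and gpg warned the key is uncertified.
check_gpg_status() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == fpr { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Verify a detached signature; the key must already be in the keyring.
# The pipeline's exit status is check_gpg_status's, not gpg's.
verify_signature() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | check_gpg_status "$RUST_KEY_FPR"
}

# First field of an upstream "<hex>  <filename>" .sha256 file.
expected_from_sha256_file() {
    awk 'NR == 1 { print $1 }' "$1"
}

# Hash recorded for a filename in a Buildroot .hash file
# (data lines look like "sha256  <hex>  <filename>"; comments start with #).
expected_from_hash_file() {
    awk -v name="$2" '$1 == "sha256" && $3 == name { print $2 }' "$1"
}

# Hash of the local download, computed rather than trusted.
actual_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Succeed only when local, upstream .sha256 and Buildroot .hash all agree;
# otherwise report which pair disagrees. This is the comparison that would
# have flagged the stale 4b828c... value before the patch was merged.
check_hashes() {
    tarball="$1"; sha_file="$2"; hash_file="$3"
    name=$(basename "$tarball")
    local_sum=$(actual_sha256 "$tarball")
    upstream_sum=$(expected_from_sha256_file "$sha_file")
    recorded_sum=$(expected_from_hash_file "$hash_file" "$name")
    if [ "$local_sum" != "$upstream_sum" ]; then
        echo "MISMATCH $name: local $local_sum, upstream .sha256 $upstream_sum" >&2
        return 1
    fi
    if [ "$local_sum" != "$recorded_sum" ]; then
        echo "MISMATCH $name: local $local_sum, Buildroot .hash '$recorded_sum'" >&2
        return 1
    fi
    echo "OK $name $local_sum"
}

# verify_release <tarball> <.asc> <.sha256> <buildroot .hash>
verify_release() {
    verify_signature "$2" "$1" || {
        echo "signature check failed or signer is not $RUST_KEY_FPR: $1" >&2
        return 1
    }
    check_hashes "$1" "$3" "$4"
}

# Run as a CLI when given the four paths, e.g.
#   ./check.sh cargo-0.30.0-i686-unknown-linux-gnu.tar.xz \
#       cargo-0.30.0-i686-unknown-linux-gnu.tar.xz.asc \
#       cargo-0.30.0-i686-unknown-linux-gnu.tar.xz.sha256 \
#       package/cargo-bin/cargo-bin.hash
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

Run it once per architecture before touching cargo-bin.hash; when `check_hashes` reports a mismatch between the local sum and the upstream .sha256, that is the "tarball was regenerated" situation from this thread and the right move is to redo the download and signature step, not to edit the .hash file to whichever value makes the build pass.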