Comments (7)
What is the source of the expected and actual values?
I downloaded the file and its sig from the web site and the tar.gz verifies:
edamame:libdap4 jimg$ gpg --verify /Users/jimg/Downloads/libdap-3.19.1.tar.gz.sig /Users/jimg/Downloads/libdap-3.19.1.tar.gz
gpg: Signature made Sun Dec 3 13:45:32 2017 MST using DSA key ID 737C24C4
gpg: Good signature from "OPeNDAP Security (OPeNDAP, Inc.) [email protected]"
from libdap4.
The expected values were listed in the homebrew formula, which I presume were entered by the author of the formula. The concern is if the file was changed maliciously, thus causing the checksum to no longer match.
The issue I raised in the homebrew repo can be found here
Here is the formula for libdap in homebrew.
https://github.com/Homebrew/homebrew-core/blob/e7c2ad2850a1beb4b7299c5d0c27520ee80bd2ce/Formula/libdap.rb
from libdap4.
commit e7c2ad2850a1beb4b7299c5d0c27520ee80bd2ce
Author: BrewTestBot <[email protected]>
Date: Sat Sep 30 14:33:47 2017 +0000
libdap: update 3.19.1 bottle.
commit d4326b0430500f51275da33f2b1bc372a3896fe6
Author: ilovezfs <[email protected]>
Date: Sat Sep 30 06:23:57 2017 -0700
libdap 3.19.1
Closes #18773.
Signed-off-by: ilovezfs <[email protected]>
So it seems someone decided to overwrite the original tarball two months after it was originally posted with a different tarball.
from libdap4.
Note that for security reasons we cannot update the checksum in Homebrew until we understand what exactly happened here.
Also, note that Homebrew/homebrew-core#18773 was green on our CI meaning the checksum in the formula matched both my local download and the independent downloads on our three CI servers.
from libdap4.
@ilovezfs thanks for the investigation. Hope it could be resolved soon. It was blocking the completion of my install for gdal. Will look for another solution in the meantime. Thanks.
from libdap4.
Fixed. Here's what happened: In late Sept we planned on releasing our data server and pushed libdap-3.19.1 up to our ftp site. But other commitments meant that some issues in the rest of the server had to wait to be fixed. As a result we didn't release the server until early Dec and I (mistakenly) built a new source dist for libdap on a different host. I've replaced that with the original one and the sha256 of the original matches the one homebrew expects. I also checked that the package that you got that failed the check is not the result of malicious action - it was the source dist I built in early Dec.
Please let me know if this does not fix your build issues.
from libdap4.
Thanks for the detailed explanation @jgallagher59701! It looks like we're all good again:
iMac-TMP:~ joe$ brew fetch -fs libdap
==> Downloading https://www.opendap.org/pub/source/libdap-3.19.1.tar.gz
######################################################################## 100.0%
Downloaded to: /Users/joe/Library/Caches/Homebrew/libdap-3.19.1.tar.gz
SHA256: 5215434bacf385ba3f7445494ce400a5ade3995533d8d38bb97fcef1478ad33e
iMac-TMP:~ joe$
from libdap4.
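When a tarball is rebuilt and re-uploaded under the same name, as happened in this thread, the pinned SHA-256 fails, but the hash alone cannot say whether any source file changed. The following is an added example, not code from the thread, from libdap or from Homebrew: it triages such a mismatch by comparing per-file digests inside the two archives. The file names, contents and timestamps are constructed samples, and the function names are hypothetical.

```python
import gzip, hashlib, io, tarfile

def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()

def build_tarball(files, mtime):
    """Constructed stand-in for a source dist: same inputs, given build time."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    # The gzip header carries a timestamp too, so a rebuild changes the bytes.
    return gzip.compress(raw.getvalue(), mtime=mtime)

def member_digests(blob):
    """Map each regular file in a .tar.gz to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
    return digests

def triage(pinned_blob, fetched_blob):
    """Classify a mismatch between the pinned archive and the one fetched now."""
    if sha256_hex(pinned_blob) == sha256_hex(fetched_blob):
        return "match", []
    old, new = member_digests(pinned_blob), member_digests(fetched_blob)
    changed = sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))
    return ("content-changed" if changed else "repackaged"), changed

# Constructed sample data; not the real libdap sources.
SRC = {"libdap-3.19.1/configure.ac": b"AC_INIT(libdap, 3.19.1)\n",
       "libdap-3.19.1/Vector.cc": b"// constructed sample\n"}
ORIGINAL = build_tarball(SRC, mtime=1506700000)
REBUILT = build_tarball(SRC, mtime=1512300000)
EDITED = build_tarball({**SRC, "libdap-3.19.1/Vector.cc": b"// edited\n"}, mtime=1512300000)

if __name__ == "__main__":
    for label, blob in (("rebuilt", REBUILT), ("edited", EDITED)):
        print(label, sha256_hex(blob)[:16], triage(ORIGINAL, blob))
```

A "repackaged" result means only that every file's contents equal the pinned copy; the pinned checksum should still not be updated until upstream confirms why the archive changed.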