| Summary: | graphics/png - md5/sha checksum failure | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Michael Scheidell <scheidell> |
| Component: | Individual Port(s) | Assignee: | Andrey A. Chernov <ache> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |

Description
Michael Scheidell
2008-04-30 16:20:06 UTC
I don't think that Sourceforge has been hacked, after
a cursory look at the new distfile. A summary of
changes, from old to new:
Younger: png.c
Younger: pngerror.c
Younger: pngtest.c
Younger: configure
Younger: libpngpf.3
Younger: pnggccrd.c
Younger: INSTALL
Younger: pngwrite.c
New : configure.diff
Younger: pngwutil.c
Younger: libpng-1.2.27.txt
Younger: pngrtran.c
Younger: KNOWNBUG
Younger: pngvcrd.c
Younger: README
Younger: LICENSE
New : aclocal.diff
Younger: pngwio.c
Younger: pngpread.c
Younger: config.h.in
Younger: example.c
Younger: pngread.c
Younger: Y2KINFO
Younger: png.5
New : configure.orig
Younger: Makefile.am
Younger: libpng.3
Younger: pngget.c
Younger: png.h
Younger: pngmem.c
Younger: Makefile.in
New : aclocal.m4.orig
Younger: pngtrans.c
Younger: pngconf.h
Younger: configure.ac
Younger: pngrio.c
Younger: ANNOUNCE
Younger: pngset.c
Younger: pngrutil.c
Younger: pngwtran.c
Younger: CHANGES
Younger: aclocal.m4
It appears that they've silently changed the distfile
upstream, by:
1) falling back to autoconf 2.61 from 2.62; and
2) fixing an Amiga OS bug.
The new distfile is substantially larger because, for
some odd reason, they bundled the patches AND both new
and old configuration files.
Try the attached patch.
Oh, yeah, and I should mention that:
- after a quick look, there don't appear to be any
changes to *.c, *.h source code other than changes in
the date;
- the library's homepage also has the larger, newer
distfile, although some of the file size descriptions
on the webpage have not yet been updated from the
earlier numbers;
- any difference in the size of the distfile on
Sourceforge mirrors is probably due to the fact that
they haven't been synch'ed yet.
- this PR should be given to ache@, the graphics/png
maintainer.
b.

On Wed, Apr 30, 2008 at 10:32:50AM -0700, bf wrote:
> -the library's homepage also has the larger, newer
> distfile, although some of the file size descriptions
> on the webpage have not yet been updated from the
> earlier numbers;
>
> -any difference in the size of the distfile on
> Sourceforge mirrors is probably due to the fact that
> they haven't been synch'ed yet.

I check right now and don't notice any file size / MD5 changes stated at
the homepage, they match distfile. Let's wait for a while and see how they
syncs later.

--
http://ache.pp.ru/

Andrey Chernov wrote:
> On Wed, Apr 30, 2008 at 10:32:50AM -0700, bf wrote:
>
>> -the library's homepage also has the larger, newer
>> distfile, although some of the file size descriptions
>> on the webpage have not yet been updated from the
>> earlier numbers;
>>
>> -any difference in the size of the distfile on
>> Sourceforge mirrors is probably due to the fact that
>> they haven't been synch'ed yet.
>
> I check right now and don't notice any file size / MD5 changes stated at
> the homepage, they match distfile. Let's wait for a while and see how they
> syncs later.

yes, they do match distfile, but follow any of their download links.. it's
the larger size and different checksums.

here is the explain I got earlier:

Michael Scheidell wrote:
> (note below, libpng says file size for libpng-1.2.27.tar.bz2 with
> scripts should be 641193) heanet has a bigger file.
> other sourceforge.net mirrors have it right.

I've pulled the file from the SURFnet and University of Kent mirrors and
the simplesystems.org mirror referenced on the site. All have the same
804821 bytes big file. The tar.gz also doesn't match.

If you have the right and the supposedly wrong version, why not untar them
and diff them to see what the differences are?

--
Michael Scheidell, CTO
SECNAP Network Security Corporation

On Wed, Apr 30, 2008 at 03:22:05PM -0400, Michael Scheidell wrote:
> I've pulled the file from the SURFnet and University of Kent mirrors and
> the simplesystems.org mirror referenced on the site. All have the same
> 804821 bytes big file. The tar.gz also doesn't match.

Sooner or later libpng author will notice this thing and fix it in one or
another way. Mailing him may also help.

> If you have the right and the supposedly wrong version, why not untar them
> and diff them to see what the differences are?

I don't think it wrong, but some beta can be leaked out instead of
release. Without surely know which variant libpng author treats as ring, I
don't want to change anything, especially when some mirrors match one
distributive and others another one.

--
http://ache.pp.ru/

Responsible Changed
From-To: freebsd-ports-bugs->ache
Over to maintainer (via the GNATS Auto Assign Tool)
http://www.freebsd.org/cgi/query-pr.cgi?pr=123262
Date: Wed, 30 Apr 2008 11:45:01 -0400

State Changed
From-To: open->closed
Upgraded to 1.2.28
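
The untar-and-diff comparison suggested in the thread, as an added example (not code from this PR or from the port): it hashes every member of two tarballs and separates files whose contents changed from files that are only "younger". The archives, file contents and function names below are constructed for illustration.

```python
import hashlib
import io
import tarfile


def manifest(blob):
    """Map each regular file in a tarball to (sha256 of contents, mtime)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                # Drop the top-level directory so differently named roots compare.
                name = member.name.split("/", 1)[-1]
                data = tar.extractfile(member).read()
                out[name] = (hashlib.sha256(data).hexdigest(), member.mtime)
    return out


def compare_distfiles(old_blob, new_blob):
    """Classify members of a re-rolled archive against the recorded one."""
    old, new = manifest(old_blob), manifest(new_blob)
    report = {"new": [], "removed": [], "content_changed": [], "mtime_only": []}
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            report["new"].append(name)
        elif name not in new:
            report["removed"].append(name)
        elif old[name][0] != new[name][0]:
            report["content_changed"].append(name)   # needs human review
        elif old[name][1] != new[name][1]:
            report["mtime_only"].append(name)        # "younger", same bytes
    return report


def make_tarball(files, mtime):
    """Build a constructed .tar.gz in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo("libpng-1.2.27/" + path)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data, not the real libpng distfiles.
OLD = make_tarball({"png.c": b"int a;\n", "configure": b"# 2.62\n", "README": b"r\n"}, 1000)
NEW = make_tarball({"png.c": b"int a;\n", "configure": b"# 2.61\n", "README": b"r\n",
                    "configure.diff": b"-2.62\n+2.61\n"}, 2000)

if __name__ == "__main__":
    for kind, names in compare_distfiles(OLD, NEW).items():
        print(kind, names)
```

Only the `new`, `removed` and `content_changed` entries need to be read before new checksums are recorded; `mtime_only` entries are byte-identical to the previously recorded distfile.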