When attempting to update png (for security fix), 'fetch' fails.

---> Upgrading 'png-1.2.23_1' to 'png-1.2.27' (graphics/png)
---> Building '/usr/ports/graphics/png'
===> Cleaning for png-1.2.27
===> Extracting for png-1.2.27
=> MD5 Checksum mismatch for libpng-1.2.27.tar.bz2.
=> SHA256 Checksum mismatch for libpng-1.2.27.tar.bz2.
===> Refetch for 1 more times files: libpng-1.2.27.tar.bz2 libpng-1.2.27.tar.bz2
=> libpng-1.2.27.tar.bz2 doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch from http://heanet.dl.sourceforge.net/sourceforge/libpng/.
fetch: http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.27.tar.bz2: Requested Range Not Satisfiable
=> Attempting to fetch from http://nchc.dl.sourceforge.net/sourceforge/libpng/.
fetch: http://nchc.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.27.tar.bz2: Requested Range Not Satisfiable
=> Attempting to fetch from http://kent.dl.sourceforge.net/sourceforge/libpng/.
fetch: http://kent.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.27.tar.bz2: Requested Range Not Satisfiable
=> Attempting to fetch from http://easynews.dl.sourceforge.net/sourceforge/libpng/.
fetch: http://easynews.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.27.tar.bz2: Requested Range Not Satisfiable
=> Attempting to fetch from http://ufpr.dl.sourceforge.net/sourceforge/libpng/.
fetch: http://ufpr.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.27.tar.bz2: Requested Range Not Satisfiable
=> Attempting to fetch from http://umn.dl.sourceforge.net/sourceforge/libpng/.
fetch: http://umn.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.27.tar.bz2: Moved Temporarily
=> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/libpng-1.2.27.tar.bz2: File unavailable (e.g., file not found, no access)
=> Couldn't fetch it - please try to retrieve this
=> port manually into /var/ports/distfiles/ and try again.
*** Error code 1

Erase it from distfiles, try again:

Building '/usr/ports/graphics/png'
===> Cleaning for png-1.2.27
=> libpng-1.2.27.tar.bz2 doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch from http://heanet.dl.sourceforge.net/sourceforge/libpng/.
fetch: http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.27.tar.bz2: size mismatch: expected 641193, actual 804821

Then it can get it from the next one. Is heanet.dl.sourceforge.net hacked?

How-To-Repeat: portupgrade png
I don't think that Sourceforge has been hacked, after a cursory look at the new distfile. A summary of changes, from old to new:

Younger: png.c
Younger: pngerror.c
Younger: pngtest.c
Younger: configure
Younger: libpngpf.3
Younger: pnggccrd.c
Younger: INSTALL
Younger: pngwrite.c
New : configure.diff
Younger: pngwutil.c
Younger: libpng-1.2.27.txt
Younger: pngrtran.c
Younger: KNOWNBUG
Younger: pngvcrd.c
Younger: README
Younger: LICENSE
New : aclocal.diff
Younger: pngwio.c
Younger: pngpread.c
Younger: config.h.in
Younger: example.c
Younger: pngread.c
Younger: Y2KINFO
Younger: png.5
New : configure.orig
Younger: Makefile.am
Younger: libpng.3
Younger: pngget.c
Younger: png.h
Younger: pngmem.c
Younger: Makefile.in
New : aclocal.m4.orig
Younger: pngtrans.c
Younger: pngconf.h
Younger: configure.ac
Younger: pngrio.c
Younger: ANNOUNCE
Younger: pngset.c
Younger: pngrutil.c
Younger: pngwtran.c
Younger: CHANGES
Younger: aclocal.m4

It appears that they've silently changed the distfile upstream, by:

1) falling back to autoconf 2.61 from 2.62; and
2) fixing an Amiga OS bug.

The new distfile is substantially larger because, for some odd reason, they bundled the patches AND both new and old configuration files. Try the attached patch.
Oh, yeah, and I should mention that:

-after a quick look, there don't appear to be any changes to *.c, *.h source code other than changes in the date;

-the library's homepage also has the larger, newer distfile, although some of the file size descriptions on the webpage have not yet been updated from the earlier numbers;

-any difference in the size of the distfile on Sourceforge mirrors is probably due to the fact that they haven't been synch'ed yet.

-this PR should be given to ache@, the graphics/png maintainer.

b.
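Added example, not part of the original thread or of the ports tools: the member-by-member comparison summarised above, done by content hash so that files whose bytes changed are separated from files that only carry a newer timestamp. The two archives are small stand-ins constructed in memory; the function names are illustrative and the file names are reused from the summary only as labels.

```python
import hashlib
import io
import tarfile

def index_tar(data):
    """Map member name -> (sha256 of content, mtime) for regular files."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                out[m.name] = (digest, m.mtime)
    return out

def compare_distfiles(old, new):
    """Classify every member of two tarballs (given as bytes)."""
    a, b = index_tar(old), index_tar(new)
    report = {"new": [], "removed": [], "content": [], "mtime_only": []}
    for name in sorted(a.keys() | b.keys()):
        if name not in a:
            report["new"].append(name)
        elif name not in b:
            report["removed"].append(name)
        elif a[name][0] != b[name][0]:
            report["content"].append(name)      # bytes differ: review these
        elif a[name][1] != b[name][1]:
            report["mtime_only"].append(name)   # same bytes, newer timestamp
    return report

def make_tar(files, mtime):
    """Build a constructed sample tar.bz2 in memory (not the real distfile)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), mtime
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

# Constructed stand-ins for the older and the re-rolled archive.
OLD = make_tar({"png.c": b"/* date A */ code", "pngmem.c": b"same",
                "LICENSE": b"text"}, 1000)
NEW = make_tar({"png.c": b"/* date B */ code", "pngmem.c": b"same",
                "LICENSE": b"text", "configure.diff": b"patch"}, 2000)

if __name__ == "__main__":
    for kind, names in compare_distfiles(OLD, NEW).items():
        print(f"{kind:10} {names}")
```

Only the members listed under "content" and "new" need a line-by-line diff before the recorded size and checksums for the distfile are updated.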
On Wed, Apr 30, 2008 at 10:32:50AM -0700, bf wrote:
> -the library's homepage also has the larger, newer
> distfile, although some of the file size descriptions
> on the webpage have not yet been updated from the
> earlier numbers;
>
> -any difference in the size of the distfile on
> Sourceforge mirrors is probably due to the fact that
> they haven't been synch'ed yet.

I checked right now and don't notice any file size / MD5 changes stated at the homepage; they match the distfile. Let's wait for a while and see how they sync later.

--
http://ache.pp.ru/
Andrey Chernov wrote:
> On Wed, Apr 30, 2008 at 10:32:50AM -0700, bf wrote:
>
>> -the library's homepage also has the larger, newer
>> distfile, although some of the file size descriptions
>> on the webpage have not yet been updated from the
>> earlier numbers;
>>
>> -any difference in the size of the distfile on
>> Sourceforge mirrors is probably due to the fact that
>> they haven't been synch'ed yet.
>>
>
> I checked right now and don't notice any file size / MD5 changes stated at
> the homepage; they match the distfile. Let's wait for a while and see how they
> sync later.
>

Yes, they do match the distfile, but follow any of their download links: it's the larger size and different checksums.

Here is the explanation I got earlier:

Michael Scheidell wrote:
> (note below, libpng says file size for libpng-1.2.27.tar.bz2 with
> scripts should be 641193) heanet has a bigger file.
> other sourceforge.net mirrors have it right.
>

I've pulled the file from the SURFnet and University of Kent mirrors and the simplesystems.org mirror referenced on the site. All have the same 804821 bytes big file. The tar.gz also doesn't match.

If you have the right and the supposedly wrong version, why not untar them and diff them to see what the differences are?

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
On Wed, Apr 30, 2008 at 03:22:05PM -0400, Michael Scheidell wrote:
> I've pulled the file from the SURFnet and University of Kent mirrors and
> the simplesystems.org mirror referenced on the site. All have the same
> 804821 bytes big file. The tar.gz also doesn't match.

Sooner or later the libpng author will notice this thing and fix it in one way or another. Mailing him may also help.

> If you have the right and the supposedly wrong version, why not untar them
> and diff them to see what the differences are?

I don't think it is wrong, but some beta may have leaked out instead of the release. Without knowing for sure which variant the libpng author treats as right, I don't want to change anything, especially when some mirrors match one distribution and others another one.

--
http://ache.pp.ru/
Responsible Changed
From-To: freebsd-ports-bugs->ache
Over to maintainer (via the GNATS Auto Assign Tool)
http://www.freebsd.org/cgi/query-pr.cgi?pr=123262
Date: Wed, 30 Apr 2008 11:45:01 -0400
State Changed
From-To: open->closed
Upgraded to 1.2.28