Re: upload of rebuilt packages to the repository

Hi all,

it happened again. Altered rpm packages were uploaded to the repository
without bumping the version string. Why do you do this? Mirrors haven
been shattered, breaking our own repositories and yum caches.

If you need to add a gpg signature to your packages, increase the
release number and delete the unsigned package.
If you released a faulty/corrupt package, increase the release number
and delete the previous package.
If after uploading your package to the repository you find out your
package is missing a bugfix, increase the release number.
If you need to rebuild your package against a different library set,
increase the release number.
If you need to rebuild your package with different compiler flags,
increase the release number.
Even if hell freezes over, increase the release number.

That's what I found so far:
> 0_existing/osm2pgrouting_10-2.3.3-1.rhel7.x86_64.rpm
> # osm2pgrouting_10-2.3.3-1.rhel7.x86_64
>   built: Tue Dec 19 22:56:36 2017
>   signature: (none)
>   md5: 3eeff0d2547711082c465880ba710cfc
>   size: 137028
> 
> 1_online/osm2pgrouting_10-2.3.3-1.rhel7.x86_64.rpm
> # osm2pgrouting_10-2.3.3-1.rhel7.x86_64
>   built: Tue Dec 19 22:56:36 2017
>   signature: DSA/SHA1, Mon Jun 18 15:17:19 2018, Key ID 1f16d2e1442df0f8
>   md5: cad0d9aedf3608e50f6cfb0221b3119b
>   size: 137028
> 
> 0_existing/osm2pgrouting_10-debuginfo-2.3.3-1.rhel7.x86_64.rpm
> # osm2pgrouting_10-debuginfo-2.3.3-1.rhel7.x86_64
>   built: Tue Dec 19 22:56:36 2017
>   signature: (none)
>   md5: a410f47dab9a087c99decef93e282eb7
>   size: 17680
> 
> 1_online/osm2pgrouting_10-debuginfo-2.3.3-1.rhel7.x86_64.rpm
> # osm2pgrouting_10-debuginfo-2.3.3-1.rhel7.x86_64
>   built: Tue Dec 19 22:56:36 2017
>   signature: DSA/SHA1, Mon Jun 18 15:17:19 2018, Key ID 1f16d2e1442df0f8
>   md5: 0d8467f42671e341fe2f7d17111dffc7
>   size: 17680
> 
> 0_existing/pgadmin4-python-pbr-3.1.1-1.rhel7.noarch.rpm
> # pgadmin4-python-pbr-3.1.1-1.rhel7.noarch
>   built: Wed Apr 11 02:44:54 2018
>   signature: DSA/SHA1, Wed Apr 11 02:44:55 2018, Key ID 1f16d2e1442df0f8
>   md5: bccdf4366e5cf371312741509024eef2
>   size: 77368
> 
> 1_online/pgadmin4-python-pbr-3.1.1-1.rhel7.noarch.rpm
> # pgadmin4-python-pbr-3.1.1-1.rhel7.noarch
>   built: Wed Apr 11 02:45:00 2018
>   signature: DSA/SHA1, Wed Apr 11 02:45:01 2018, Key ID 1f16d2e1442df0f8
>   md5: 4a75384dd952d7654f5c2597baf80234
>   size: 77364
> 
> 0_existing/pgadmin4-python-simplejson-3.13.2-1.rhel7.x86_64.rpm
> # pgadmin4-python-simplejson-3.13.2-1.rhel7.x86_64
>   built: Wed Apr 11 02:49:44 2018
>   signature: DSA/SHA1, Wed Apr 11 02:49:47 2018, Key ID 1f16d2e1442df0f8
>   md5: 364341231594bc82aa203315d8fe8db6
>   size: 188664
> 
> 1_online/pgadmin4-python-simplejson-3.13.2-1.rhel7.x86_64.rpm
> # pgadmin4-python-simplejson-3.13.2-1.rhel7.x86_64
>   built: Wed Apr 11 02:49:54 2018
>   signature: DSA/SHA1, Wed Apr 11 02:49:56 2018, Key ID 1f16d2e1442df0f8
>   md5: 517f5e3bcf2086be16e04e0b8a736ebd
>   size: 188664
> 
> 0_existing/pgadmin4-python-simplejson-debuginfo-3.13.2-1.rhel7.x86_64.rpm
> # pgadmin4-python-simplejson-debuginfo-3.13.2-1.rhel7.x86_64
>   built: Wed Apr 11 02:49:44 2018
>   signature: DSA/SHA1, Wed Apr 11 02:49:47 2018, Key ID 1f16d2e1442df0f8
>   md5: ec13ec30d9958ac87d8a0410019734b1
>   size: 56512
> 
> 1_online/pgadmin4-python-simplejson-debuginfo-3.13.2-1.rhel7.x86_64.rpm
> # pgadmin4-python-simplejson-debuginfo-3.13.2-1.rhel7.x86_64
>   built: Wed Apr 11 02:49:54 2018
>   signature: DSA/SHA1, Wed Apr 11 02:49:57 2018, Key ID 1f16d2e1442df0f8
>   md5: 37e02e71c1b3231d7028c9fea8a56f24
>   size: 56488
> 
> 0_existing/pgadmin4-python-sshtunnel-0.1.3-1.rhel7.noarch.rpm
> # pgadmin4-python-sshtunnel-0.1.3-1.rhel7.noarch
>   built: Wed Jun 27 01:04:30 2018
>   signature: DSA/SHA1, Wed Jun 27 01:04:30 2018, Key ID 1f16d2e1442df0f8
>   md5: 27bd4760e4424a02d2d24f2d92a2d411
>   size: 37460
> 
> 1_online/pgadmin4-python-sshtunnel-0.1.3-1.rhel7.noarch.rpm
> # pgadmin4-python-sshtunnel-0.1.3-1.rhel7.noarch
>   built: Wed Jun 27 01:04:34 2018
>   signature: DSA/SHA1, Wed Jun 27 01:04:34 2018, Key ID 1f16d2e1442df0f8
>   md5: 645328bcb6a353ce832f940643625628
>   size: 37456

Kind regards

Philippe



On 06.03.2018 13:36, Philippe Kueck wrote:
> Hi all,
> 
> 
> I've noticed that from time to time PostgreSQL pushes rebuilds of
> already existing packages[1] – i.e. same %{name}, %{epoch}, %{version},
> %{release} and same filename but different content – into the yum
> repository.
> 
> Please don't to that.
> 
> If the existing package is buggy or corrupt, just increase %{release}
> and push the new package to the repo.
> Otherwise yum and mirrors might not handle it correctly. With cached
> metadata, yum will complain about checksum mismatches. Mirrors that are
> using e.g. reposync will create a corrupted file if the former package
> was smaller than the updated one by appending additional bytes to the
> existing file. If the former package was larger than the updated one,
> your the servers will respond with a "416 range not satisfiable".
> 
> 
> Best,
> 
> Philippe
> 
> [1] for example amcheck_next10-1.3-1.rhel7.x86_64 on march 1st
>