Обсуждение: RHEL repo package crc mismatches
At our site we use reposync to copy the postgresql repositories to a local repository.
When doing this on April 28 (and since) I exprience the following package checksum matching errors.
For the pgdg13 RHEL 8 repository
[MIRROR] pg_auto_failover_13-1.6.3-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: 5196edcfe1d6af6c0e90ad9a25667613bdfa0731a84fa9a1dbaa7080b4a3caac(sha256) Expected: 8d4527c96e9c8a3ff86d75aa85c166899ee895e9522c6720223f0f93b658f8d6(sha256)
[MIRROR] e-maj_13-4.0.1-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: f7576cb1cd22303cb3dbb2a86911ad3f9e57afa8472a31f1a6a1f176f708fa1d(sha256) Expected: 8c56cacb99771c4f06be2551988e553a70ea5e5459202e12e0e92fdeb7371621(sha256)
For the pgdg12 RHEL 8 repository
[MIRROR] pg_auto_failover_12-llvmjit-1.6.3-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: 9bfdaccc3a151fd847bbb5e622a9384648cf963faacd90dc9b31cd433e23a3c0(sha256) Expected: aa5e3dc99cabfe22839ed0b9501a0099af139bf8551344a3b198ac048218ceee(sha256)
I think it is just metadata information, but it sounds scary.
Can anyone comment?
-- Evan
Hello Evan, we have exactly the same problem and don't feel comfortable with it at the moment either. We even synchronise several versions and this problem occurs with all of them. Can anyone confirm that the packages have not been changed inadvertently but only the metadata is wrong? Here are the changes with us. For the pgdg11 RHEL 7 repository: [MIRROR] ogr_fdw_11-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: c61d0bb8cdc2c386b57d8968b509f9fe7bf7693b3f86af730128797d087c0caa(sha256) Expected: a963ae2eb874da055db63953cf0eb0d62e24d16abd6e8d4dab615ba4fadaefd8(sha256) [MIRROR] ogr_fdw_11-llvmjit-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: 1be687c8721e7683f7efbfe51b9bd9532f7c7326d344e83e8928667cbc524cd3(sha256) Expected: 52aa7c905fd802bfea5cf7e89b80b7523b2a16309575cdbe9d68df4179ec1f6b(sha256) [MIRROR] pg_auto_failover_11-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: abd1ede633fe8dc7721e1e09783e300c8d5a5e9b226257c67969e2bfbf7ce4f9(sha256) Expected: 0b29fc748639210c76af4b1870772780ba13a04698886e78514e7fb1baac9781(sha256) For the pgdg13 RHEL 7 repository: [MIRROR] ogr_fdw_13-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: d2ea23dc8b866c09eb620187e40147daae1a60f2a31370a88fd119b08a5f8816(sha256) Expected: a39bc56ebc34de96321af69f99862819fe36516775cb155f599c839c098a0030(sha256) [MIRROR] ogr_fdw_13-llvmjit-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: f2d981ba5ae5e54ac420f881c27eaba3af6b506638feed9f686273272083b479(sha256) Expected: 5e6baa1e8169da8251f4a3c47c8db0ab4344977c0ed4a8f1042d353a50e4e304(sha256) [MIRROR] pg_auto_failover_13-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: 01ce463c8487d52986e347025266167135f0a866c37590c784e7e3e5d8e43817(sha256) Expected: e35c32a27f5c97596d74fca03e416cb743bf188fdc0dfaf736cc68a20801a5c9(sha256) For the pgdg14 RHEL 7 repository: [MIRROR] pg_auto_failover_14-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: 7b72deadb029a8752717c832cde2e23d87e341037765086d88ac6d96816ebe89(sha256) Expected: 55de94cebb1967c4f1edb1a0be14246173c05168261a76d141e819f607e83ee3(sha256) Thank you for checking. Greetings Michael 3. Mai 2023 09:00, "Evan Rempel" <erempel@uvic.ca> schrieb: > At our site we use reposync to copy the postgresql repositories to a local repository. > > When doing this on April 28 (and since) I exprience the following package checksum matching errors. > > For the pgdg13 RHEL 8 repository > > [MIRROR] pg_auto_failover_13-1.6.3-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't > match. Calculated: 5196edcfe1d6af6c0e90ad9a25667613bdfa0731a84fa9a1dbaa7080b4a3caac(sha256) > Expected: 8d4527c96e9c8a3ff86d75aa85c166899ee895e9522c6720223f0f93b658f8d6(sha256) > > [MIRROR] e-maj_13-4.0.1-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't match. > Calculated: f7576cb1cd22303cb3dbb2a86911ad3f9e57afa8472a31f1a6a1f176f708fa1d(sha256) Expected: > 8c56cacb99771c4f06be2551988e553a70ea5e5459202e12e0e92fdeb7371621(sha256) > > For the pgdg12 RHEL 8 repository > > [MIRROR] pg_auto_failover_12-llvmjit-1.6.3-1.rhel8.x86_64.rpm: Downloading successful, but checksum > doesn't match. Calculated: 9bfdaccc3a151fd847bbb5e622a9384648cf963faacd90dc9b31cd433e23a3c0(sha256) > Expected: aa5e3dc99cabfe22839ed0b9501a0099af139bf8551344a3b198ac048218ceee(sha256) > > I think it is just metadata information, but it sounds scary. > > Can anyone comment? > > -- > Evan
Hi, On Tue, 2023-05-02 at 12:38 -0700, Evan Rempel wrote: > At our site we use reposync to copy the postgresql repositories to a > local repository. > > When doing this on April 28 (and since) I exprience the following > package checksum matching errors. <snip> Thanks for the report. This definitely does not look like a security issue, but need run further checks. I think it is an rsync issue. I'll reply again as soon as I'm done. Regards, -- Devrim Gündüz Open Source Solution Architect, PostgreSQL Major Contributor Twitter: @DevrimGunduz , @DevrimGunduzTR
The packagers are researching this problem now. --------------------------------------------------------------------------- On Wed, May 3, 2023 at 07:33:02AM +0000, Brainmue wrote: > Hello Evan, > > we have exactly the same problem and don't feel comfortable with it at the moment either. > We even synchronise several versions and this problem occurs with all of them. > Can anyone confirm that the packages have not been changed inadvertently but only the metadata is > wrong? > Here are the changes with us. > > For the pgdg11 RHEL 7 repository: > > [MIRROR] ogr_fdw_11-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. > Calculated: c61d0bb8cdc2c386b57d8968b509f9fe7bf7693b3f86af730128797d087c0caa(sha256) Expected: > a963ae2eb874da055db63953cf0eb0d62e24d16abd6e8d4dab615ba4fadaefd8(sha256) > [MIRROR] ogr_fdw_11-llvmjit-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't > match. Calculated: 1be687c8721e7683f7efbfe51b9bd9532f7c7326d344e83e8928667cbc524cd3(sha256) > Expected: 52aa7c905fd802bfea5cf7e89b80b7523b2a16309575cdbe9d68df4179ec1f6b(sha256) > [MIRROR] pg_auto_failover_11-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't > match. Calculated: abd1ede633fe8dc7721e1e09783e300c8d5a5e9b226257c67969e2bfbf7ce4f9(sha256) > Expected: 0b29fc748639210c76af4b1870772780ba13a04698886e78514e7fb1baac9781(sha256) > > For the pgdg13 RHEL 7 repository: > > [MIRROR] ogr_fdw_13-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. > Calculated: d2ea23dc8b866c09eb620187e40147daae1a60f2a31370a88fd119b08a5f8816(sha256) Expected: > a39bc56ebc34de96321af69f99862819fe36516775cb155f599c839c098a0030(sha256) > [MIRROR] ogr_fdw_13-llvmjit-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't > match. Calculated: f2d981ba5ae5e54ac420f881c27eaba3af6b506638feed9f686273272083b479(sha256) > Expected: 5e6baa1e8169da8251f4a3c47c8db0ab4344977c0ed4a8f1042d353a50e4e304(sha256) > [MIRROR] pg_auto_failover_13-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't > match. Calculated: 01ce463c8487d52986e347025266167135f0a866c37590c784e7e3e5d8e43817(sha256) > Expected: e35c32a27f5c97596d74fca03e416cb743bf188fdc0dfaf736cc68a20801a5c9(sha256) > > For the pgdg14 RHEL 7 repository: > > [MIRROR] pg_auto_failover_14-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't > match. Calculated: 7b72deadb029a8752717c832cde2e23d87e341037765086d88ac6d96816ebe89(sha256) > Expected: 55de94cebb1967c4f1edb1a0be14246173c05168261a76d141e819f607e83ee3(sha256) > > Thank you for checking. > > Greetings > Michael > > 3. Mai 2023 09:00, "Evan Rempel" <erempel@uvic.ca> schrieb: > > > At our site we use reposync to copy the postgresql repositories to a local repository. > > > > When doing this on April 28 (and since) I exprience the following package checksum matching errors. > > > > For the pgdg13 RHEL 8 repository > > > > [MIRROR] pg_auto_failover_13-1.6.3-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't > > match. Calculated: 5196edcfe1d6af6c0e90ad9a25667613bdfa0731a84fa9a1dbaa7080b4a3caac(sha256) > > Expected: 8d4527c96e9c8a3ff86d75aa85c166899ee895e9522c6720223f0f93b658f8d6(sha256) > > > > [MIRROR] e-maj_13-4.0.1-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't match. > > Calculated: f7576cb1cd22303cb3dbb2a86911ad3f9e57afa8472a31f1a6a1f176f708fa1d(sha256) Expected: > > 8c56cacb99771c4f06be2551988e553a70ea5e5459202e12e0e92fdeb7371621(sha256) > > > > For the pgdg12 RHEL 8 repository > > > > [MIRROR] pg_auto_failover_12-llvmjit-1.6.3-1.rhel8.x86_64.rpm: Downloading successful, but checksum > > doesn't match. Calculated: 9bfdaccc3a151fd847bbb5e622a9384648cf963faacd90dc9b31cd433e23a3c0(sha256) > > Expected: aa5e3dc99cabfe22839ed0b9501a0099af139bf8551344a3b198ac048218ceee(sha256) > > > > I think it is just metadata information, but it sounds scary. > > > > Can anyone comment? > > > > -- > > Evan > > -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Embrace your flaws. They make you human, rather than perfect, which you will never be.
Hello Bruce, Thanks for the update. Let's see what will come out. Greetings Michael 3. Mai 2023 18:57, "Bruce Momjian" <bruce@momjian.us> schrieb: > The packagers are researching this problem now. > > --------------------------------------------------------------------------- > > On Wed, May 3, 2023 at 07:33:02AM +0000, Brainmue wrote: > >> Hello Evan, >> >> we have exactly the same problem and don't feel comfortable with it at the moment either. >> We even synchronise several versions and this problem occurs with all of them. >> Can anyone confirm that the packages have not been changed inadvertently but only the metadata is >> wrong? >> Here are the changes with us. >> >> For the pgdg11 RHEL 7 repository: >> >> [MIRROR] ogr_fdw_11-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. >> Calculated: c61d0bb8cdc2c386b57d8968b509f9fe7bf7693b3f86af730128797d087c0caa(sha256) Expected: >> a963ae2eb874da055db63953cf0eb0d62e24d16abd6e8d4dab615ba4fadaefd8(sha256) >> [MIRROR] ogr_fdw_11-llvmjit-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't >> match. Calculated: 1be687c8721e7683f7efbfe51b9bd9532f7c7326d344e83e8928667cbc524cd3(sha256) >> Expected: 52aa7c905fd802bfea5cf7e89b80b7523b2a16309575cdbe9d68df4179ec1f6b(sha256) >> [MIRROR] pg_auto_failover_11-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't >> match. Calculated: abd1ede633fe8dc7721e1e09783e300c8d5a5e9b226257c67969e2bfbf7ce4f9(sha256) >> Expected: 0b29fc748639210c76af4b1870772780ba13a04698886e78514e7fb1baac9781(sha256) >> >> For the pgdg13 RHEL 7 repository: >> >> [MIRROR] ogr_fdw_13-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. >> Calculated: d2ea23dc8b866c09eb620187e40147daae1a60f2a31370a88fd119b08a5f8816(sha256) Expected: >> a39bc56ebc34de96321af69f99862819fe36516775cb155f599c839c098a0030(sha256) >> [MIRROR] ogr_fdw_13-llvmjit-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't >> match. Calculated: f2d981ba5ae5e54ac420f881c27eaba3af6b506638feed9f686273272083b479(sha256) >> Expected: 5e6baa1e8169da8251f4a3c47c8db0ab4344977c0ed4a8f1042d353a50e4e304(sha256) >> [MIRROR] pg_auto_failover_13-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't >> match. Calculated: 01ce463c8487d52986e347025266167135f0a866c37590c784e7e3e5d8e43817(sha256) >> Expected: e35c32a27f5c97596d74fca03e416cb743bf188fdc0dfaf736cc68a20801a5c9(sha256) >> >> For the pgdg14 RHEL 7 repository: >> >> [MIRROR] pg_auto_failover_14-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't >> match. Calculated: 7b72deadb029a8752717c832cde2e23d87e341037765086d88ac6d96816ebe89(sha256) >> Expected: 55de94cebb1967c4f1edb1a0be14246173c05168261a76d141e819f607e83ee3(sha256) >> >> Thank you for checking. >> >> Greetings >> Michael >> >> 3. Mai 2023 09:00, "Evan Rempel" <erempel@uvic.ca> schrieb: >> >> At our site we use reposync to copy the postgresql repositories to a local repository. >> >> When doing this on April 28 (and since) I exprience the following package checksum matching errors. >> >> For the pgdg13 RHEL 8 repository >> >> [MIRROR] pg_auto_failover_13-1.6.3-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't >> match. Calculated: 5196edcfe1d6af6c0e90ad9a25667613bdfa0731a84fa9a1dbaa7080b4a3caac(sha256) >> Expected: 8d4527c96e9c8a3ff86d75aa85c166899ee895e9522c6720223f0f93b658f8d6(sha256) >> >> [MIRROR] e-maj_13-4.0.1-1.rhel8.x86_64.rpm: Downloading successful, but checksum doesn't match. >> Calculated: f7576cb1cd22303cb3dbb2a86911ad3f9e57afa8472a31f1a6a1f176f708fa1d(sha256) Expected: >> 8c56cacb99771c4f06be2551988e553a70ea5e5459202e12e0e92fdeb7371621(sha256) >> >> For the pgdg12 RHEL 8 repository >> >> [MIRROR] pg_auto_failover_12-llvmjit-1.6.3-1.rhel8.x86_64.rpm: Downloading successful, but checksum >> doesn't match. Calculated: 9bfdaccc3a151fd847bbb5e622a9384648cf963faacd90dc9b31cd433e23a3c0(sha256) >> Expected: aa5e3dc99cabfe22839ed0b9501a0099af139bf8551344a3b198ac048218ceee(sha256) >> >> I think it is just metadata information, but it sounds scary. >> >> Can anyone comment? >> >> -- >> Evan > > -- > Bruce Momjian <bruce@momjian.us> https://momjian.us > EDB https://enterprisedb.com > > Embrace your flaws. They make you human, rather than perfect, > which you will never be.
Hi again, On Tue, 2023-05-02 at 12:38 -0700, Evan Rempel wrote: > At our site we use reposync to copy the postgresql repositories to a > local repository. > > When doing this on April 28 (and since) I exprience the following > package checksum matching errors. > <snip> I can confirm that this is caused by signing unsigned packages last week, but rsync failing to update main server(s). So this is *not* a security issue. However, as a precaution, I removed problematic packages from the repository. They were too old anyway. I did not want to push updated checksums for the same packages. Please let me know if this solves your problem. Again, thanks for the report. Regards, -- Devrim Gündüz Open Source Solution Architect, PostgreSQL Major Contributor Twitter: @DevrimGunduz , @DevrimGunduzTR
On 2023-05-03 15:23, Devrim Gündüz wrote: > Hi again, > > On Tue, 2023-05-02 at 12:38 -0700, Evan Rempel wrote: >> At our site we use reposync to copy the postgresql repositories to a >> local repository. >> >> When doing this on April 28 (and since) I exprience the following >> package checksum matching errors. >> > <snip> > > I can confirm that this is caused by signing unsigned packages last > week, but rsync failing to update main server(s). So this is *not* a > security issue. > > However, as a precaution, I removed problematic packages from the > repository. They were too old anyway. I did not want to push updated > checksums for the same packages. > > Please let me know if this solves your problem. > > Again, thanks for the report. > > Regards, > -- > Devrim Gündüz Thank you. That does solve my problem. Evan.
Hello Devrim, The problem is fixed in most of the repositories I synchronise, but in one I now have a new one. With the package: postgresql13-odbc-13.00.0000-1PGDG.rhel7.x86_64.rpm For the pgdg13 RHEL 7 repository: [MIRROR] postgresql13-odbc-13.00.0000-1PGDG.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated:2fa1642932c950ca5597d64a129fc78d2fb3909c898ade5f9bff4db73fb39ae5(sha256) Expected: 9ed5b91c12e072d871314bfa5e8ec991bb312f360f7d1e3af8ece78945931900(sha256) It would be great if you could correct that too. Thank you very much. Greetings Michael 4. Mai 2023 00:23, "Devrim Gündüz" <devrim@gunduz.org> schrieb: > Hi again, > > On Tue, 2023-05-02 at 12:38 -0700, Evan Rempel wrote: > >> At our site we use reposync to copy the postgresql repositories to a >> local repository. >> >> When doing this on April 28 (and since) I exprience the following >> package checksum matching errors. > > <snip> > > I can confirm that this is caused by signing unsigned packages last > week, but rsync failing to update main server(s). So this is *not* a > security issue. > > However, as a precaution, I removed problematic packages from the > repository. They were too old anyway. I did not want to push updated > checksums for the same packages. > > Please let me know if this solves your problem. > > Again, thanks for the report. > > Regards, > -- > Devrim Gündüz > Open Source Solution Architect, PostgreSQL Major Contributor > Twitter: @DevrimGunduz , @DevrimGunduzTR
Hi Michael, On Thu, 2023-05-04 at 04:46 +0000, Brainmue wrote: > The problem is fixed in most of the repositories I synchronise, but in > one I now have a new one. With the package: postgresql13-odbc- > 13.00.0000-1PGDG.rhel7.x86_64.rpm > > For the pgdg13 RHEL 7 repository: > > [MIRROR] postgresql13-odbc-13.00.0000-1PGDG.rhel7.x86_64.rpm: > Downloading successful, but checksum doesn't match. Calculated: > 2fa1642932c950ca5597d64a129fc78d2fb3909c898ade5f9bff4db73fb39ae5(sha25 > 6) Expected: > 9ed5b91c12e072d871314bfa5e8ec991bb312f360f7d1e3af8ece78945931900(sha25 > 6) > > It would be great if you could correct that too. This package does not exist on main side, I believe you may need to sync again. Regards, -- Devrim Gündüz Open Source Solution Architect, PostgreSQL Major Contributor Twitter: @DevrimGunduz , @DevrimGunduzTR
Hello Devrim, You were absolutely right. Resynchronising solved the problem. Now everything is OK again. Thanks for the quick help. Greetings Michael 4. Mai 2023 20:43, "Devrim Gündüz" <devrim@gunduz.org> schrieb: > Hi Michael, > > On Thu, 2023-05-04 at 04:46 +0000, Brainmue wrote: > >> The problem is fixed in most of the repositories I synchronise, but in >> one I now have a new one. With the package: postgresql13-odbc- >> 13.00.0000-1PGDG.rhel7.x86_64.rpm >> >> For the pgdg13 RHEL 7 repository: >> >> [MIRROR] postgresql13-odbc-13.00.0000-1PGDG.rhel7.x86_64.rpm: >> Downloading successful, but checksum doesn't match. Calculated: >> 2fa1642932c950ca5597d64a129fc78d2fb3909c898ade5f9bff4db73fb39ae5(sha25 >> 6) Expected: >> 9ed5b91c12e072d871314bfa5e8ec991bb312f360f7d1e3af8ece78945931900(sha25 >> 6) >> >> It would be great if you could correct that too. > > This package does not exist on main side, I believe you may need to sync > again. > > Regards, > -- > Devrim Gündüz > Open Source Solution Architect, PostgreSQL Major Contributor > Twitter: @DevrimGunduz , @DevrimGunduzTR