Discussion: BUG #17918: Checksum failed while sync repos for a package

BUG #17918: Checksum failed while sync repos for a package

From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      17918
Logged by:          Sureshkumar G
Email address:      suresh.kumar@d4t4solutions.com
PostgreSQL version: 12.0
Operating system:   CentOS7
Description:

We're using Foreman satellite server and we tried to sync the postgresql 12 repo
from https://download.postgresql.org/ and are facing a failed checksum error for
the below package

Package: pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm

Error:
"A file located at the url

http://download.postgresql.org/pub/repos/yum/12/redhat/rhel-7.0-x86_64/pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
failed validation due to checksum."

We validated the checksum and it looks like the two are different.

sha256sum pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
cd752ab10807898f4451c2a9cbf9782f6ed91273b0d62fb0d8746dcfee067bb9
pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm

</package>
<package
pkgid="899efe5f0c404d870c7fd8900b66bb72c54548c0cd5152a60b09d5133514d559"
name="pg_auto_failover_12-llvmjit" arch="x86_64">

Can you please look into it and also let me know if there is any security risk
if we skip the checksum for this package?


Re: BUG #17918: Checksum failed while sync repos for a package

From
Devrim Gündüz
Date:
Hi,

Thanks for the report.

It looks like a rsync issue, but please don't skip checksums until I
confirm (which will happen until later tonight).

Regards, Devrim
On Wed, 2023-05-03 at 11:43 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference:      17918
> Logged by:          Sureshkumar G
> Email address:      suresh.kumar@d4t4solutions.com
> PostgreSQL version: 12.0
> Operating system:   CentOS7
> Description:       
>
> We're using Foreman satellite server and we tried to sync the postgresql 12
> repo from https://download.postgresql.org/ and are facing a failed checksum
> error for the below package
>
> Package: pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> Error:
> "A file located at the url
>
> http://download.postgresql.org/pub/repos/yum/12/redhat/rhel-7.0-x86_64/pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> failed validation due to checksum."
>
> We validated the checksum and it looks like the two are different.
>
> sha256sum pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> cd752ab10807898f4451c2a9cbf9782f6ed91273b0d62fb0d8746dcfee067bb9
> pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> </package>
> <package
> pkgid="899efe5f0c404d870c7fd8900b66bb72c54548c0cd5152a60b09d5133514d559"
> name="pg_auto_failover_12-llvmjit" arch="x86_64">
>
> Can you please look into it and also let me know if there is any security
> risk if we skip the checksum for this package?
>

--
Devrim Gündüz
Open Source Solution Architect, PostgreSQL Major Contributor
Twitter: @DevrimGunduz , @DevrimGunduzTR



Re: BUG #17918: Checksum failed while sync repos for a package

From
Devrim Gündüz
Date:
Hi,

On Wed, 2023-05-03 at 11:43 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference:      17918
> Logged by:          Sureshkumar G
> Email address:      suresh.kumar@d4t4solutions.com
> PostgreSQL version: 12.0
> Operating system:   CentOS7
> Description:       
>
> We're using Foreman satellite server and we tried to sync the postgresql 12
> repo from https://download.postgresql.org/ and are facing a failed checksum
> error for the below package
>
> Package: pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> Error:
> "A file located at the url
>
> http://download.postgresql.org/pub/repos/yum/12/redhat/rhel-7.0-x86_64/pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> failed validation due to checksum."
>
> We validated the checksum and it looks like the two are different.
>
> sha256sum pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> cd752ab10807898f4451c2a9cbf9782f6ed91273b0d62fb0d8746dcfee067bb9
> pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> </package>
> <package
> pkgid="899efe5f0c404d870c7fd8900b66bb72c54548c0cd5152a60b09d5133514d559"
> name="pg_auto_failover_12-llvmjit" arch="x86_64">
>
> Can you please look into it and also let me know if there is any security
> risk if we skip the checksum for this package?
>

I can confirm that this is caused by signing unsigned packages last
week, but rsync failing to update main server(s). So this is *not* a
security issue.

However, as a precaution, I removed problematic packages from the
repository. They were too old anyway. I did not want to push updated
checksums for the same packages.

Please let me know if this solves your problem.

Again, thanks for the report.

Regards,
--
Devrim Gündüz
Open Source Solution Architect, PostgreSQL Major Contributor
Twitter: @DevrimGunduz , @DevrimGunduzTR
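

Added example (not part of the original thread and not PostgreSQL project code): the comparison the reporter did by hand, a local file's SHA-256 against the pkgid listed in the repository metadata. It assumes the repository's checksum type is sha256; the function names, the demo-pkg entry and the sample metadata are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile
import xml.etree.ElementTree as ET


def sha256_of(path, chunk=1 << 20):
    """Stream the file so a large RPM is never held in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def advertised_pkgids(metadata_xml, name, arch):
    """Every pkgid the metadata lists for name/arch, lowercased."""
    ids = []
    for el in ET.fromstring(metadata_xml).iter():
        # Drop the "{namespace}" prefix so any <package pkgid=...> element matches.
        if (el.tag.rsplit("}", 1)[-1] == "package"
                and el.get("name") == name and el.get("arch") == arch):
            ids.append(el.get("pkgid", "").lower())
    return ids


def check_rpm(path, metadata_xml, name, arch):
    """Return 'match', 'mismatch' or 'not-listed' for a downloaded file."""
    ids = advertised_pkgids(metadata_xml, name, arch)
    if not ids:
        return "not-listed"
    actual = sha256_of(path)
    return "match" if any(hmac.compare_digest(actual, i) for i in ids) else "mismatch"


if __name__ == "__main__":
    # Constructed sample: stand-in bytes for the RPM and a one-entry metadata file.
    payload = b"constructed stand-in for an rpm file"
    stale = "0" * 64  # placeholder pkgid, as if metadata predates a re-sign
    meta = ('<otherdata><package pkgid="%s" name="demo-pkg" arch="x86_64">'
            '<version epoch="0" ver="1.0" rel="1"/></package></otherdata>')
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
    try:
        fresh = hashlib.sha256(payload).hexdigest()
        print(check_rpm(tmp.name, meta % fresh, "demo-pkg", "x86_64"))
        print(check_rpm(tmp.name, meta % stale, "demo-pkg", "x86_64"))
    finally:
        os.unlink(tmp.name)
```

A "mismatch" result only shows that the file and the metadata disagree; re-signed packages and a failed rsync, the cause given in the thread, produce it just as a modified file would.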