
Re: [cross-project-issues-dev] md5 checksums not matching on some eclipse.org downloads

I don't know anything about this particular case, but wanted to emphasize that replacing a file with different bytes of the same name is generally bad practice. In the case of plugins and features, p2 will not detect that something new is available if the version doesn't change, so anyone who already installed the "bad" copy will never have a way to upgrade to the "good" copy. Also, as Denis points out, the download infrastructure, including mirroring, digests, and maybe even web server memory caches, might make assumptions that cause the "bad" copy of the bytes to continue being served to users long after they have been replaced. On top of that, it creates serviceability problems ("I hit this error using EMF M4a." Was that with the "good" EMF M4a or the bad one?). EPP packages, and others building products on top of the train, have no way to verify that they built against the good set of bits, etc.

John
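The two checks this thread turns on, as an added shell example (this is not code from the thread, from the Sapphire build, or from eclipse.org infrastructure): verifying a downloaded artifact against a digest the build itself pins, and noticing when the digest a checksum service reports no longer matches the bytes actually served (the "Actual" versus "Retrieved" checksum Konstantin quotes below). The function names, the sample file contents and the temp paths are constructed for illustration; the only real tool used is `md5sum` (with an `openssl` fallback).

```shell
#!/bin/sh
# Added example, not code from the thread, from the Sapphire build, or from
# eclipse.org infrastructure. Function names, sample contents and temp paths
# are constructed for illustration.

# Hex MD5 of a file; prefers coreutils md5sum, falls back to openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_artifact FILE PINNED_MD5
# PINNED_MD5 is assumed to live in the build's own version-controlled config,
# recorded when the dependency was first vetted, not fetched from the download
# server at build time. Returns 0 on match, 1 on mismatch (fail closed).
verify_artifact() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'digest mismatch for %s\n  pinned: %s\n  actual: %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# digest_endpoints_agree REPORTED_MD5 FILE
# REPORTED_MD5 stands in for what a checksum service (sums.php in the thread)
# returned for the file; FILE is what the download URL actually delivered.
# Returns 0 when they agree, 1 when the service is serving a stale digest.
digest_endpoints_agree() {
    [ "$1" = "$(md5_of "$2")" ]
}

# Replays the thread offline: a drop is published, its digest is cached, then
# the zip is overwritten in place with different bytes (the case John warns
# about). Returns 0 if every check behaves as the thread describes.
demo() {
    dir=$(mktemp -d) || return 1
    zip="$dir/emf-xsd-Update-2.7.0M4a.zip"   # name only; contents are constructed

    printf 'first upload\n' > "$zip"
    cached=$(md5_of "$zip")                  # what the server would cache
    verify_artifact "$zip" "$cached" || return 1
    digest_endpoints_agree "$cached" "$zip" || return 1

    printf 'second upload, same filename\n' > "$zip"   # replaced in place
    # A build that pinned the first digest now fails, which is correct ...
    if verify_artifact "$zip" "$cached" 2>/dev/null; then return 1; fi
    # ... and the cached digest no longer describes the bytes being served.
    if digest_endpoints_agree "$cached" "$zip"; then return 1; fi

    rm -rf "$dir"
    return 0
}

demo && echo "replace-in-place scenario reproduced as the thread describes"
```

Two points worth taking from this. First, the mismatch was only caught because the build compared against a digest it already held; a build that fetches the digest from the same server at the same moment it fetches the file will only ever detect transmission corruption, never a substituted or replaced artifact. Second, MD5 is collision-broken, so a pinned digest should be SHA-256 (or stronger) wherever the publisher offers one; the example uses MD5 only because that is what the thread is about.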

Kenn Hussey <kenn.hussey@xxxxxxxxx>
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx
12/21/2010 11:06 AM
Please respond to: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
cc:
Subject: Re: [cross-project-issues-dev] md5 checksums not matching on some eclipse.org downloads

I replaced one of the download zips (the existing one had missing content) and regenerated the digest.

Kenn

On Tue, Dec 21, 2010 at 11:01 AM, Jesse McConnell <jesse.mcconnell@xxxxxxxxx> wrote:
I am with Denis on this one, and it would be good to find out what
caused this in the first place. From a security standpoint this
shouldn't have had to be fixed, and the fact that it was detected only
because it was stored in a cache somewhere is bothersome in its own
right...

cheers,
jesse


--
jesse mcconnell

jesse.mcconnell@xxxxxxxxx



On Thu, Dec 16, 2010 at 21:21, Denis Roy <denis.roy@xxxxxxxxxxx> wrote:
> Our servers cache the checksums for optimal performance.  Checksums are
> queued for computation after the first ever download of any given file.  I
> have cleared them for this file, waited a bit, and they were recreated.  The
> retrieved checksums are now correct.
>
> This means that, at some point, the file on disk was altered.
>
> Is this a glitch?  I don't know.  In a security mindset, I can see how this
> can be a feature.  In my unqualified opinion, once a file is on
> download.eclipse.org it should never be altered, but instead replaced with a
> new version.
>
> Denis
>
> On 16/12/2010 7:17 PM, Konstantin Komissarchik wrote:
>
> The build system we use for Sapphire verifies downloads of various
> dependencies by checking published md5 checksums. We've been having trouble
> today moving to Indigo M4 because for at least one of the files,
> eclipse.org download server is consistently reporting the wrong checksum.
>
> This is the file in question:
>
> http://www.eclipse.org/downloads/download.php?file=/modeling/emf/emf/downloads/drops/2.7.0/S201012150940/emf-xsd-Update-2.7.0M4a.zip
>
> Actual Checksum: 353f7c08746bcd6ab336c2ca9b3e7556
>
> This is how we fetch the checksum:
>
> http://www.eclipse.org/downloads/sums.php?file=/modeling/emf/emf/downloads/drops/2.7.0/S201012150940/emf-xsd-Update-2.7.0M4a.zip&type=md5
>
> Retrieved Checksum: aca8645f904c11ee2ba4cfe84f5253c4
>
> Curiously, if I go to EMF download site directly and hit their link for md5
> checksum, I get the checksum that actually matches the downloaded file. Here
> is that URL:
>
> http://download.eclipse.org/modeling/emf/emf/downloads/drops/2.7.0/S201012150940/emf-xsd-Update-2.7.0M4a.zip.md5
>
> This appears to be a case of a glitch in eclipse.org infrastructure. Yes?
> Can this be fixed?
>
> - Konstantin
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
>
_______________________________________________
cross-project-issues-dev mailing list

cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev