Forum

Recently, I discovered that the FreeBSD port complained that the distfile of hiawatha 7.3 on the official webserver changed completely and grew a bit in size. What is the reason for doing this without changing version numbers?

Thanks for keeping us updated.

I haven't changed anything...

Then, something is extremely strange here. Originally -- at upgrade time -- the files signatures were:

MD5 (hiawatha-7.3.tar.gz) = 0a16d97a51ac8bc3559f165cb6ce97e9
SHA256 (hiawatha-7.3.tar.gz) = 43453ffa1a8beffe4b5cb9bec9720704294235b5962aaae1d6ba22d8df44858f
SIZE (hiawatha-7.3.tar.gz) = 273120

Now, with the current file on your server we get the following hashes:

MD5 (hiawatha-7.3.tar.gz) = 52fd6bf798c07298e12ff69b882f3d76
SHA256 (hiawatha-7.3.tar.gz) = 23f01940cf24872cd804c564c5c3fe8704f336ed39112853b8d8c81865a9aabc
SIZE (hiawatha-7.3.tar.gz) = 274427

If you did not change the release file, somebody has tampered with it!

I just run a diff -ruN between the old and the new version of the distfile:

> diff -ruN hiawatha-7.3 hiawatha.new
diff -ruN hiawatha-7.3/ChangeLog hiawatha.new/ChangeLog
--- hiawatha-7.3/ChangeLog 2010-06-06 23:18:56.000000000 +0200
+++ hiawatha.new/ChangeLog 2010-07-08 11:24:45.000000000 +0200
@@ -5,7 +5,7 @@
* Support for Haiku OS.
* Small security bugfixes.

- -- Hugo Leisink <hugo@leisink.net> Sun, 6 Sun 2010 23:18:37 +0200
+ -- Hugo Leisink <hugo@leisink.net> Sun, 6 Jun 2010 23:18:37 +0200

hiawatha (7.2) stable; urgency=low


Hence, I guess that I can safely take your new distfile. I would appreciate it very much if you would not update the distfile quietly again.

Again, I haven't changed the file.

Huh? How do you explain the different Hash keys then?

Maybe you've received a beta version in the past? I don't know.

The hash keys that I posted above are the original hash keys of your first distfile for version 7.3. They are the ones we use in the FreeBSD port system since 8. June 2010: http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/hiawatha/distinfo

The distfile that I have on my server as a backup download server is still the correct one from the release with the right hash keys. You can get it at: http://www.c-s.li/ports/hiawatha-7.3.tar.gz (note that I uploaded it to the server on Jun 7)

This original file does not match the one that is served from your main server. As this issue is not resolved, we -- me as a FreeBSD port maintainer and my mentor glarkin@ -- decided not to trust the file that is on your server and go with the original one served from my server with the original unchanged hash keys from the time of release in June.

I really think this is an important issue that we have to figure out where it comes from.

Since the only difference is the ChangeLog file, I don't see a big issue. It's very likely that I forgot those two lines and added them shortly after release. Since june the 8th is a few months ago, I don't remember. Let's consider it my mistake.

I can assure you that my server has not, is not an will not be hacked. Not then, not now, not ever. And if you russian 1337 h@x0rs are reading this, try me!

You know that I trust you a lot and I also think the reason you mentioned must have been the issue.

Let's forget about it then and I'll update the distfile informations in FreeBSD as soon as possible (unless you post version 7.4 soon anyway :-)

Thanks a lot for taking your time and for this absolutely amazing project!