Source hash mismatch with aggregator + possible guix bug with hashes.

  • Done
Details
5 participants
  • Brendan Tildesley
  • Marius Bakke
  • Tobias Geerinckx-Rice
  • phodina
  • zimoun
Owner
unassigned
Submitted by
Brendan Tildesley
Severity
normal
Brendan Tildesley wrote on 16 Oct 2022 05:42
(address . bug-guix@gnu.org)
0df50579-d645-5a43-d558-4c49e503bb57@brendan.scot
I'm getting this after the recent updates:

sha256 hash mismatch for
/gnu/store/iv6ixlrvh0swq22fjal0cbfbr9ayaq7m-akregator-22.04.3.tar.xz:
  expected hash: 1yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8
  actual hash: 08n713271i7ifnbrgwrqmxvcpvj45wfqjiidw8zf9rpwxg2m2m9g


However what concerned me more is that when I look in the source code it
looks like this:

(sha256
        (base32 "9yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))


Notice how at the start it's a '9', not a '1'?

I've tried with both guix pull local repo and building from source.


Is there a bug with how guix is reading/writing sha256 hashes?
Brendan Tildesley wrote on 16 Oct 2022 06:13
[PATCH 1/2] gnu: akregator: Correct source hash.
(address . 58561@debbugs.gnu.org)
20221016041301.2055-1-mail@brendan.scot
From: Brendan Tildesley <mail@brendan.scot>

* gnu/packages/kde.scm (akregator): Use correct hash.
---
gnu/packages/kde.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/kde.scm b/gnu/packages/kde.scm
index 1d4321237a..37125b1d0b 100644
--- a/gnu/packages/kde.scm
+++ b/gnu/packages/kde.scm
@@ -158,7 +158,7 @@ (define-public akregator
(uri (string-append "mirror://kde/stable/release-service/" version
"/src/akregator-" version ".tar.xz"))
(sha256
- (base32 "9yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))))
+ (base32 "08n713271i7ifnbrgwrqmxvcpvj45wfqjiidw8zf9rpwxg2m2m9g"))))
(build-system qt-build-system)
(arguments
`(#:phases
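Review bot: the replacement value on the `+` line is exactly the "actual hash" printed by the failing build, and neither the hunk nor the commit message says it was checked against anything upstream publishes. Please note in the log how the 22.04.3 tarball was verified (for example against the KDE release checksum or signature) before pinning the fetched value.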
--
2.37.2
Brendan Tildesley wrote on 16 Oct 2022 06:33
[PATCH 2/2] gnu: akregator: Fix build.
(address . 58561@debbugs.gnu.org)
20221016043321.23138-1-mail@brendan.scot
From: Brendan Tildesley <mail@brendan.scot>

* gnu/packages/kde.scm (akregator)[phases]: Fix finding
QtWebEngineProcess path.
---
gnu/packages/kde.scm | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/kde.scm b/gnu/packages/kde.scm
index 37125b1d0b..d0ffb28505 100644
--- a/gnu/packages/kde.scm
+++ b/gnu/packages/kde.scm
@@ -167,9 +167,8 @@ (define-public akregator
(lambda* (#:key inputs outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
(bin (string-append out "/bin/akregator"))
- (qt-process-path (string-append
- (assoc-ref inputs "qtwebengine-5")
- "/lib/qt5/libexec/QtWebEngineProcess")))
+ (qt-process-path (search-input-file
+ inputs "/lib/qt5/libexec/QtWebEngineProcess")))
(wrap-program bin
`("QTWEBENGINEPROCESS_PATH" = (,qt-process-path)))))))))
(native-inputs
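Review bot: the commit message says only "Fix finding QtWebEngineProcess path" and does not say why the removed `(assoc-ref inputs "qtwebengine-5")` lookup stopped working; please state the cause in the log. Since the `search-input-file` call on the `+` lines no longer names the input, a short comment saying which input is expected to provide `/lib/qt5/libexec/QtWebEngineProcess` would help the next reader.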
--
2.37.2
phodina wrote on 16 Oct 2022 07:39
(name . 'Brendan Tildesley)(address . mail@brendan.scot)(address . 58561@debbugs.gnu.org)
qMv1jTO83l-VeFp2xUua6OBkyPS0Ys41BbsxuOYIlCPgWmvrHcEmZKXBKcXuQvqeyVZNbs5Uy8hGEX7xvJbRRr9IwWlE19DNvqCWbKYhmZE=@protonmail.com
Hi,

Unfortunately, an incorrect hash was pushed in the last patchset.

The patch is already part of the next patch series [1].

Also it's tracked here [2].


----
Petr




Sent with Proton Mail secure email.

------- Original Message -------
On Sunday, October 16th, 2022 at 6:33 AM, 'Brendan Tildesley <mail@brendan.scot> wrote:


> From: Brendan Tildesley mail@brendan.scot
>
>
> * gnu/packages/kde.scm (akregator)[phases]: Fix finding
> QtWebEngineProcess path.
> ---
> gnu/packages/kde.scm | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/gnu/packages/kde.scm b/gnu/packages/kde.scm
> index 37125b1d0b..d0ffb28505 100644
> --- a/gnu/packages/kde.scm
> +++ b/gnu/packages/kde.scm
> @@ -167,9 +167,8 @@ (define-public akregator
> (lambda* (#:key inputs outputs #:allow-other-keys)
> (let* ((out (assoc-ref outputs "out"))
> (bin (string-append out "/bin/akregator"))
> - (qt-process-path (string-append
> - (assoc-ref inputs "qtwebengine-5")
> - "/lib/qt5/libexec/QtWebEngineProcess")))
> + (qt-process-path (search-input-file
> + inputs "/lib/qt5/libexec/QtWebEngineProcess")))
> (wrap-program bin
> `("QTWEBENGINEPROCESS_PATH" = (,qt-process-path)))))))))
> (native-inputs
> --
> 2.37.2
Tobias Geerinckx-Rice wrote on 16 Oct 2022 11:45
Re: bug#58561: Source hash mismatch with aggregator + possible guix bug with hashes.
(address . mail@brendan.scot)
87y1tgulqk.fsf@nckx
Hi Brendan,

Oh! This is a fun one!

Brendan Tildesley wrote:
> However what concerned me more is that when I look in the source code
> it looks like this:
>
> (sha256
>         (base32 "9yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))
>
>
> Notice how at the start it's a '9', not a '1'?
[…]
> Is there a bug with how guix is reading/writing sha256 hashes?

It's… not a bug. It's the opposite, kind of, although maybe
(probably) Guix could (should) reject clearly bogus input like
this.

What's happening is this:

In what can be described only as a bizarre coincidence, sha256
produces hashes that are 256 bits long.

Base32¹ encodes 5 bits per character. Our ‘hash’ strings are
currently 52 characters long, meaning they encode 260 bits.

If you poke around Guix, you'll notice that every valid base32
‘sha256’ hash starts with a 0 or a 1, because those 4 leftmost
bits are never used, and hence set to zero.

In the case of this "9…" ‘hash’ (which was random data, I guess?),
Guix still reads only 256 bits of the 260, and ignores those 4
‘extra’ leftmost bits.

When it later prints the hash, it converts those 256 bits back to
base32, now padded with zeroes, and you see a ‘hash’ starting with
1.

What Guix could do is refuse to continue when it detects set
higher bits, as they always indicate programmer error.

Kind regards,

T G-R

1: Guix uses ‘nix-base32’ which uses a slightly different alphabet
from the more common base32 variant, but is otherwise identical in
operation.

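The behaviour described in the message above, reproduced as an added example in Python (not Guix's own code and not written by any participant in this thread). The function names are hypothetical: `decode_lenient` models the masking of the 4 spare bits as the message describes it, and `decode_strict` is one way to implement the proposed rejection.

```python
# Added example (not Guix code): nix-base32 decoding of a sha256 field, first the
# lenient way the thread describes, then with the strict check Tobias proposes.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"  # nix alphabet: no e, o, t, u

def to_int(text):
    """Read the string as a big-endian number in base 32."""
    value = 0
    for ch in text:
        digit = NIX_BASE32.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is not a nix-base32 character")
        value = value * 32 + digit
    return value

def encode(digest):
    """Encode digest bytes; nix-base32 treats them as a little-endian integer."""
    nchars = (len(digest) * 8 + 4) // 5          # 52 characters for 32 bytes
    value = int.from_bytes(digest, "little")
    return "".join(NIX_BASE32[(value >> (5 * i)) & 31]
                   for i in reversed(range(nchars)))

def decode_lenient(text, nbytes=32):
    """Keep the low nbytes*8 bits and silently drop anything above them."""
    value = to_int(text) & ((1 << (nbytes * 8)) - 1)
    return value.to_bytes(nbytes, "little")

def decode_strict(text, nbytes=32):
    """Reject a wrong length or any set bit above nbytes*8."""
    if len(text) != (nbytes * 8 + 4) // 5:
        raise ValueError(f"expected {(nbytes * 8 + 4) // 5} characters, got {len(text)}")
    value = to_int(text)
    spare = value >> (nbytes * 8)
    if spare:
        raise ValueError(f"unused high bits are set ({spare:#x}): not a {nbytes * 8}-bit hash")
    return value.to_bytes(nbytes, "little")

def is_valid_sha256_field(text):
    """True only when the string decodes strictly to 32 bytes."""
    try:
        decode_strict(text)
        return True
    except ValueError:
        return False

# The three strings from the thread.
TYPO = "9yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"     # in kde.scm
PRINTED = "1yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"  # "expected hash"
ACTUAL = "08n713271i7ifnbrgwrqmxvcpvj45wfqjiidw8zf9rpwxg2m2m9g"   # "actual hash"

if __name__ == "__main__":
    print(encode(decode_lenient(TYPO)))              # what the build log showed
    for field in (TYPO, PRINTED, ACTUAL):
        print(field[:8] + "...", is_valid_sha256_field(field))
```

A strict decoder of this kind flags the "9…" value when the package definition is read, before any download is attempted.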
zimoun wrote on 17 Oct 2022 10:44
87y1ten8jy.fsf@gmail.com
Hi,

I am also confused.

On Sun., 16 Oct. 2022 at 14:42, Brendan Tildesley <mail@brendan.scot> wrote:

> sha256 hash mismatch for
> /gnu/store/iv6ixlrvh0swq22fjal0cbfbr9ayaq7m-akregator-22.04.3.tar.xz:
>   expected hash: 1yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8
>   actual hash: 08n713271i7ifnbrgwrqmxvcpvj45wfqjiidw8zf9rpwxg2m2m9g
>
>
> However what concerned me more is that when I look in the source code it
> looks like this:
>
> (sha256
>         (base32 "9yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))
>
> Notice how at the start it's a '9', not a '1'?


Indeed, commit 6971feca53a19d60fdd2b39fb2a8966ccf1d6598 pushed on
core-updates reads,

(define-public akregator
(package
(name "akregator")
- (version "21.12.3")
+ (version "22.04.3")
(source
(origin
(method url-fetch)
(uri (string-append "mirror://kde/stable/release-service/" version
"/src/akregator-" version ".tar.xz"))
(sha256
- (base32 "1yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))))
+ (base32 "9yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))))
(build-system qt-build-system)
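Review bot: on the `(base32 …)` lines the new hash differs from the old one only in its first character ("1" to "9") even though the version goes from 21.12.3 to 22.04.3, so the value was not recomputed for the new tarball. The hash should come from hashing the 22.04.3 source (for example with `guix download`, as used later in this message), and a 52-character sha256 value that starts with anything other than 0 or 1 should be rejected at review.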

> Is there a bug with how guix is reading/writing sha256 hashes?

Is it a mistake here? A human-typo replacing ’1’ by ’9’? Or
something else? Petr?


Then, indeed KDE did an in-place replacement since the hash is now,

$ guix download https://mirrors.xtom.de/kde/stable/release-service/22.04.3/src/akregator-22.04.3.tar.xz

Starting download of /tmp/guix-file.JTZn04
From https://mirrors.xtom.de/kde/stable/release-service/22.04.3/src/akregator-22.04.3.tar.xz...
….04.3.tar.xz 2.2MiB 22.2MiB/s 00:00 [##################] 100.0%
/gnu/store/w4jqrza9ffsflim5ilwq7jr75rxicn1g-akregator-22.04.3.tar.xz
08n713271i7ifnbrgwrqmxvcpvj45wfqjiidw8zf9rpwxg2m2m9g

as submitted in patch#57608 [1].



Cheers,
simon
zimoun wrote on 17 Oct 2022 10:49
(address . 58561@debbugs.gnu.org)
87tu42n8ch.fsf@gmail.com
Hi Tobias,

On Sun., 16 Oct. 2022 at 11:45, Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> Oh! This is a fun one!

Oh, cool! Thanks for explaining.


> What Guix could do is refuse to continue when it detects set
> higher bits, as they always indicate programmer error.

Do you mean another linter? Or something else? As a field checker?


Cheers,
simon
Marius Bakke wrote on 17 Oct 2022 13:42
Re: bug#58561: [PATCH 2/2] gnu: akregator: Fix build.
(address . 58561@debbugs.gnu.org)
87pmeqvfqo.fsf@gnu.org
phodina via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> Hi,
>
> unfortunately incorrect hash was pushed in the last patchset.
>
> The patch is already part of the next patch series [1].
>
> Also it's tracked here [2].
>
> 1 https://github.com/phodina/guix/commit/4636279dfb3b96eb5836baad0d8ea36e58ff79ee
> 2 https://issues.guix.gnu.org/57608#8

Whoops, I had missed these patches and pushed similar fixes to 'master':

8681d90d50 gnu: akgregator: Fix source hash.
3d8c243efb gnu: akgregator: Fix build.

Sorry for the duplicate work Brendan & Petr!

phodina wrote on 17 Oct 2022 20:29
Re: bug#58561: Source hash mismatch with aggregator + possible guix bug with hashes.
(name . zimoun)(address . zimon.toutoune@gmail.com)
muCLn_HU-VEtXeZqesLqhiEToNBiXSY7zLfLZGlUbib8EsEJ2oNvjH4PYU4Zq36Si7HS-KkfUGozEUys-gZycFxvIef54FQf5h1OjBq7SUM=@protonmail.com
Hi Simon,

> Indeed, commit 6971feca53a19d60fdd2b39fb2a8966ccf1d6598 pushed on
> core-updates reads,
>
> --8<---------------cut here---------------start------------->8---
>
> (define-public akregator
> (package
> (name "akregator")
> - (version "21.12.3")
> + (version "22.04.3")
> (source
> (origin
> (method url-fetch)
> (uri (string-append "mirror://kde/stable/release-service/" version
> "/src/akregator-" version ".tar.xz"))
> (sha256
> - (base32 "1yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))))
> + (base32 "9yy5c29zxpli4cddknmdvjkgii3j7pvw6lhwqfrqjc8jh83gm8f8"))))
> (build-system qt-build-system)
> --8<---------------cut here---------------end--------------->8---
>
> > Is there a bug with how guix is reading/writing sha256 hashes?
>
>
> Is it a mistake here? A human-typo replacing ’1’ by ’9’? Or
> something else? Petr?

It's just a typo. I used mostly guix refresh for a large part of the packages. Guess I updated this one manually or somehow cast the wrong incantation in Vim.

Sorry for my mistake. I tried to check most of the changes I made in the patch series but this one slipped through in the many rounds of rebuilding Qt and KDE.


----
Petr
Brendan Tildesley wrote on 17 Oct 2022 23:19
Re: [PATCH 2/2] gnu: akregator: Fix build.
(name . phodina)(address . phodina@protonmail.com)(address . 58561@debbugs.gnu.org)
E65573B3-5827-4D61-AD6C-1B30C0CCE5C4@brendan.scot
On October 16, 2022 4:39:16 PM GMT+11:00, phodina <phodina@protonmail.com> wrote:
>Hi,
>
>unfortunately incorrect hash was pushed in the last patchset.
>
>The patch is already part of the next patch series [1].
>
>Also it's tracked here [2].
>
>1 https://github.com/phodina/guix/commit/4636279dfb3b96eb5836baad0d8ea36e58ff79ee
>2 https://issues.guix.gnu.org/57608#8
>
>----
>Petr
>
>
>
>
>Sent with Proton Mail secure email.
>
>------- Original Message -------
>On Sunday, October 16th, 2022 at 6:33 AM, 'Brendan Tildesley <mail@brendan.scot> wrote:
>
>
>> From: Brendan Tildesley mail@brendan.scot
>>
>>
>> * gnu/packages/kde.scm (akregator)[phases]: Fix finding
>> QtWebEngineProcess path.
>> ---
>> gnu/packages/kde.scm | 5 ++---
>> 1 file changed, 2 insertions(+), 3 deletions(-)
>>
>> diff --git a/gnu/packages/kde.scm b/gnu/packages/kde.scm
>> index 37125b1d0b..d0ffb28505 100644
>> --- a/gnu/packages/kde.scm
>> +++ b/gnu/packages/kde.scm
>> @@ -167,9 +167,8 @@ (define-public akregator
>> (lambda* (#:key inputs outputs #:allow-other-keys)
>> (let* ((out (assoc-ref outputs "out"))
>> (bin (string-append out "/bin/akregator"))
>> - (qt-process-path (string-append
>> - (assoc-ref inputs "qtwebengine-5")
>> - "/lib/qt5/libexec/QtWebEngineProcess")))
>> + (qt-process-path (search-input-file
>> + inputs "/lib/qt5/libexec/QtWebEngineProcess")))
>> (wrap-program bin
>> `("QTWEBENGINEPROCESS_PATH" = (,qt-process-path)))))))))
>> (native-inputs
>> --
>> 2.37.2

I think the correct way is to use something like search-input-file instead of ungexping qtwebengine-5, right? Input transformations will not work otherwise?
Brendan Tildesley wrote on 13 May 2023 03:56
Source hash mismatch with aggregator + possible guix bug with hashes.
(address . 58561-close@debbugs.gnu.org)
fdf80509-a5c9-77bf-df2a-040dc70c0a5e@brendan.scot
Issue was fixed and Tobias explained the hash issue.