RHEL repo package crc mismatches

Started by Evan Rempel, almost 3 years ago, 10 messages, general
#1 Evan Rempel
erempel@uvic.ca

At our site we use reposync to copy the postgresql repositories to a
local repository.

When doing this on April 28 (and since) I experience the following
package checksum matching errors.

For the pgdg13 RHEL 8 repository

[MIRROR] pg_auto_failover_13-1.6.3-1.rhel8.x86_64.rpm: Downloading
successful, but checksum doesn't match. Calculated:
5196edcfe1d6af6c0e90ad9a25667613bdfa0731a84fa9a1dbaa7080b4a3caac(sha256)
Expected:
8d4527c96e9c8a3ff86d75aa85c166899ee895e9522c6720223f0f93b658f8d6(sha256)

[MIRROR] e-maj_13-4.0.1-1.rhel8.x86_64.rpm: Downloading successful, but
checksum doesn't match. Calculated:
f7576cb1cd22303cb3dbb2a86911ad3f9e57afa8472a31f1a6a1f176f708fa1d(sha256)
Expected:
8c56cacb99771c4f06be2551988e553a70ea5e5459202e12e0e92fdeb7371621(sha256)

For the pgdg12 RHEL 8 repository

[MIRROR] pg_auto_failover_12-llvmjit-1.6.3-1.rhel8.x86_64.rpm:
Downloading successful, but checksum doesn't match. Calculated:
9bfdaccc3a151fd847bbb5e622a9384648cf963faacd90dc9b31cd433e23a3c0(sha256)
Expected:
aa5e3dc99cabfe22839ed0b9501a0099af139bf8551344a3b198ac048218ceee(sha256)

I think it is just metadata information, but it sounds scary.

Can anyone comment?

--
Evan

#2 Brainmue
brainmue@weiller.eu
In reply to: Evan Rempel (#1)
Re: RHEL repo package crc mismatches

Hello Evan,

we have exactly the same problem and don't feel comfortable with it at the moment either.
We even synchronise several versions and this problem occurs with all of them.
Can anyone confirm that the packages have not been changed inadvertently but only the metadata is
wrong?
Here are the changes with us.

For the pgdg11 RHEL 7 repository:

[MIRROR] ogr_fdw_11-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match.
Calculated: c61d0bb8cdc2c386b57d8968b509f9fe7bf7693b3f86af730128797d087c0caa(sha256) Expected:
a963ae2eb874da055db63953cf0eb0d62e24d16abd6e8d4dab615ba4fadaefd8(sha256)
[MIRROR] ogr_fdw_11-llvmjit-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't
match. Calculated: 1be687c8721e7683f7efbfe51b9bd9532f7c7326d344e83e8928667cbc524cd3(sha256)
Expected: 52aa7c905fd802bfea5cf7e89b80b7523b2a16309575cdbe9d68df4179ec1f6b(sha256)
[MIRROR] pg_auto_failover_11-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't
match. Calculated: abd1ede633fe8dc7721e1e09783e300c8d5a5e9b226257c67969e2bfbf7ce4f9(sha256)
Expected: 0b29fc748639210c76af4b1870772780ba13a04698886e78514e7fb1baac9781(sha256)

For the pgdg13 RHEL 7 repository:

[MIRROR] ogr_fdw_13-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match.
Calculated: d2ea23dc8b866c09eb620187e40147daae1a60f2a31370a88fd119b08a5f8816(sha256) Expected:
a39bc56ebc34de96321af69f99862819fe36516775cb155f599c839c098a0030(sha256)
[MIRROR] ogr_fdw_13-llvmjit-1.1.0-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't
match. Calculated: f2d981ba5ae5e54ac420f881c27eaba3af6b506638feed9f686273272083b479(sha256)
Expected: 5e6baa1e8169da8251f4a3c47c8db0ab4344977c0ed4a8f1042d353a50e4e304(sha256)
[MIRROR] pg_auto_failover_13-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't
match. Calculated: 01ce463c8487d52986e347025266167135f0a866c37590c784e7e3e5d8e43817(sha256)
Expected: e35c32a27f5c97596d74fca03e416cb743bf188fdc0dfaf736cc68a20801a5c9(sha256)

For the pgdg14 RHEL 7 repository:

[MIRROR] pg_auto_failover_14-1.6.3-1.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't
match. Calculated: 7b72deadb029a8752717c832cde2e23d87e341037765086d88ac6d96816ebe89(sha256)
Expected: 55de94cebb1967c4f1edb1a0be14246173c05168261a76d141e819f607e83ee3(sha256)

Thank you for checking.

Greetings
Michael

#3 Devrim GÜNDÜZ
devrim@gunduz.org
In reply to: Evan Rempel (#1)
Re: RHEL repo package crc mismatches

Hi,

On Tue, 2023-05-02 at 12:38 -0700, Evan Rempel wrote:

At our site we use reposync to copy the postgresql repositories to a
local repository.

When doing this on April 28 (and since) I experience the following
package checksum matching errors.

<snip>

Thanks for the report.

This definitely does not look like a security issue, but I need to run
further checks. I think it is an rsync issue.

I'll reply again as soon as I'm done.

Regards,

--
Devrim Gündüz
Open Source Solution Architect, PostgreSQL Major Contributor
Twitter: @DevrimGunduz , @DevrimGunduzTR

#4 Bruce Momjian
bruce@momjian.us
In reply to: Brainmue (#2)
Re: RHEL repo package crc mismatches

The packagers are researching this problem now.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Embrace your flaws. They make you human, rather than perfect,
which you will never be.

#5 Brainmue
brainmue@weiller.eu
In reply to: Bruce Momjian (#4)
Re: RHEL repo package crc mismatches

Hello Bruce,

Thanks for the update. Let's see what will come out.

Greetings
Michael

#6 Devrim GÜNDÜZ
devrim@gunduz.org
In reply to: Evan Rempel (#1)
Re: RHEL repo package crc mismatches

Hi again,

On Tue, 2023-05-02 at 12:38 -0700, Evan Rempel wrote:

At our site we use reposync to copy the postgresql repositories to a
local repository.

When doing this on April 28 (and since) I experience the following
package checksum matching errors.

<snip>

I can confirm that this is caused by signing unsigned packages last
week, but rsync failing to update main server(s). So this is *not* a
security issue.

However, as a precaution, I removed problematic packages from the
repository. They were too old anyway. I did not want to push updated
checksums for the same packages.

Please let me know if this solves your problem.

Again, thanks for the report.

Regards,
--
Devrim Gündüz
Open Source Solution Architect, PostgreSQL Major Contributor
Twitter: @DevrimGunduz , @DevrimGunduzTR
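
Added example, not part of the thread and not PGDG or dnf code: one way a mirror operator can triage the two situations reported here, a file whose digest no longer matches the repository metadata and a local file that the metadata no longer lists. The sample files, package names and primary.xml content are constructed; "re-signing" is simulated by prepending bytes to the same payload.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}  # namespace of repodata primary.xml

# One "[MIRROR] ... checksum doesn't match" report; \s* and DOTALL tolerate mail line wrapping.
MIRROR_RE = re.compile(
    r"\[MIRROR\]\s+(\S+\.rpm):.*?Calculated:\s*([0-9a-f]{64})\(sha256\)"
    r"\s*Expected:\s*([0-9a-f]{64})\(sha256\)", re.DOTALL)

def parse_mirror_errors(log_text):
    """Return {rpm filename: (calculated, expected)} from reposync output."""
    return {m.group(1): (m.group(2), m.group(3)) for m in MIRROR_RE.finditer(log_text)}

def metadata_checksums(primary_xml):
    """Return {rpm filename: sha256} as recorded in primary.xml."""
    recorded = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        checksum = pkg.find("c:checksum", NS)
        location = pkg.find("c:location", NS)
        if checksum is None or location is None or checksum.get("type") != "sha256":
            continue
        recorded[location.get("href").rsplit("/", 1)[-1]] = checksum.text.strip()
    return recorded

def audit(mirror_files, primary_xml):
    """Classify each mirrored file against the metadata it was synced with."""
    recorded = metadata_checksums(primary_xml)
    result = {}
    for name, data in mirror_files.items():
        if name not in recorded:
            result[name] = "not-in-metadata"   # stale local copy: resync
        elif hashlib.sha256(data).hexdigest() == recorded[name]:
            result[name] = "ok"
        else:
            result[name] = "mismatch"          # file and metadata disagree
    return result

# Constructed sample data (not real packages or real repodata).
ORIGINAL = b"constructed rpm bytes"
RESIGNED = b"constructed signature header" + ORIGINAL   # same payload, new header
SAMPLE_FILES = {
    "demo_13-1.0-1.rhel8.x86_64.rpm": RESIGNED,
    "other_13-2.0-1.rhel8.x86_64.rpm": b"unchanged",
    "old_13-0.9-1.rhel8.x86_64.rpm": b"removed upstream",
}
SAMPLE_PRIMARY = """<metadata xmlns="http://linux.duke.edu/metadata/common" packages="2">
<package type="rpm"><name>demo_13</name>
<checksum type="sha256" pkgid="YES">{}</checksum>
<location href="d/demo_13-1.0-1.rhel8.x86_64.rpm"/></package>
<package type="rpm"><name>other_13</name>
<checksum type="sha256" pkgid="YES">{}</checksum>
<location href="o/other_13-2.0-1.rhel8.x86_64.rpm"/></package>
</metadata>""".format(hashlib.sha256(ORIGINAL).hexdigest(), hashlib.sha256(b"unchanged").hexdigest())

if __name__ == "__main__":
    for name, status in audit(SAMPLE_FILES, SAMPLE_PRIMARY).items():
        print(f"{status:16} {name}")
```

A "mismatch" only says the file and the metadata disagree; whether the file itself is trustworthy is decided by verifying its GPG signature against the repository's published key.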

#7 Evan Rempel
erempel@uvic.ca
In reply to: Devrim GÜNDÜZ (#6)
Re: RHEL repo package crc mismatches

Thank you. That does solve my problem.

Evan.

#8 Brainmue
brainmue@weiller.eu
In reply to: Devrim GÜNDÜZ (#6)
Re: RHEL repo package crc mismatches

Hello Devrim,

The problem is fixed in most of the repositories I synchronise, but in one I now have a new one. With the package: postgresql13-odbc-13.00.0000-1PGDG.rhel7.x86_64.rpm

For the pgdg13 RHEL 7 repository:

[MIRROR] postgresql13-odbc-13.00.0000-1PGDG.rhel7.x86_64.rpm: Downloading successful, but checksum doesn't match. Calculated: 2fa1642932c950ca5597d64a129fc78d2fb3909c898ade5f9bff4db73fb39ae5(sha256) Expected: 9ed5b91c12e072d871314bfa5e8ec991bb312f360f7d1e3af8ece78945931900(sha256)

It would be great if you could correct that too.

Thank you very much.

Greetings
Michael

#9 Devrim GÜNDÜZ
devrim@gunduz.org
In reply to: Brainmue (#8)
Re: RHEL repo package crc mismatches

Hi Michael,

On Thu, 2023-05-04 at 04:46 +0000, Brainmue wrote:

The problem is fixed in most of the repositories I synchronise, but in
one I now have a new one. With the package:
postgresql13-odbc-13.00.0000-1PGDG.rhel7.x86_64.rpm

For the pgdg13 RHEL 7 repository:

[MIRROR] postgresql13-odbc-13.00.0000-1PGDG.rhel7.x86_64.rpm:
Downloading successful, but checksum doesn't match. Calculated:
2fa1642932c950ca5597d64a129fc78d2fb3909c898ade5f9bff4db73fb39ae5(sha256)
Expected:
9ed5b91c12e072d871314bfa5e8ec991bb312f360f7d1e3af8ece78945931900(sha256)

It would be great if you could correct that too.

This package does not exist on main side, I believe you may need to sync
again.

Regards,
--
Devrim Gündüz
Open Source Solution Architect, PostgreSQL Major Contributor
Twitter: @DevrimGunduz , @DevrimGunduzTR

#10 Brainmue
brainmue@weiller.eu
In reply to: Devrim GÜNDÜZ (#9)
Re: RHEL repo package crc mismatches

Hello Devrim,

You were absolutely right.
Resynchronising solved the problem.
Now everything is OK again.
Thanks for the quick help.

Greetings
Michael
