
Tarball release mutated in place (v1.0.0-rc6) #2895

Closed
Apteryks opened this issue Apr 6, 2021 · 4 comments

Comments

@Apteryks

Apteryks commented Apr 6, 2021

Hello,

It was reported to Guix that the tarball for the v1.0.0-rc6 release was mutated in place, and indeed it has:

$ wget https://ci.guix.gnu.org/file/runc-1.0.0-rc6.tar.xz/sha256/1c7832dq70slkjh8qp2civ1wxhhdd2hrx84pq7db1mmqc9fdr3cc -O old.tar.xz

$ wget https://github.com/opencontainers/runc/releases/download/v1.0.0-rc6/runc.tar.xz -O new.tar.xz

$ diffoscope old.tar.xz new.tar.xz

[...]
│ │┄ Files identical despite different names
│ │   --- runc-1.0.0-rc6/vendor/golang.org/x/sys/windows/service.go
│ ├── +++ runc-1.0.0-rc6vendor/golang.org/x/sys/windows/service.go
│ │┄ Files identical despite different names
│ │   --- runc-1.0.0-rc6/vendor/golang.org/x/sys/windows/syscall.go
│ ├── +++ runc-1.0.0-rc6vendor/golang.org/x/sys/windows/syscall.go
│ │┄ Files identical despite different names
│ │   --- runc-1.0.0-rc6/vendor/golang.org/x/sys/windows/syscall_windows.go
│ ├── +++ runc-1.0.0-rc6vendor/golang.org/x/sys/windows/syscall_windows.go
│ │┄ Files identical despite different names
│ │   --- runc-1.0.0-rc6/vendor/golang.org/x/sys/windows/types_windows.go
│ ├── +++ runc-1.0.0-rc6vendor/golang.org/x/sys/windows/types_windows.go
│ │┄ Files identical despite different names
│ │   --- runc-1.0.0-rc6/vendor/golang.org/x/sys/windows/zsyscall_windows.go
│ ├── +++ runc-1.0.0-rc6vendor/golang.org/x/sys/windows/zsyscall_windows.go
│ │┄ Files identical despite different names

It seems a slash went missing in the modified tarball? I'm not sure what motivated this change, but in any case, changes to tarballs should go to a new, differently named tarball (e.g., patch release); otherwise many downstream users will be affected (e.g., those verifying the checksum of the release tarballs).

Thank you!
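The two things the report above catches by hand (a release tarball whose bytes no longer match the checksum recorded downstream, and members whose paths lost the `runc-1.0.0-rc6/` directory prefix) can be checked automatically. The following is an added example, not code from the issue or from the runc project: it pins a SHA-256 over the raw tarball bytes, then walks the archive and flags any member not under the expected top-level directory. The `EXPECTED_PREFIX` value, the `verify_release` helper and the two in-memory `.tar.xz` archives are constructed for the example; the "malformed" one reproduces the missing-slash layout shown in the diffoscope output.

```python
import hashlib
import io
import tarfile
from typing import List

# Top-level directory every member of a well-formed release tarball should live under.
# Assumption for this example; a packaging recipe would pin it per release.
EXPECTED_PREFIX = "runc-1.0.0-rc6/"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the raw tarball bytes (the value a packager records)."""
    return hashlib.sha256(data).hexdigest()


def check_pinned_hash(data: bytes, pinned_hex: str) -> bool:
    """True if the downloaded bytes still match the hash recorded at packaging time."""
    return sha256_of(data) == pinned_hex.lower()


def find_misplaced_members(data: bytes, prefix: str) -> List[str]:
    """Return member names that are not inside `prefix`.

    A member named 'runc-1.0.0-rc6vendor/...' (slash missing) is flagged,
    while 'runc-1.0.0-rc6' itself (the directory entry) is allowed.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.name == prefix.rstrip("/") or member.name.startswith(prefix):
                continue
            bad.append(member.name)
    return bad


def verify_release(data: bytes, pinned_hex: str, prefix: str) -> dict:
    """Combine both checks into one report a packaging recipe can act on."""
    misplaced = find_misplaced_members(data, prefix)
    return {
        "hash_ok": check_pinned_hash(data, pinned_hex),
        "misplaced": misplaced,
        "layout_ok": not misplaced,
    }


def build_tarball(member_names: List[str]) -> bytes:
    """Construct a tiny .tar.xz in memory. Constructed sample data, not the real release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tf:
        for name in member_names:
            payload = b"package windows\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed stand-ins for the original upload and the mutated one described in the issue.
GOOD = build_tarball([
    "runc-1.0.0-rc6/vendor/golang.org/x/sys/windows/service.go",
    "runc-1.0.0-rc6/vendor/golang.org/x/sys/windows/syscall.go",
])
MALFORMED = build_tarball([
    "runc-1.0.0-rc6vendor/golang.org/x/sys/windows/service.go",
    "runc-1.0.0-rc6vendor/golang.org/x/sys/windows/syscall.go",
])
# What the packager recorded when the release first went up (here: hash of GOOD).
PINNED = sha256_of(GOOD)

if __name__ == "__main__":
    print("original:", verify_release(GOOD, PINNED, EXPECTED_PREFIX))
    print("mutated: ", verify_release(MALFORMED, PINNED, EXPECTED_PREFIX))
```

The hash check alone tells a packager that something changed; the layout check tells them what kind of change it was, which is the difference between "re-verify and re-pin" and "this archive is broken, do not ship it". Note the hash on the Guix URL in the report is in Guix's nix-base32 encoding, not hex, so a recipe comparing against that value has to convert it first.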

@cyphar
Member

cyphar commented Apr 7, 2021

This happened because of #2537, but the tarballs shouldn't have changed (in fact the tarball is actually malformed now). I will fix it up. (However I would mention that nobody should be using runc-1.0.0-rc6 anymore -- it is hideously out of date and is missing quite a few security critical patches.)

@cyphar
Member

cyphar commented Apr 7, 2021

Okay, the 1.0.0-rc6 tarball has been fixed. I will check the other releases as well.

@cyphar cyphar closed this as completed Apr 7, 2021
@cyphar
Member

cyphar commented Apr 7, 2021

Oh no, it looks like all the releases up until -rc92 have malformed tarballs... (Which means they all had their artefacts changed in 2020 as well.)

EDIT: I did a rebuild and re-publish of all releases that had broken archives (from 1.0.0-rc2 up to 1.0.0-rc91, inclusive).

@Apteryks
Author

Apteryks commented Apr 7, 2021

> This happened because of #2537, but the tarballs shouldn't have changed (in fact the tarball is actually malformed now). I will fix it up. (However I would mention that nobody should be using runc-1.0.0-rc6 anymore -- it is hideously out of date and is missing quite a few security critical patches.)

Agreed; we're now using 1.0.0-rc93. Thanks for fixing the tarballs!
