Subject: Proper follow-up for bad package checksums?
To: None <netbsd-help@netbsd.org>
From: Johan A. van Zanten <johan@ewranglers.com>
List: netbsd-help
Date: 09/05/2002 00:42:17
Greetings and salutations.
So i'm currently seeing a problem with compiling libpng from pkgsrc:
=> Attempting to fetch libpng-1.2.1.tar.gz from http://prdownloads.sourceforge.net/libpng/.
=> [493105 bytes]
Requesting http://prdownloads.sourceforge.net/libpng/libpng-1.2.1.tar.gz
=> Checksum mismatch for libpng-1.2.1.tar.gz.
Make sure the Makefile and checksum file (/local/src/NetBSD/packages/pkgsrc/graphics/png/distinfo)
I have verified that the "distinfo" file is up to date (by doing "cvs
update" in the png directory).
I've read through the NetBSD documentation for packages (pkgsrc) and i'm
not 100% clear on the most desirable procedure for getting checksums
updated for particular packages.
ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/Packages.txt says:
10.15 How to handle modified distfiles with the 'old' name
==========================================================
Sometimes authors of a software package make some modifications after the
software was released, and they put up a new distfile without changing the
package's version number. If a package is already in pkgsrc at that time,
the md5 checksum will no longer match. The correct way to work around this
is to update the package's md5 checksum to match the package on the master
site (beware, any mirrors may not be up to date yet!), and to remove the
old distfile from ftp.netbsd.org's /pub/NetBSD/packages/distfiles directory.
Furthermore, a mail to the package's author seems appropriate making sure
the distfile was really updated on purpose, and that no trojan horse or so
crept in.
I went to the download page for libpng,
http://www.libpng.org/pub/png/libpng.html , but unfortunately, it does not
list a checksum for the libpng archive.
So what's the best way to proceed now? I can contact the author/owner of the
libpng tar file and ask for a checksum, but whom at NetBSD should i supply
that to?
And since this work is being done, how hairy would it be to move up to
the latest revision of libpng (1.2.4) from NetBSD's current package
revision of 1.2.1? I expect there are more than a few that depend upon
libpng.
-johan