Subject: Proper follow-up for bad package checksums?
To: None <netbsd-help@netbsd.org>
From: Johan A. van Zanten <johan@ewranglers.com>
List: netbsd-help
Date: 09/05/2002 00:42:17
Greetings and salutations.

So I'm currently seeing a problem with compiling libpng from pkgsrc:

=> Attempting to fetch libpng-1.2.1.tar.gz from http://prdownloads.sourceforge.net/libpng/.
=> [493105 bytes]
Requesting http://prdownloads.sourceforge.net/libpng/libpng-1.2.1.tar.gz
=> Checksum mismatch for libpng-1.2.1.tar.gz.
Make sure the Makefile and checksum file (/local/src/NetBSD/packages/pkgsrc/graphics/png/distinfo)

I have verified that the "distinfo" file is up to date (by doing "cvs
update" in the png directory).

I've read through the NetBSD documentation for packages (pkgsrc) and I'm
not 100% clear on the most desirable procedure for getting checksums
updated for particular packages.

ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/Packages.txt says:

 10.15 How to handle modified distfiles with the 'old' name
 ==========================================================

 Sometimes authors of a software package make some modifications after the
 software was released, and they put up a new distfile without changing the
 package's version number. If a package is already in pkgsrc at that time, 
 the md5 checksum will no longer match. The correct way to work around this
 is to update the package's md5 checksum to match the package on the master
 site (beware, any mirrors may not be up to date yet!), and to remove the 
 old distfile from ftp.netbsd.org's /pub/NetBSD/packages/distfiles directory.
 Furthermore, a mail to the package's author seems appropriate making sure
 the distfile was really updated on purpose, and that no trojan horse or so
 crept in.


I went to the download page for libpng,
http://www.libpng.org/pub/png/libpng.html , but unfortunately, it does not
list a checksum for the libpng archive.

So what's the best way to proceed now?  I can contact the author/owner of the
libpng tar file and ask for a checksum, but whom at NetBSD should I supply
that to?

And since this work is being done, how hairy would it be to move up to
the latest revision of libpng (1.2.4) from NetBSD's current package
revision of 1.2.1?  I expect there are more than a few that depend upon
libpng.

 -johan
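
Added example, not part of the original message and not pkgsrc's own code: a Python check of a fetched distfile against its distinfo entry that reports which recorded fields (size, digest) differ, which is the detail worth including when mailing upstream or the package maintainer. The distinfo line layout ("SHA1 (file) = hex", "Size (file) = N bytes"), the file name example-1.0.tar.gz and the sample contents are assumptions constructed for this example.

```python
import hashlib
import os
import re
import tempfile

# distinfo digest fields this example knows how to recompute (assumed set).
ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Assumed BSD-style line: FIELD (filename) = value [bytes]
LINE = re.compile(r"^(\w+) \((.+)\) = (\S+)")

def parse_distinfo(text):
    """Return {filename: {FIELD: value}}; non-matching lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            field, name, value = m.groups()
            entries.setdefault(name, {})[field.upper()] = value.lower()
    return entries

def check_distfile(path, expected):
    """Return (sorted list of differing fields, values computed from the file)."""
    with open(path, "rb") as f:
        data = f.read()
    actual = {"SIZE": str(len(data))}
    for field in expected:
        if field in ALGOS:
            actual[field] = hashlib.new(ALGOS[field], data).hexdigest()
    differing = sorted(k for k in actual if k in expected and actual[k] != expected[k])
    return differing, actual

def demo():
    """Check an unchanged file and a re-rolled one against one distinfo entry."""
    good = b"constructed stand-in for a release tarball\n"
    rerolled = good + b"upstream change, same file name\n"
    distinfo = ("$NetBSD$\n\n"
                "SHA1 (example-1.0.tar.gz) = %s\n"
                "Size (example-1.0.tar.gz) = %d bytes\n"
                % (hashlib.sha1(good).hexdigest(), len(good)))
    want = parse_distinfo(distinfo)["example-1.0.tar.gz"]
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-1.0.tar.gz")
        for content in (good, rerolled):
            with open(path, "wb") as f:
                f.write(content)
            results.append(check_distfile(path, want)[0])
    return results

if __name__ == "__main__":
    print(demo())
```

Running the same check on copies fetched from the master site and from a mirror shows whether both serve the same file before any checksum in distinfo is changed.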