On Thu, 2022-11-10 at 15:53 +0200, Adrian Bunk wrote:
> Get:1 https://deb.debian.org/debian experimental/main golang-github-
> grpc-ecosystem-go-grpc-middleware 1.3.0-1 (dsc) [2857 B]
> Err:1 https://deb.debian.org/debian experimental/main golang-github-
> grpc-ecosystem-go-grpc-middleware 1.3.0-1 (dsc)
> Hash Sum mismatch
> Hashes of expected file:
> -
> SHA256:8e86e0a9cc31461c0f564e8feefb2e1e9ec05c265ab06e96fd32b7de787bc5
> 04
> - Filesize:2857 [weak]
> - MD5Sum:c4d33ab09e4f4a95c819dd1de88d0876 [weak]
> Hashes of received file:
> -
> SHA256:8bbee530bbdb11a58a275c34878c372558223c294384897822eba1338b84db
> 82
> - MD5Sum:8d6eee1b2b773c9be12536396ba949a6 [weak]
> - Filesize:2857 [weak]
> Last modification reported: Wed, 26 Oct 2022 14:32:16 +0000
> Get:2 https://deb.debian.org/debian experimental/main golang-github-
> grpc-ecosystem-go-grpc-middleware 1.3.0-1 (tar) [104 kB]
> Get:3 https://deb.debian.org/debian experimental/main golang-github-
> grpc-ecosystem-go-grpc-middleware 1.3.0-1 (diff) [2652 B]
> E: Failed to fetch
> https://deb.debian.org/debian/pool/main/g/golang-github-grpc-ecosystem-go-grpc-middleware/golang-github-grpc-ecosystem-go-grpc-middleware_1.3.0-1.dsc
> Hash Sum mismatch
> Hashes of expected file:
> -
> SHA256:8e86e0a9cc31461c0f564e8feefb2e1e9ec05c265ab06e96fd32b7de787bc5
> 04
> - Filesize:2857 [weak]
> Fetched 109 kB in 0s (416 kB/s)
> - MD5Sum:c4d33ab09e4f4a95c819dd1de88d0876 [weak]
> Hashes of received file:
> -
> SHA256:8bbee530bbdb11a58a275c34878c372558223c294384897822eba1338b84db
> 82
> - MD5Sum:8d6eee1b2b773c9be12536396ba949a6 [weak]
> - Filesize:2857 [weak]
> Last modification reported: Wed, 26 Oct 2022 14:32:16 +0000
> E: Failed to fetch some archives.
> E: apt-get for sources failed
> ...
>
>
> I can reproduce the problem locally with
> $ apt-get source golang-github-grpc-ecosystem-go-grpc-
> middleware/experimental
>
> This is not supposed to happen, and I haven't seen this before.

So far as I can tell, the timeline is:

- 2022-10-26 package is uploaded
- 2022-10-31 package is removed as obsolete
- 2022-11-03 the same package is re-uploaded, with a different GPG signature

The file in the archive matches the "expected" hashes, whereas deb.d.o is returning the original file.

Regards,

Adam
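
An added example, not part of the thread above and not apt's own code: a small checker that reads the `Checksums-Sha256` field of a Sources index stanza and classifies a fetched file, separating the case reported here (Filesize matches, SHA256 differs, as with a re-signed `.dsc` served from a stale cache) from a truncated or unrelated file. The package name, file contents and function names are constructed for illustration.

```python
import hashlib

def parse_sha256_field(stanza: str) -> dict:
    """Return {filename: (sha256_hex, size)} from a Sources stanza."""
    entries, in_field = {}, False
    for line in stanza.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            # Continuation lines have the form: " <sha256> <size> <filename>"
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = False  # next field (or blank line) ends the list
    return entries

def check_file(name: str, data: bytes, expected: dict) -> str:
    """Compare a received file against the index entry for `name`."""
    if name not in expected:
        return "not-in-index"
    want_hash, want_size = expected[name]
    if hashlib.sha256(data).hexdigest() == want_hash:
        return "ok"
    if len(data) == want_size:
        # Same length, different bytes: consistent with the same version
        # being re-uploaded with a different signature block.
        return "same-size-different-content"
    return "size-and-hash-differ"

# Constructed sample data: two uploads of the same version that differ
# only in their (placeholder) signature bytes, so the sizes are equal.
NAME = "example-pkg_1.0-1.dsc"
BODY = b"Format: 3.0 (quilt)\nSource: example-pkg\nVersion: 1.0-1\n"
STALE_DSC = BODY + b"signature: AAAAAAAA\n"    # first upload, still cached
CURRENT_DSC = BODY + b"signature: BBBBBBBB\n"  # re-upload, what the index lists

STANZA = (
    "Package: example-pkg\n"
    "Version: 1.0-1\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(CURRENT_DSC).hexdigest()} {len(CURRENT_DSC)} {NAME}\n"
    "Directory: pool/main/e/example-pkg\n"
)

if __name__ == "__main__":
    index = parse_sha256_field(STANZA)
    print("mirror copy :", check_file(NAME, STALE_DSC, index))
    print("archive copy:", check_file(NAME, CURRENT_DSC, index))
```
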