On Thu, 2022-11-10 at 15:53 +0200, Adrian Bunk wrote:
> 
> Get:1 https://deb.debian.org/debian experimental/main golang-github-grpc-ecosystem-go-grpc-middleware 1.3.0-1 (dsc) [2857 B]
> Err:1 https://deb.debian.org/debian experimental/main golang-github-grpc-ecosystem-go-grpc-middleware 1.3.0-1 (dsc)
>   Hash Sum mismatch
>   Hashes of expected file:
>    - SHA256:8e86e0a9cc31461c0f564e8feefb2e1e9ec05c265ab06e96fd32b7de787bc504
>    - Filesize:2857 [weak]
>    - MD5Sum:c4d33ab09e4f4a95c819dd1de88d0876 [weak]
>   Hashes of received file:
>    - SHA256:8bbee530bbdb11a58a275c34878c372558223c294384897822eba1338b84db82
>    - MD5Sum:8d6eee1b2b773c9be12536396ba949a6 [weak]
>    - Filesize:2857 [weak]
>   Last modification reported: Wed, 26 Oct 2022 14:32:16 +0000
> Get:2 https://deb.debian.org/debian experimental/main golang-github-grpc-ecosystem-go-grpc-middleware 1.3.0-1 (tar) [104 kB]
> Get:3 https://deb.debian.org/debian experimental/main golang-github-grpc-ecosystem-go-grpc-middleware 1.3.0-1 (diff) [2652 B]
> E: Failed to fetch https://deb.debian.org/debian/pool/main/g/golang-github-grpc-ecosystem-go-grpc-middleware/golang-github-grpc-ecosystem-go-grpc-middleware_1.3.0-1.dsc
>   Hash Sum mismatch
>    Hashes of expected file:
>     - SHA256:8e86e0a9cc31461c0f564e8feefb2e1e9ec05c265ab06e96fd32b7de787bc504
>     - Filesize:2857 [weak]
>    Fetched 109 kB in 0s (416 kB/s)
>  - MD5Sum:c4d33ab09e4f4a95c819dd1de88d0876 [weak]
>    Hashes of received file:
>     - SHA256:8bbee530bbdb11a58a275c34878c372558223c294384897822eba1338b84db82
>     - MD5Sum:8d6eee1b2b773c9be12536396ba949a6 [weak]
>     - Filesize:2857 [weak]
>    Last modification reported: Wed, 26 Oct 2022 14:32:16 +0000
> E: Failed to fetch some archives.
> E: apt-get for sources failed
> ...
> 
> 
> I can reproduce the problem locally with
> $ apt-get source golang-github-grpc-ecosystem-go-grpc-middleware/experimental
> 
> This is not supposed to happen, and I haven't seen this before.

So far as I can tell, the timeline is:

- 2022-10-26 package is uploaded
- 2022-10-31 package is removed as obsolete
- 2022-11-03 the same package is re-uploaded, with a different GPG
signature

The file in the archive matches the "expected" hashes, whereas deb.d.o
is returning the original file.

Regards,

Adam
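
Added example, not part of the original thread: one way to check whether two copies of a .dsc that hash differently carry the same signed payload and differ only in the OpenPGP signature block, which is the situation the timeline above describes. The sample files, signature strings and function names are constructed for illustration; the check does not verify either signature.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def clearsigned_body(text: str) -> str:
    """Return the signed payload of an OpenPGP clearsigned file such as a .dsc."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        body_start = lines.index("", start) + 1  # armor headers end at the first blank line
        sig = lines.index(BEGIN_SIG, body_start)
    except ValueError:
        raise ValueError("not a clearsigned document") from None
    # Undo dash-escaping and drop trailing whitespace, which is not part of the signed text.
    body = [l[2:] if l.startswith("- ") else l for l in lines[body_start:sig]]
    return "\n".join(l.rstrip(" \t") for l in body) + "\n"

def classify(expected: bytes, received: bytes) -> str:
    """Compare the file the index describes with the file a mirror served."""
    if hashlib.sha256(expected).digest() == hashlib.sha256(received).digest():
        return "identical"
    same = clearsigned_body(expected.decode()) == clearsigned_body(received.decode())
    return "signature-only" if same else "content-differs"

def _sample(sig: str, version: str = "1.0-1") -> bytes:
    # Constructed stand-in for a .dsc; the signature text is a placeholder, not real armor.
    return (f"{BEGIN_MSG}\nHash: SHA512\n\n"
            "Format: 3.0 (quilt)\nSource: example-package\n"
            f"Version: {version}\n"
            f"{BEGIN_SIG}\n\n{sig}\n-----END PGP SIGNATURE-----\n").encode()

FIRST_UPLOAD = _sample("CONSTRUCTED-SIGNATURE-AAAA")
RE_UPLOAD = _sample("CONSTRUCTED-SIGNATURE-BBBB")
ALTERED = _sample("CONSTRUCTED-SIGNATURE-BBBB", version="1.0-2")

if __name__ == "__main__":
    print(classify(RE_UPLOAD, FIRST_UPLOAD))  # same payload, different signature
    print(classify(RE_UPLOAD, ALTERED))       # payload itself changed
```

A "signature-only" result says the two files describe the same source package; each signature still has to be verified separately before either file is trusted.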
