You are correct. I found that the filenames in the sha1 do not reflect reality. Typically the files are really only used by sa-update so it doesn't cause an issue.
-- Kevin A. McGrail Asst. Treasurer & VP Fundraising, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Mon, Mar 19, 2018 at 5:19 PM, Dave Warren <d...@thedave.ca> wrote: > When investigating the recent report of my mirror returning bad tar.gz > files, I decided to try and validate the tar.gz files against the > tar.gz.sha1 files and I'm initially getting a lot of errors. > > I first tried a sha1sum --check against each of the *.sha1 files (okay, I > rewrote the paths on the fly). This method shows I am missing a ton of > files. A couple examples: > > 1821598.tar.gz.sha1 only has a hash for "update.tgz", which is not a file > I have. 1821598.tar.gz does match though. > > 1083703.tar.gz.sha1 only has a hash for 1083378.tar.gz, a file I also do > not possess. > > If I just compare the *.tar.gz files against a matching *.tar.gz.sha1 file > and only look at the hash (ignoring the filenames completely) then > everything validates correctly, so I don't believe I have any data errors. > This helps to confirm my belief that my issue was due to overly aggressive > caching on the web server and not due to any problems on the underlying > storage. > > Is it expected that the filenames within the .sha1 files don't reflect > reality? >