-
Bug
-
Resolution: Won't Fix
-
P3
-
None
-
14.0.1
-
x86_64
-
linux
ADDITIONAL SYSTEM INFORMATION :
Linux, Fedora31
A DESCRIPTION OF THE PROBLEM :
Hello;
I maintain the OpenJDK package for Buildroot, an Embedded Linux SDK which allows users to build their own embedded Linux firmware from scratch. Recently I discovered that the sha256sum for jdk-14+36.tar.gz has changed from
6815dbac7dd0f86291254e84ed17565c89477eeb6b0847a9648b00ecb4f07634
to
fcd13ebd63d40c1c2f3cabfb7bc368962ff7b5935523be2a0e769352987145ae
Which is quite concerning! Buildroot maintains a mirror for all packages it currently supports, so after failing the initial SHA256sum check, Buildroot re-downloads the tarball from:
http://sources.buildroot.net/openjdk/jdk-14+36.tar.gz
Examining the tarball from https://hg.openjdk.java.net/jdk-updates/jdk14u/archive/jdk-14+36.tar.gz reveals that the tarball has indeed changed, and the .hg_archival.txt file now has a new line:
`tag: jdk-14-ga`
Is this a common occurrence with upstream tarballs? Changing an already released tarball seems like a really REALLY bad idea.
REGRESSION : Last worked in version 14.0.1
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Download the upstream jdk-14+36.tar.gz tarball from https://hg.openjdk.java.net/jdk-updates/jdk14u/archive/jdk-14+36.tar.gz and the original from http://sources.buildroot.net/openjdk/jdk-14+36.tar.gz
Unpack both
Diff both extracted directories
Notice that .hg_archival.txt has changed.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Released tarballs are never changed.
ACTUAL -
The upstream released tarball is changed.
FREQUENCY : always
Linux, Fedora31
A DESCRIPTION OF THE PROBLEM :
Hello;
I maintain the OpenJDK package for Buildroot, an Embedded Linux SDK which allows users to build their own embedded Linux firmware from scratch. Recently I discovered that the sha256sum for jdk-14+36.tar.gz has changed from
6815dbac7dd0f86291254e84ed17565c89477eeb6b0847a9648b00ecb4f07634
to
fcd13ebd63d40c1c2f3cabfb7bc368962ff7b5935523be2a0e769352987145ae
Which is quite concerning! Buildroot maintains a mirror for all packages it currently supports, so after failing the initial SHA256sum check, Buildroot re-downloads the tarball from:
http://sources.buildroot.net/openjdk/jdk-14+36.tar.gz
Examining the tarball from https://hg.openjdk.java.net/jdk-updates/jdk14u/archive/jdk-14+36.tar.gz reveals that the tarball has indeed changed, and the .hg_archival.txt file now has a new line:
`tag: jdk-14-ga`
Is this a common occurrence with upstream tarballs? Changing an already released tarball seems like a really REALLY bad idea.
REGRESSION : Last worked in version 14.0.1
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Download the upstream jdk-14+36.tar.gz tarball from https://hg.openjdk.java.net/jdk-updates/jdk14u/archive/jdk-14+36.tar.gz and the original from http://sources.buildroot.net/openjdk/jdk-14+36.tar.gz
Unpack both
Diff both extracted directories
Notice that .hg_archival.txt has changed.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Released tarballs are never changed.
ACTUAL -
The upstream released tarball is changed.
FREQUENCY : always