[PROJ] CI problems with xz

Javier Jimenez Shaw j1 at jimenezshaw.com
Mon Apr 1 03:05:35 PDT 2024


Thanks Markus

That topic is trending on Mastodon now. Complicated not to read about it.

Not only the latest versions are disabled: the whole repo
https://github.com/tukaani-project/xz/  O_O
I find it strange that it complains about a different hash, when it cannot
download the file at all.
And it only fails on Windows! Are we using a different library in Linux?

Cheers

On Mon, 1 Apr 2024 at 11:55, Markus Neteler <neteler at osgeo.org> wrote:

> On Mon, Apr 1, 2024 at 11:50 AM Javier Jimenez Shaw via PROJ
> <proj at lists.osgeo.org> wrote:
> >
> > I just updated my master branch of PROJ, and got emails about Windows failing
> >
> > https://github.com/jjimenezshaw/PROJ/actions/runs/8506414730/job/23296571430
> >
> > Downloading https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz
> > [DEBUG] Trying to hash C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part
> > [DEBUG] C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part has hash 7e3f1d71073b8e63db9aed60da80545ac06ee4c5177d6ecab528ebd16efc1bb1e4280b6ed5211dcba1069392d4023fa3356b1cc9aff57b9537f7fc4d6b3fa989
> > error: Failed to download from mirror set
> > error: File does not have the expected hash:
> > url: https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz
> > File: C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part
> > Expected hash: 0aa74e01c019c1d3893cf16f53b300ba4e74c6aa9febabf57ddb49b28615d76862eeb746c54c2085efd37c7e8cc0829014d9b7ad481a76294bc929b3cca91336
> > Actual hash: 7e3f1d71073b8e63db9aed60da80545ac06ee4c5177d6ecab528ebd16efc1bb1e4280b6ed5211dcba1069392d4023fa3356b1cc9aff57b9537f7fc4d6b3fa989
> >
> > ... interesting.
>
> The latest xz library version(s) have been backdoored and hence
> disabled on GitHub.
> Random page:
>
> https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
>
> Markus
>