<div dir="ltr"><div>Thanks Markus</div><div><br></div><div>That topic is trending on Mastodon now. It's complicated not to read about it.</div><div><br></div><div>Not only the latest versions are disabled: the whole repo <a href="https://github.com/tukaani-project/xz/">https://github.com/tukaani-project/xz/</a> O_O</div><div>I find it strange that it complains about a different hash, when it cannot download the file at all.</div><div></div><div>And it only fails on Windows! Are we using a different library in Linux?</div><div><br></div><div>Cheers<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 1 Apr 2024 at 11:55, Markus Neteler <<a href="mailto:neteler@osgeo.org">neteler@osgeo.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Apr 1, 2024 at 11:50 AM Javier Jimenez Shaw via PROJ<br>
<<a href="mailto:proj@lists.osgeo.org" target="_blank">proj@lists.osgeo.org</a>> wrote:<br>
><br>
> I just updated my master branch of PROJ, and got emails about Windows failing<br>
> <a href="https://github.com/jjimenezshaw/PROJ/actions/runs/8506414730/job/23296571430" rel="noreferrer" target="_blank">https://github.com/jjimenezshaw/PROJ/actions/runs/8506414730/job/23296571430</a><br>
><br>
> Downloading <a href="https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz" rel="noreferrer" target="_blank">https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz</a><br>
> [DEBUG] Trying to hash C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part<br>
> [DEBUG] C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part has hash 7e3f1d71073b8e63db9aed60da80545ac06ee4c5177d6ecab528ebd16efc1bb1e4280b6ed5211dcba1069392d4023fa3356b1cc9aff57b9537f7fc4d6b3fa989<br>
> error: Failed to download from mirror set<br>
> error: File does not have the expected hash:<br>
> url: <a href="https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz" rel="noreferrer" target="_blank">https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz</a><br>
> File: C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part<br>
> Expected hash: 0aa74e01c019c1d3893cf16f53b300ba4e74c6aa9febabf57ddb49b28615d76862eeb746c54c2085efd37c7e8cc0829014d9b7ad481a76294bc929b3cca91336<br>
> Actual hash: 7e3f1d71073b8e63db9aed60da80545ac06ee4c5177d6ecab528ebd16efc1bb1e4280b6ed5211dcba1069392d4023fa3356b1cc9aff57b9537f7fc4d6b3fa989<br>
><br>
> ... interesting.<br>
<br>
The latest xz library version(s) have been backdoored and hence<br>
disabled on GitHub.<br>
Random page:<br>
<a href="https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/" rel="noreferrer" target="_blank">https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/</a><br>
<br>
Markus<br>
</blockquote></div>