[PROJ] CI problems with xz

Markus Neteler neteler at osgeo.org
Mon Apr 1 02:55:35 PDT 2024


On Mon, Apr 1, 2024 at 11:50 AM Javier Jimenez Shaw via PROJ
<proj at lists.osgeo.org> wrote:
>
> I just updated my master branch of PROJ, and got emails about Windows failing
> https://github.com/jjimenezshaw/PROJ/actions/runs/8506414730/job/23296571430
>
> Downloading https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz
> [DEBUG] Trying to hash C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part
> [DEBUG] C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part has hash 7e3f1d71073b8e63db9aed60da80545ac06ee4c5177d6ecab528ebd16efc1bb1e4280b6ed5211dcba1069392d4023fa3356b1cc9aff57b9537f7fc4d6b3fa989
> error: Failed to download from mirror set
> error: File does not have the expected hash:
> url: https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz
> File: C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part
> Expected hash: 0aa74e01c019c1d3893cf16f53b300ba4e74c6aa9febabf57ddb49b28615d76862eeb746c54c2085efd37c7e8cc0829014d9b7ad481a76294bc929b3cca91336
> Actual hash: 7e3f1d71073b8e63db9aed60da80545ac06ee4c5177d6ecab528ebd16efc1bb1e4280b6ed5211dcba1069392d4023fa3356b1cc9aff57b9537f7fc4d6b3fa989
>
> ... interesting.

The latest xz library version(s) have been backdoored and hence
disabled on GitHub.
Random page:
https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

Markus
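
Added example (not part of the original messages, and not vcpkg or PROJ code): a Python script that extracts vcpkg's "File does not have the expected hash" blocks from a CI log like the one quoted above, so that pinned-hash failures can be triaged separately from ordinary build errors. The sample log, its URLs and its hash values are constructed.

```python
import re

QUOTE = re.compile(r"^(?:>\s?)+")            # e-mail quoting in front of log lines
HEADER = "error: File does not have the expected hash"
FIELD = re.compile(r"^(url|File|Expected hash|Actual hash):\s*(\S.*)$")
SHA512_HEX = re.compile(r"[0-9a-fA-F]{128}")  # vcpkg pins downloads by SHA-512

def find_hash_mismatches(log_text):
    """Return one dict (url, file, expected, actual) per mismatch block."""
    events, current = [], None
    for raw in log_text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if line.startswith(HEADER):
            current = {}
            events.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).split()[0].lower()] = m.group(2).strip()
            else:
                current = None               # any other line closes the block
    return events

def triage(event):
    """Classify a parsed block; a truncated log must not pass silently."""
    exp, act = event.get("expected"), event.get("actual")
    if not exp or not act:
        return "incomplete"
    if not (SHA512_HEX.fullmatch(exp) and SHA512_HEX.fullmatch(act)):
        return "malformed"
    return "mismatch" if exp.lower() != act.lower() else "match"

# Constructed sample input: placeholder URLs and hash values, not real ones.
EXPECTED, ACTUAL = "a" * 128, "b" * 128
SAMPLE_LOG = "\n".join([
    "> error: Failed to download from mirror set",
    "> error: File does not have the expected hash:",
    "> url: https://example.invalid/pkg/archive/v0.0.0.tar.gz",
    r"> File: C:\vcpkg\downloads\pkg-v0.0.0.tar.gz.1.part",
    f"> Expected hash: {EXPECTED}",
    f"> Actual hash: {ACTUAL}",
    ">",
    "error: File does not have the expected hash:",
    "url: https://example.invalid/other/archive/v0.0.0.tar.gz",
    f"Expected hash: {EXPECTED}",            # log cut off before "Actual hash"
])

if __name__ == "__main__":
    for ev in find_hash_mismatches(SAMPLE_LOG):
        print(triage(ev), ev.get("url"))
```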

