Discussion:
1.63.0: different package with the same version
Ivan Kabaivanov
2017-01-15 22:22:17 UTC
Hi,
first time poster here.
I've been compiling boost from source for about 8 years now.  I download the packages from sourceforge.net (https://sourceforge.net/projects/boost/files/boost/1.63.0/).
Lately (last few releases) I notice a troubling trend -- the same package, say boost_1_63_0.tar.bz2 will have a different md5 hash if downloaded again a few weeks after being downloaded for the first time.
Case in point:

boost_1_63_0.tar.bz2, downloaded around Fri Dec 30 17:11:50 2016 +0200 (GMT+2) had md5 hash d17537e28aa2131fa192ce2870ce72a3. 
The very same file, downloaded today (January 15, 2017) has a new md5 hash: 1c837ecd990bb022d07e7aab32b09847.
What's more troubling is that a cursory comparison of the two files' contents reveals differences.
To begin with, the old package had 53599 files, while the new one has 53655.
Further, files that are present in both packages have small differences.
$ diff -Naur ../../OLD/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html ../../NEW/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html--- ../../OLD/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html 2016-12-29 17:12:21.000000000 +0200+++ ../../NEW/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html 2016-12-22 14:47:46.000000000 +0200@@ -7,7 +7,7 @@ <link rel="home" href="../../../index.html" title="Chapter&#160;1.&#160;Boost.Numeric.Odeint"> <link rel="up" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html" title="Header &lt;boost/numeric/odeint/stepper/stepper_categories.hpp&gt;"> <link rel="prev" href="dense_output_stepper_tag.html" title="Struct dense_output_stepper_tag">-<link rel="next" href="base_tag_stepp_idp64335824.html" title="Struct base_tag&lt;stepper_tag&gt;">+<link rel="next" href="base_tag_stepp_idp34699008.html" title="Struct base_tag&lt;stepper_tag&gt;"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> <table cellpadding="2" width="100%"><tr>@@ -20,7 +20,7 @@ </tr></table> <hr> <div class="spirit-nav">-<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp64335824.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>+<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img 
src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp34699008.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a> </div> <div class="refentry"> <a name="boost.numeric.odeint.base_tag"></a><div class="titlepage"></div>@@ -45,7 +45,7 @@ </tr></table> <hr> <div class="spirit-nav">-<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp64335824.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>+<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp34699008.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a> </div> </body> </html>
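Review bot: In all three hunks the only token that differs is the generated target name in the rel="next" link and the accesskey="n" anchor (base_tag_stepp_idp64335824.html versus base_tag_stepp_idp34699008.html), so what is shown is regenerated documentation ids, not a change to the documented content. The file headers also give the OLD copy a modification time of 2016-12-29 17:12:21 and the NEW copy 2016-12-22 14:47:46, so the copy labelled NEW was generated earlier than the one labelled OLD. To find out whether anything besides generated documentation differs, rerun the comparison with the idp suffixes normalised or with the doc/html trees excluded, and list the files that exist in only one of the two trees.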
I know, these are trivial differences.  But they are differences nevertheless and this is not acceptable for package maintainers.
I've heard stories of how SourceForge is (or used to be ?) modifying packages to include crapware and sponsored content.  So my first reaction was to suspect SF.net of pulling some stupid/shady stuff.
But I'm beginning to wonder if it was SF.net really.
Please, investigate what's happening and please fix it. As a package maintainer I can no longer vouchsafe for the integrity of the upstream package.
Thanks,
IvanK.
Daniel James
2017-01-15 23:32:59 UTC
Post by Ivan Kabaivanov
Hi,
first time poster here.
I've been compiling boost from source for about 8 years now. I download the
packages from sourceforge.net
(https://sourceforge.net/projects/boost/files/boost/1.63.0/).
Lately (last few releases) I notice a troubling trend -- the same package,
say boost_1_63_0.tar.bz2 will have a different md5 hash if downloaded again
a few weeks after being downloaded for the first time.
boost_1_63_0.tar.bz2, downloaded around Fri Dec 30 17:11:50 2016 +0200
(GMT+2) had md5 hash d17537e28aa2131fa192ce2870ce72a3.
1c837ecd990bb022d07e7aab32b09847.
Checking the copy of that file on the web server:

$ ls -l boost_1_63_0.tar.bz2
-rw-r--r--. 1 dnljms guests 81984414 Dec 26 18:35 boost_1_63_0.tar.bz2
$ md5sum boost_1_63_0.tar.bz2
1c837ecd990bb022d07e7aab32b09847 boost_1_63_0.tar.bz2

So your new download has the same md5 hash as a download from the time
of release.

I wonder if this is related to the email linked below? The dates match.

http://lists.boost.org/Archives/boost/2016/12/232220.php

Another possibility is that your old download is a snapshot. They have
the same file names as releases, which is a bit confusing:

https://sourceforge.net/projects/boost/files/boost/snapshots/master/

The diff you posted suggests it was a different documentation build
(the changes are ids which are different for every build), rather than
sourceforge modifying the file.
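
Added example (not part of the original thread and not Boost project code): a way to triage two same-named release archives whose hashes differ, separating files that differ only in generated `idp` ids from files whose content really changed. The `idp` pattern comes from the diff above; the archive contents and `pkg/` paths are constructed sample data.

```python
import hashlib
import io
import re
import tarfile

# Generated anchor ids such as "idp64335824" differ between documentation builds.
GENERATED_ID = re.compile(rb"idp\d+")

def member_digests(archive_bytes):
    """Map each regular file to (raw SHA-256, SHA-256 with generated ids masked)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()  # read in memory, nothing is unpacked
                masked = GENERATED_ID.sub(b"idpX", data)
                digests[member.name] = (hashlib.sha256(data).hexdigest(),
                                        hashlib.sha256(masked).hexdigest())
    return digests

def compare_archives(old_bytes, new_bytes):
    """Separate build-id churn from real content changes between two archives."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    common = old.keys() & new.keys()
    return {
        "only_in_old": sorted(old.keys() - new.keys()),
        "only_in_new": sorted(new.keys() - old.keys()),
        "id_churn_only": sorted(n for n in common
                                if old[n][0] != new[n][0] and old[n][1] == new[n][1]),
        "content_changed": sorted(n for n in common if old[n][1] != new[n][1]),
    }

def build_sample(files):
    """Build a small tar.bz2 in memory from constructed sample files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample archives (hypothetical paths, not Boost's real contents).
OLD = build_sample({
    "pkg/doc/base_tag.html": b'<a href="base_tag_stepp_idp64335824.html">Next</a>\n',
    "pkg/src/b.hpp": b"int b();\n"})
NEW = build_sample({
    "pkg/doc/base_tag.html": b'<a href="base_tag_stepp_idp34699008.html">Next</a>\n',
    "pkg/src/b.hpp": b"long b();\n",
    "pkg/doc/extra.html": b"<p>extra</p>\n"})
```

Files whose own names embed a generated id (such as `base_tag_stepp_idp64335824.html`) appear under `only_in_old` and `only_in_new`, so a differing file count alone does not indicate tampering; anything listed under `content_changed` is what needs a manual look.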
