Ivan Kabaivanov
2017-01-15 22:22:17 UTC
Hi,
first time poster here.
I've been compiling boost from source for about 8 years now. Â I download the packages from sourceforge.net (https://sourceforge.net/projects/boost/files/boost/1.63.0/).
Lately (last few releases) I notice a troubling trend -- the same package, say boost_1_63_0.tar.bz2 will have a different md5 hash if downloaded again a few weeks after being downloaded for the first time.
Case in point:
boost_1_63_0.tar.bz2, downloaded around Fri Dec 30 17:11:50 2016 +0200 (GMT+2) had md5 hash d17537e28aa2131fa192ce2870ce72a3.Â
The very same file, dowloaded today (January 15, 2017) has a new md5 hash:Â 1c837ecd990bb022d07e7aab32b09847.
What's more troubling is that a cursory comparison of the two files' contents reveals differences.
To begin with, the old package had 53599 files, while the new one has 53655.
Further, files that are present in both packages have small differences.
$ diff -Naur ../../OLD/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html ../../NEW/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html--- ../../OLD/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html 2016-12-29 17:12:21.000000000 +0200+++ ../../NEW/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html 2016-12-22 14:47:46.000000000 +0200@@ -7,7 +7,7 @@Â <link rel="home" href="../../../index.html" title="Chapter 1. Boost.Numeric.Odeint">Â <link rel="up" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html" title="Header <boost/numeric/odeint/stepper/stepper_categories.hpp>">Â <link rel="prev" href="dense_output_stepper_tag.html" title="Struct dense_output_stepper_tag">-<link rel="next" href="base_tag_stepp_idp64335824.html" title="Struct base_tag<stepper_tag>">+<link rel="next" href="base_tag_stepp_idp34699008.html" title="Struct base_tag<stepper_tag>">Â </head>Â <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">Â <table cellpadding="2" width="100%"><tr>@@ -20,7 +20,7 @@Â </tr></table>Â <hr>Â <div class="spirit-nav">-<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp64335824.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>+<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp34699008.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>Â </div>Â <div class="refentry">Â <a name="boost.numeric.odeint.base_tag"></a><div class="titlepage"></div>@@ -45,7 +45,7 @@Â </tr></table>Â <hr>Â <div class="spirit-nav">-<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp64335824.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>+<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp34699008.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>Â </div>Â </body>Â </html>
I know, these are trivial differences. Â But they are differences nevertheless and this is not acceptable for package maintainers.
I've heard stories of how SourceForge is (or used to be ?) modifying packages to include crapware and sponsored content. Â So my first reaction was to suspect SF.net of pulling some stupid/shady stuff.
But I'm beginning to wonder it it was SF.net really.
Please, investigate what's happening and please fix it. As a package maintainer I can no longer vouchsafe for the integrity of the upstream package.
Thanks,IvanK.
first time poster here.
I've been compiling boost from source for about 8 years now. Â I download the packages from sourceforge.net (https://sourceforge.net/projects/boost/files/boost/1.63.0/).
Lately (last few releases) I notice a troubling trend -- the same package, say boost_1_63_0.tar.bz2 will have a different md5 hash if downloaded again a few weeks after being downloaded for the first time.
Case in point:
boost_1_63_0.tar.bz2, downloaded around Fri Dec 30 17:11:50 2016 +0200 (GMT+2) had md5 hash d17537e28aa2131fa192ce2870ce72a3.Â
The very same file, dowloaded today (January 15, 2017) has a new md5 hash:Â 1c837ecd990bb022d07e7aab32b09847.
What's more troubling is that a cursory comparison of the two files' contents reveals differences.
To begin with, the old package had 53599 files, while the new one has 53655.
Further, files that are present in both packages have small differences.
$ diff -Naur ../../OLD/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html ../../NEW/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html--- ../../OLD/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html 2016-12-29 17:12:21.000000000 +0200+++ ../../NEW/boost_1_63_0/./libs/numeric/odeint/doc/html/boost/numeric/odeint/base_tag.html 2016-12-22 14:47:46.000000000 +0200@@ -7,7 +7,7 @@Â <link rel="home" href="../../../index.html" title="Chapter 1. Boost.Numeric.Odeint">Â <link rel="up" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html" title="Header <boost/numeric/odeint/stepper/stepper_categories.hpp>">Â <link rel="prev" href="dense_output_stepper_tag.html" title="Struct dense_output_stepper_tag">-<link rel="next" href="base_tag_stepp_idp64335824.html" title="Struct base_tag<stepper_tag>">+<link rel="next" href="base_tag_stepp_idp34699008.html" title="Struct base_tag<stepper_tag>">Â </head>Â <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">Â <table cellpadding="2" width="100%"><tr>@@ -20,7 +20,7 @@Â </tr></table>Â <hr>Â <div class="spirit-nav">-<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp64335824.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>+<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp34699008.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>Â </div>Â <div class="refentry">Â <a name="boost.numeric.odeint.base_tag"></a><div class="titlepage"></div>@@ -45,7 +45,7 @@Â </tr></table>Â <hr>Â <div class="spirit-nav">-<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp64335824.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>+<a accesskey="p" href="dense_output_stepper_tag.html"><img src="../../../../../../../../doc/src/images/prev.png" alt="Prev"></a><a accesskey="u" href="../../../header/boost/numeric/odeint/stepper/stepper_categories_hpp.html"><img src="../../../../../../../../doc/src/images/up.png" alt="Up"></a><a accesskey="h" href="../../../index.html"><img src="../../../../../../../../doc/src/images/home.png" alt="Home"></a><a accesskey="n" href="base_tag_stepp_idp34699008.html"><img src="../../../../../../../../doc/src/images/next.png" alt="Next"></a>Â </div>Â </body>Â </html>
I know, these are trivial differences. Â But they are differences nevertheless and this is not acceptable for package maintainers.
I've heard stories of how SourceForge is (or used to be ?) modifying packages to include crapware and sponsored content. Â So my first reaction was to suspect SF.net of pulling some stupid/shady stuff.
But I'm beginning to wonder it it was SF.net really.
Please, investigate what's happening and please fix it. As a package maintainer I can no longer vouchsafe for the integrity of the upstream package.
Thanks,IvanK.