juicefs: update checksum #231393

Merged: BrewTestBot merged 2 commits into main from juicefs-update-checksum, Jul 28, 2025
@stefanb (Member) commented Jul 27, 2025

  • Have you followed the guidelines for contributing?
  • Have you ensured that your commits follow the commit style guide?
  • Have you checked that there aren't other open pull requests for the same formula update/change?
  • Have you built your formula locally with HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
  • Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
  • Does your build pass brew audit --strict <formula> (after doing HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

Found in

Upstream issue:

@stefanb added the upstream issue label (An upstream issue report is needed) and the checksum mismatch label (SHA-256 doesn't match the download) Jul 27, 2025
@github-actions bot added the go label (Go use is a significant feature of the PR or issue) Jul 27, 2025
@yuhr123 (Contributor) commented Jul 28, 2025

Hello, I am from the JuiceFS team and responsible for maintaining third-party software repositories. May I ask why you want to modify the checksum of this package? If you need any collaboration, feel free to contact me.

@stefanb (Member, Author) commented Jul 28, 2025

@yuhr123, thanks for asking.

In

The hash apparently changed since

Now we're trying to fix the inconsistency, but would like to know the reason for hash change. Was the tag moved (bad git practice) or was the repository compromised or something else happened?

In

@daeho-ro suggests the git tag was possibly moved due to multiple workflow runs for some reason (e.g. workflow failure). In such cases it would be better to tag a patch release (e.g. 1.3.1, 1.3.2...) and run the workflow on those instead of moving the release tag.

Can you please investigate and confirm what happened?

@yuhr123 (Contributor) commented Jul 28, 2025

Can I understand it this way: a version change in a maintained go formula has affected a series of projects that depend on go (juicefs is one of them). Due to different go versions, compiling the same source code will produce different checksum values. Therefore, the current problem has occurred?

@bevanjkay (Member)

The issue is that the checksum for the release tarball https://github.com/juicedata/juicefs/archive/refs/tags/v1.3.0.tar.gz has changed since it was released. This suggests that something changed with the tag, so we need to work out the reason to make sure the release hasn't been compromised.

@yuhr123 (Contributor) commented Jul 28, 2025

Hi @bevanjkay, thank you for clarifying the cause further. I have also informed our engineering team and we will work with you to investigate possible causes.

@zhijian-pro

Hello, I'm an engineer from juicefs. We haven't moved the tag v1.3.0.
I have a question about how this checksum value is calculated. Does your program first obtain the tag, then download the code archive, and finally calculate the sha256 to get this result?

@bevanjkay (Member) commented Jul 28, 2025

Yes, the checksum is calculated by downloading the release tarball (https://github.com/juicedata/juicefs/archive/refs/tags/v1.3.0.tar.gz).

For context, in order for the existing checksum (currently incorrect value) to be merged, the checksum was first calculated during the 'version bump', and then reproduced across 8 CI runs on different architectures.
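
A way to triage the kind of mismatch discussed in this thread, as an added example (not part of the PR and not Homebrew's or JuiceFS's code): given a previously downloaded copy of a source tarball and a fresh download, it separates "same files, archive bytes regenerated" from "file contents changed". It assumes an old copy is still available (for example in a download cache); the function names and the sample archives are constructed for illustration.

```python
import gzip, hashlib, io, tarfile

def archive_sha256(blob: bytes) -> str:
    """SHA-256 over the raw .tar.gz bytes: the value a formula pins."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob: bytes) -> dict:
    """Per-file SHA-256 of regular files, top-level directory stripped.
    File modes, symlinks and timestamps are deliberately not compared."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                path = member.name.split("/", 1)[-1]
                data = tar.extractfile(member).read()  # read in memory, nothing is unpacked to disk
                manifest[path] = hashlib.sha256(data).hexdigest()
    return manifest

def triage(old: bytes, new: bytes) -> str:
    """Classify a checksum mismatch between a cached and a fresh download."""
    if archive_sha256(old) == archive_sha256(new):
        return "identical"
    a, b = content_manifest(old), content_manifest(new)
    if a == b:
        return "repacked"  # same file contents, different archive bytes
    changed = sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))
    return "content-changed: " + ", ".join(changed)

def build_sample(files: dict, mtime: int, top: str = "proj-1.0") -> bytes:
    """Constructed sample archive, standing in for a downloaded tarball."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

# Constructed inputs: same tree packed twice, and one with an edited file.
SOURCE = {"main.go": b"package main\n", "go.mod": b"module example\n"}
OLD = build_sample(SOURCE, mtime=1_700_000_000)
REPACKED = build_sample(SOURCE, mtime=1_700_500_000)
MODIFIED = build_sample({**SOURCE, "main.go": b"package main // edited\n"}, mtime=1_700_000_000)

if __name__ == "__main__":
    for label, blob in (("repacked", REPACKED), ("modified", MODIFIED)):
        print(label, archive_sha256(blob)[:16], triage(OLD, blob))
```

A `repacked` result narrows the question to how the archive was regenerated; a `content-changed` result lists the paths to compare against the upstream repository history.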

@jiefenghuang

Hello, I am an engineer from JuiceFS. The 1.3.0 version was packaged three weeks ago, specifically in this CI run: https://github.com/juicedata/juicefs/actions/runs/16106096397. The tag has not been modified. The only change made was marking release 1.3.0 "Set as the latest release" after v1.2.4 was published.

@daeho-ro (Member)

We are using the source tarball and it was created a month ago. And

image

And this is why I am suspecting the branch release-1.3.

image

@jiefenghuang

Yes, the last commit is 30190ca, made on July 3. After completing verification, the release was published on July 7.

@daeho-ro (Member)

I don't understand what happened here, maybe the release CI can replace the source tarball or not. 🤔

Anyway, I think this is enough to confirm that the current tarball is fine.

Thank you, @yuhr123 , @jiefenghuang .

@daeho-ro added the CI-checksum-change-confirmed label (A checksum change was confirmed by upstream) and removed the upstream issue label (An upstream issue report is needed) Jul 28, 2025

@github-actions (Contributor)

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.

@github-actions bot added the CI-published-bottle-commits label (The commits for the built bottles have been pushed to the PR branch.) Jul 28, 2025
@BrewTestBot enabled auto-merge July 28, 2025 14:09
@BrewTestBot added this pull request to the merge queue Jul 28, 2025
Merged via the queue into main with commit 85c5c7f Jul 28, 2025
22 checks passed
@BrewTestBot deleted the juicefs-update-checksum branch July 28, 2025 14:19