www/caddy: imdario-mergo-v0.3.12.tar.gz checksum mismatch

[mrdomino (Jōshin)]

The checksums in caddy's Portfile do not match for that file, but the file size does match. Probably we should figure out why they changed and/or verify that the file's current contents are still trustworthy enough.

A draft pull request that shows the current checksums is here:

​https://github.com/macports/macports-ports/pull/22264

[mrdomino (Jōshin)]

Incredible, darccio and imdario have the same number of characters.

The difference owes to the base folder being either darccio-mergo-29fb3d3 or imdario-mergo-29fb3d3. distfiles.macports.org has the former latter (hence the workflow run failure for that PR on Github) and codeload.github.com has the latter former. There are no diffs reported by diff -ru between those two directories, so this is benign.

What's the resolution here? Update distfiles to match Github I guess?

[mrdomino (Jōshin)]

I got the diff backwards, the current base directory on Github is darccio-mergo-29fb3d3/, which breaks the build after accounting for the checksum because macports is trying and failing to build imdario-mergo-*.

[mrdomino (Jōshin)]

As mentioned in the PR: it looks like the user may have changed their name. codeload.github.com is redirecting imdario/mergo to darccio/mergo, giving the downloaded file the name darccio-mergo-v0.3.12.tar.gz, and using darccio-mergo for its generated base directory name. AFAICT this breaks anyone trying to import github.com/imdario/mergo if they are using codeload.github.com.

[jmroot (Joshua Root)]

This is a problem commonly seen with the github portgroup when using the legacy tarball type. The solution there is to use the newer archive tarballs. I'm not sure how you would do the equivalent with golang.

[mohd-akram (Mohamed Akram)]

In e023ccec4af86c0e48a9a36fe40ca277e2e749e9/macports-ports (master):

caddy: update to 2.7.6

Fixes: #69132

[mrdomino (Jōshin)]

This does not seem to fix the issue. imdario-mergo-v0.3.13.tar.gz is still downloaded from codeload.github.com/imdario/mergo/legacy.tar.gz on my machine, which still redirects to darccio/mergo, which has a different checksum from the one published in the Portfile.

Changing the dependency to darccio/mergo breaks the build, as demonstrated here:

​https://github.com/macports/macports-ports/pull/22282

[mohd-akram (Mohamed Akram)]

Redirects shouldn’t be a problem I think. I imagine the problem was due to the redirect being implemented after the distfile was cached by MacPorts. Since I bumped the version of that dependency, we get new distfiles anyway. Does it not build on your system? Double check that you’re building 2.7.6.

[mrdomino (Jōshin)]

It does not build on my system and I am building 2.7.6. The redirect results in the base folder in the new distfile being darccio-mergo.

[mohd-akram (Mohamed Akram)]

Could you please post the log file or the relevant bit on the checksum mismatch? It builds on the CI and my machine so this is strange.

[mrdomino (Jōshin)]

Specifically, this is what I see when I build caddy from macports-ports master:

:info:checksum --->  Checksumming imdario-mergo-v0.3.13.tar.gz
:debug:checksum Calculated (rmd160) is 65d54781b1014dafe97e40214ead7f6eedd83b1c
:error:checksum Checksum (rmd160) mismatch for imdario-mergo-v0.3.13.tar.gz
:info:checksum Portfile checksum: imdario-mergo-v0.3.13.tar.gz rmd160 2e6fc2ada1f9d67c92a0d23dd0535e53760d7f16
:info:checksum Distfile checksum: imdario-mergo-v0.3.13.tar.gz rmd160 65d54781b1014dafe97e40214ead7f6eedd83b1c
:debug:checksum Calculated (sha256) is 5660b22f540687b245cf9e222ce59ef8bdae2c7843c2547c4824d0771d22990f
:error:checksum Checksum (sha256) mismatch for imdario-mergo-v0.3.13.tar.gz
:info:checksum Portfile checksum: imdario-mergo-v0.3.13.tar.gz sha256 781fa2e7eb42828228bf9c524c955603f25664bb4ae741a34603067084bd0abc
:info:checksum Distfile checksum: imdario-mergo-v0.3.13.tar.gz sha256 5660b22f540687b245cf9e222ce59ef8bdae2c7843c2547c4824d0771d22990f
:debug:checksum Calculated (size) is 22817
:error:checksum Checksum (size) mismatch for imdario-mergo-v0.3.13.tar.gz
:info:checksum Portfile checksum: imdario-mergo-v0.3.13.tar.gz size 22811
:info:checksum Distfile checksum: imdario-mergo-v0.3.13.tar.gz size 22817

[mrdomino (Jōshin)]

And this is the fetch stage:

:info:fetch --->  imdario-mergo-v0.3.13.tar.gz does not exist in /opt/local/var/macports/distfiles/go
:notice:fetch --->  Attempting to fetch imdario-mergo-v0.3.13.tar.gz from https://codeload.github.com/imdario/mergo/legacy.tar.gz/v0.3.13?dummy=

[mohd-akram (Mohamed Akram)]

It's a bit strange that it immediately tries fetching from GitHub for you. This is what I have:

--->  imdario-mergo-v0.3.13.tar.gz does not exist in /opt/local/var/macports/distfiles/go
--->  Attempting to fetch imdario-mergo-v0.3.13.tar.gz from https://distfiles.macports.org/go
...
--->  Checksumming imdario-mergo-v0.3.13.tar.gz
DEBUG: Calculated (rmd160) is 2e6fc2ada1f9d67c92a0d23dd0535e53760d7f16
DEBUG: Correct (rmd160) checksum for imdario-mergo-v0.3.13.tar.gz
DEBUG: Calculated (sha256) is 781fa2e7eb42828228bf9c524c955603f25664bb4ae741a34603067084bd0abc
DEBUG: Correct (sha256) checksum for imdario-mergo-v0.3.13.tar.gz
DEBUG: Calculated (size) is 22811
DEBUG: Correct (size) checksum for imdario-mergo-v0.3.13.tar.gz

[mrdomino (Jōshin)]

Strange, I wonder why.

I guess maybe that distfile is also already cached from someone else depending on it?

[mohd-akram (Mohamed Akram)]

I feel like there was a setting that disabled fetching from distfiles.macports.org but I can't find it. Yes, it was indeed already cached that's why you had different checksums.

[jmroot (Joshua Root)]

Closer sites (as determined by ping time) are tried first. As I mentioned above, this problem is due to github's legacy tarball interface not producing tarballs that are stable over time. That creates a stealth update situation (see PortfileRecipes#stealth-updates).

[Jōshin <git@…>]

In e5469cde19dfaceed28cc7fc2f4e7e8720103dd7/macports-ports (master):

caddy: use darccio/mergo

Closes: #69132