Bug 12611

Summary:	ntp hash is not matching with upstream 4.2.8p13
Product:	buildroot	Reporter:	Michael J. Hammel <mjhammel>
Component:	Other	Assignee:	unassigned
Status:	RESOLVED FIXED
Severity:	normal	CC:	buildroot
Priority:	P5
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Host:		Target:
Build:

Description Michael J. Hammel 2020-03-05 22:30:29 UTC

I was building 2019.05.1 and found ntp 4.2.8p13 hash didn't match with upstream.  I checked 2020.02rc3 and it has the same hash as 2019.05.1.  Then checking upstream ntp I found this.

   [ ]	ntp-4.2.8p13.tar.gz	2020-03-03 19:54 	6.7M	 
   [ ]	ntp-4.2.8p13.tar.gz.md5	2020-03-03 19:54 	61 	 
   [ ]	ntp-4.2.8p13.tar.gz.sha1	2019-03-07 06:18 	62 	 
   [ ]	ntp-4.2.8p13.tar.gz.sha256	2020-03-03 19:54 	96 	 
   [ ]	ntp-4.2.8p13.tar.gz.sha512	2019-03-07 06:18 	150 	 
   [ ]	ntp-4.2.8p14.tar.gz	2020-03-03 20:45 	6.7M	 
   [ ]	ntp-4.2.8p14.tar.gz.md5	2020-03-03 20:45 	61 	 
   [ ]	ntp-4.2.8p14.tar.gz.sha256	2020-03-03 20:45 	96

It looks like both 4.2.8p13 and 4.2.8p14 were updated the same day, except for the former's sha1.  I can also verify that the 4.2.8p13 tar.gz is larger than my local archive.

Not sure what to do with this.  Might be someone upstream just updated the archives and messed it up.  But I wasn't sure how to report that to the upstream.

Comment 1 Michael J. Hammel 2020-03-05 22:35:46 UTC

I just found the ntp email for possible security issues and emailed them about this as well.

Comment 2 Thomas Petazzoni 2020-05-18 07:06:18 UTC

2020.02.x is now using ntp 4.2.8p14, and its hash looks good:

ntp-4.2.8p14.tar.gz: OK (md5: 783edaf1d68ddf651bde64eda54a579d)
ntp-4.2.8p14.tar.gz: OK (sha256: 1960e4f081f6aafd108d721bc3ab15f9e8dfd08dc08339aa95bca9d2545e4eb7)

So, the issue is fixed with the bump to 4.2.8p14.