Did the archive on git.tt-rss.org get updated somehow?!

Hey there,

I’m from the Yunohost team, where we provide a package to install TTRSS easily.

A user reported today that the checksum we’re using to check the source integrity changed.

The corresponding file is: https://git.tt-rss.org/fox/tt-rss/archive/9d3c79498368fa99cfde684c759a1c40825aaaa9.tar.gz

About 7 months ago, the sha256sum for this file was

a5f2aae2b566a0d06a7dd6d7d9d39695c09c77e3b4fc76ca2a49c041499b30d5

We’re pretty sure that it didn’t change since at least early April, because we have automatic tests that validate the whole install process.

Yet today it sounds like it’s now:

cb5a39a61f6319734606f06fafbb0eb60aa488cdc911ec84ee6738da533124cb

I’m quite puzzled, as the archive is supposed to be the archive for a specific commit, and one can’t just simply create a new commit with the same id yet different content… Did this archive get tweaked manually, or did it somehow get corrupted by an attacker or something?

git.tt-rss.org was switched from gogs to gitea, so it’s possible the way the archive is generated is different between the two.

Anyway, I don’t think it’s guaranteed the archives will be bit-for-bit identical forever, unless the host caches the archives the first time they’re generated. GitHub does cache them, but AFAIK no other host does. See for example this comment (not gitea, but the same applies to it).

May I suggest using shallow git clones instead of tarballs? As a bonus, the full commit ID is content-addressable so you don’t need to verify the hash yourself.
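On the point raised in the first post (one can’t make a commit with the same id but different content) and the suggestion just above (a full commit id is content-addressable, so no separate hash check is needed): the script below, added here as an illustration and not code from this thread or from tt-rss, recomputes git’s blob, tree and commit ids from scratch and shows that altering a single file changes the commit id. The file names, contents and author ident are constructed sample values; the three reference ids in the test are git’s well-known empty-blob, empty-tree and `hello world` blob ids.

```python
"""Why a git commit id pins content: recompute git object ids by hand."""
from __future__ import annotations

import hashlib


def git_object_id(kind: str, payload: bytes) -> str:
    """Object id as git computes it: SHA-1 over '<kind> <size>\\0' + payload."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    """Id of a file's content (what `git hash-object` prints)."""
    return git_object_id("blob", content)


def tree_id(files: dict[str, bytes]) -> str:
    """Id of a flat tree of regular files (mode 100644), name -> content.

    Git stores each entry as '<mode> <name>\\0' followed by the 20 raw bytes
    of the entry's id, entries sorted by name. A flat tree is enough to show
    the chaining; nested directories would just add mode-40000 tree entries.
    """
    body = b""
    for name in sorted(files):
        body += f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(tree: str, parents: list[str], author: str, committer: str, message: str) -> str:
    """Id of a commit object; author/committer carry ident and timestamp."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


# Constructed sample repository state; none of these values come from tt-rss.
SAMPLE_FILES = {"README.md": b"# demo\n", "install.sh": b"echo installing\n"}
SAMPLE_IDENT = "Example Packager <packager@example.invalid> 1700000000 +0000"


def snapshot_commit(files: dict[str, bytes]) -> str:
    """Root commit over the given files, with a fixed ident so the id is reproducible."""
    return commit_id(tree_id(files), [], SAMPLE_IDENT, SAMPLE_IDENT, "Pin sources")


def tamper_changes_commit_id() -> tuple[str, str]:
    """Return (original commit id, commit id after editing one file)."""
    original = snapshot_commit(SAMPLE_FILES)
    edited = dict(SAMPLE_FILES)
    edited["install.sh"] = b"echo installing (modified)\n"
    return original, snapshot_commit(edited)


def pinned_commit_ok(fetched_head: str, expected: str) -> bool:
    """The check a packager does after fetching a pinned commit: the id git
    reports for HEAD must equal the full 40-hex pinned id (short prefixes can
    be ambiguous, so they are rejected)."""
    return len(expected) == 40 and fetched_head.lower() == expected.lower()


if __name__ == "__main__":
    before, after = tamper_changes_commit_id()
    print("original commit:      ", before)
    print("after editing one file:", after)
    print("same id?", before == after)
```

In practice the packager’s side of this is `git fetch --depth 1 origin <sha>` followed by `git checkout FETCH_HEAD`, then comparing `git rev-parse HEAD` with the pinned id via a check like `pinned_commit_ok`. The commit id covers every file through the tree chain, whereas a `.tar.gz` also embeds tar and gzip metadata (timestamps, ordering, compression settings) that depends on the archiver, which is why the tarball checksum can change while the commit itself did not.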

I need to block this archive thing at the nginx level, I guess.