Bug #456
closedcoreboot 4.19 tarballs have bad timestamps
100%
Description
As reported on #coreboot channel, coreboot 4.19 tarballs contain invalid timestamps (year 1901) for all contained files.
Reproducility of issue:
wget https://www.coreboot.org/releases/coreboot-4.19.tar.xz
user@heads-tests:/tmp/test$ ls -al coreboot-4.19.tar.xz
-rw-r--r-- 1 user user 56908588 Jan 26 21:46 coreboot-4.19.tar.xz
user@heads-tests:/tmp/test$ tar Jxvf coreboot-4.19.tar.xz
coreboot-4.19/
coreboot-4.19/.checkpatch.conf
tar: coreboot-4.19/.checkpatch.conf: implausibly old time stamp -9223372036854775808
coreboot-4.19/.clang-format
tar: coreboot-4.19/.clang-format: implausibly old time stamp -9223372036854775808
coreboot-4.19/.coreboot-version
tar: coreboot-4.19/.coreboot-version: implausibly old time stamp -9223372036854775808
coreboot-4.19/.crossgcc-version
tar: coreboot-4.19/.crossgcc-version: implausibly old time stamp -9223372036854775808
coreboot-4.19/.editorconfig
tar: coreboot-4.19/.editorconfig: implausibly old time stamp -9223372036854775808
Cause:
@Nico Huber investigated and said "d05ea79e40c4 util/release/build-release: Fix style issues
at least that change to the tstamp variable looks very suspicious"
flx suggested to recreate the archive: "I think 4.19-2 would be better. There are no changes to coreboot or anything. It also doesn't need a new git tag"
Related links
Thank you for the fixes. Could you document the old and new hashes somewhere?
Updated by Martin Roth about 1 year ago
- Subject changed from coreboot 4.19 tarballs are unusable to coreboot 4.19 tarballs have bad timestamps
Updated by Martin Roth about 1 year ago
I'll re-create the archive. I'd fixed the bug with the timestamps, but it must not have been included in the script that generated these tarballs.
For naming, I'd rather not go with -2 unless we create a new tag. I think something like coreboot-4.19.fixed.tar.xz would be more appropriate.
Updated by Martin Roth about 1 year ago
- Status changed from New to Feedback
New 4.19 tarballs have been pushed, but they use the same name. I updated the release notes stating that they had been updated.
I looked at changing the name, but to do that, the actual release number needs to be changed on the website. The names are tightly coupled. Since this is still the 4.19 release, just a repack of the tarballs, the names needed to remain the same. I felt that changing the release name would create more long-term confusion, so at least for now, the binaries are posted with the same name.
I have preserved the old binaries, but moved them out of the download folder.
Let me know if this is a satisfactory resolution. I'll mark this issue fixed after any further discussion or lack of discussion.
Updated by Martin Roth about 1 year ago
Hashes for all of the tarballs, old and new have been added to the bottom of the release notes.
Hashes for tarballs & signatures¶
Old tarballs:
- a1f9ec1252a3cc19f0b4ba1a2b9d66ea9327499cbeecebd85377db7d5c68555d coreboot-4.19.tar.xz
- 6ceaa39429a2094d75e4c8a94615ae60664ddad7b4115570b65b9bb516cbd96d coreboot-4.19.tar.xz.sig
- 881a3477221d1b77e161759344df14eccda115086af3ef54e66485ae0eb2e5d9 coreboot-blobs-4.19.tar.xz
- 16f4f1f7acc6203ce915ffea64edce8512bd9eb9e94e65db22a0cb5282a6e157 coreboot-blobs-4.19.tar.xz.sig
New tarballs:
- 65ccb2f46535b996e0066a1b76f81c8cf1ff3e27df84b3f97d8ad7b3e7cf0a43 coreboot-4.19.tar.xz
- d3c52a209b8ccb49049960318f04f158dd47db52ebe6019d6a3dffe3196d9cbe coreboot-4.19.tar.xz.sig
- 30214caed07b25f11e47bec022ff6234841376e36689eb674de2330a3e980cbc coreboot-blobs-4.19.tar.xz
- 023d511d074703beab98c237c3e964dc7c598af86d5a0e2091195c68980b6c5d coreboot-blobs-4.19.tar.xz.sig
Updated by Thierry Laurion about 1 year ago
Martin Roth wrote in #note-3:
New 4.19 tarballs have been pushed, but they use the same name. I updated the release notes stating that they had been updated.
I looked at changing the name, but to do that, the actual release number needs to be changed on the website. The names are tightly coupled. Since this is still the 4.19 release, just a repack of the tarballs, the names needed to remain the same. I felt that changing the release name would create more long-term confusion, so at least for now, the binaries are posted with the same name.
I have preserved the old binaries, but moved them out of the download folder.
Let me know if this is a satisfactory resolution. I'll mark this issue fixed after any further discussion or lack of discussion.
coreboot 4.19 and coreboot-blobs tarballs are now correct.
This issue can now be closed!
Thanks!
Updated by Felix Singer about 1 year ago
- Status changed from Feedback to Resolved
Thanks for confirming :)