From 647c4fe34d9345b43621dc8daa260128ae0cd0d2 Mon Sep 17 00:00:00 2001
From: William Brown <wbrown@suse.de>
Date: Tue, 21 Jun 2022 10:20:50 +1000
Subject: [PATCH] OBS has a fault where is sends invalid md5s

This causes downloads to come from the api, generally on noarch packages.
However, in countries like australia, due to OBS' high latency, and poor
bandwidth, these faults can cause downloads to take more than an hour, compared
to using a local mirror which can take minutes. There is actually nothing
wrong with the packages it all, OBS just sends the wrong md5.

As a result, ignore the problem and complain about it, because OBS is broken
here, not osc, and this wastes a lot of time.
---
 osc/build.py |  9 ++++++---
 osc/fetch.py | 14 +++++++++-----
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/osc/build.py b/osc/build.py
index 043a9f11..0f9d1a94 100644
--- a/osc/build.py
+++ b/osc/build.py
@@ -137,7 +137,10 @@ class Buildinfo:
         else:
             self.release = None
         if config['api_host_options'][apiurl]['downloadurl']:
-            self.enable_cpio = False
+            # Formerly, this was set to False, but we have to set it to True, because a large
+            # number of repos in OBS are misconfigured and don't actually have repos setup - they
+            # are API only.
+            self.enable_cpio = True
             self.downloadurl = config['api_host_options'][apiurl]['downloadurl'] + "/repositories"
             if config['http_debug']:
                 print("⚠️   setting dl_url to %s" % config['api_host_options'][apiurl]['downloadurl'])
@@ -1354,8 +1357,8 @@ def main(apiurl, opts, argv):
                 print("Error: cannot get hdrmd5 for %s" % i.fullfilename)
                 sys.exit(1)
             if hdrmd5 != i.hdrmd5:
-                print("Error: hdrmd5 mismatch for %s: %s != %s" % (i.fullfilename, hdrmd5, i.hdrmd5))
-                sys.exit(1)
+                print("WARNING: OBS BUG hdrmd5 mismatch for %s: %s != %s" % (i.fullfilename, hdrmd5, i.hdrmd5))
+                # sys.exit(1)
 
     print('Writing build configuration')
 
diff --git a/osc/fetch.py b/osc/fetch.py
index 1770508c..fbc0f8ae 100644
--- a/osc/fetch.py
+++ b/osc/fetch.py
@@ -257,13 +257,17 @@ class Fetcher:
                     else:
                         # if the checksum of the downloaded package doesn't match,
                         # delete it and mark it for downloading from the API
+                        #
+                        # wbrown 2022 - is there a reason to keep these md5's at all? md5 is
+                        # broken from a security POV so these aren't a trusted source for validation
+                        # of the file content. They are often incorrect forcing download via the API
+                        # which for anyone outside the EU is excruciating. And when they are ignored
+                        # builds work and progress anyway? So what do they even do? What are they
+                        # for? They should just be removed.
                         hdrmd5 = packagequery.PackageQuery.queryhdrmd5(i.fullfilename)
                         if not hdrmd5 or hdrmd5 != i.hdrmd5:
-                            print('%s/%s: attempting download from api, since the hdrmd5 did not match - %s != %s'
-                                  % (i.project, i.name, hdrmd5, i.hdrmd5))
-                            os.unlink(i.fullfilename)
-                            self.__add_cpio(i)
-
+                            print('%s/%s: allowing invalid file, probably an OBS bug - hdrmd5 did not match - %s != %s'
+                                % (i.project, i.name, hdrmd5, i.hdrmd5))
                 except KeyboardInterrupt:
                     print('Cancelled by user (ctrl-c)')
                     print('Exiting.')