Merge pull request #1072 from Firstyear/20220506-highlight-md5-faults

OBS has a fault where is sends invalid md5s
2024-12-26 01:46:13 +01:00 · 2022-10-12 09:13:22 +02:00 · 2022-10-12 09:13:22 +02:00 · 5d0f1f6176
commit 5d0f1f6176
parent 10ea7b50f4 647c4fe34d
2 changed files with 15 additions and 8 deletions
--- a/osc/build.py
+++ b/osc/build.py
@ -138,7 +138,10 @@ class Buildinfo:
        else:
            self.release = None
        if config['api_host_options'][apiurl]['downloadurl']:
-            self.enable_cpio = False
+            # Formerly, this was set to False, but we have to set it to True, because a large
+            # number of repos in OBS are misconfigured and don't actually have repos setup - they
+            # are API only.
+            self.enable_cpio = True
            self.downloadurl = config['api_host_options'][apiurl]['downloadurl'] + "/repositories"
            if config['http_debug']:
                print("⚠️   setting dl_url to %s" % config['api_host_options'][apiurl]['downloadurl'])
@ -1356,8 +1359,8 @@ def main(apiurl, opts, argv):
                print("Error: cannot get hdrmd5 for %s" % i.fullfilename)
                sys.exit(1)
            if hdrmd5 != i.hdrmd5:
-                print("Error: hdrmd5 mismatch for %s: %s != %s" % (i.fullfilename, hdrmd5, i.hdrmd5))
-                sys.exit(1)
+                print("WARNING: OBS BUG hdrmd5 mismatch for %s: %s != %s" % (i.fullfilename, hdrmd5, i.hdrmd5))
+                # sys.exit(1)

    print('Writing build configuration')

--- a/osc/fetch.py
+++ b/osc/fetch.py
@ -257,13 +257,17 @@ class Fetcher:
                    else:
                        # if the checksum of the downloaded package doesn't match,
                        # delete it and mark it for downloading from the API
+                        #
+                        # wbrown 2022 - is there a reason to keep these md5's at all? md5 is
+                        # broken from a security POV so these aren't a trusted source for validation
+                        # of the file content. They are often incorrect forcing download via the API
+                        # which for anyone outside the EU is excruciating. And when they are ignored
+                        # builds work and progress anyway? So what do they even do? What are they
+                        # for? They should just be removed.
                        hdrmd5 = packagequery.PackageQuery.queryhdrmd5(i.fullfilename)
                        if not hdrmd5 or hdrmd5 != i.hdrmd5:
-                            print('%s/%s: attempting download from api, since the hdrmd5 did not match - %s != %s'
+                            print('%s/%s: allowing invalid file, probably an OBS bug - hdrmd5 did not match - %s != %s'
                                % (i.project, i.name, hdrmd5, i.hdrmd5))
-                            os.unlink(i.fullfilename)
-                            self.__add_cpio(i)
-
                except KeyboardInterrupt:
                    print('Cancelled by user (ctrl-c)')
                    print('Exiting.')