Bug #69987 mysql-5.7.1_m11.tar.gz does not match the file in src rpms
Submitted: 11 Aug 2013 21:47
Modified: 17 Sep 2013 13:33
Reporter: Simon Mudd (OCA)
Status: Won't fix
Category: MySQL Server: Packaging
Severity: S3 (Non-critical)
Version: 5.7.1_m11
OS: Linux
Assigned to:
CPU Architecture: Any

[11 Aug 2013 21:47] Simon Mudd
While this may be a detail, it's a bit confusing and caught me out while trying to look at making some patches to the 5.7.1 version. I noticed the source tar ball included in the source rpm files is different to the tar ball provided on the website.

How to repeat:
Download mysql-5.7.1-m11.tar.gz from the MySQL downloads page (http://dev.mysql.com/get/Downloads/MySQL-5.7/mysql-5.7.1-m11.tar.gz/from/http://cdn.mysql....). It does have the indicated md5sum of bad2f6832db3a3feec7ccdbc79d436ba.

Download the MySQL-5.7.1_m11-2.rhel5.src.rpm or el6 version of the source rpm from http://dev.mysql.com/get/Downloads/MySQL-5.7/MySQL-5.7.1_m11-2.rhel5.src.rpm/from/http://c... and unpackage the sources with rpm -ivh MySQL-5.7.1_m11-2.rhel5.src.rpm. There is an included file called mysql-5.7.1-m11.tar.gz. However, its md5sum is different:

$ md5sum ~/RPM/SRC/MySQL/mysql-5.7.1*
a0da50f0f4e4db942f180ee203c2265d  /home/sjmudd/RPM/SRC/MySQL/mysql-5.7.1-m11.tar.gz

Doing a diff -uNr on the 2 untarred trees gives:

$ diff -uNr a0da50f0f4e4db942f180ee203c2265d.mysql-5.7.1-m11 bad2f6832db3a3feec7ccdbc79d436ba.mysql-5.7.1-m11 | head -30
diff -uNr a0da50f0f4e4db942f180ee203c2265d.mysql-5.7.1-m11/Docs/INFO_SRC bad2f6832db3a3feec7ccdbc79d436ba.mysql-5.7.1-m11/Docs/INFO_SRC
--- a0da50f0f4e4db942f180ee203c2265d.mysql-5.7.1-m11/Docs/INFO_SRC      2013-06-21 12:48:01.000000000 +0200
+++ bad2f6832db3a3feec7ccdbc79d436ba.mysql-5.7.1-m11/Docs/INFO_SRC      2013-06-27 15:30:31.000000000 +0200
@@ -1,7 +1,7 @@
-revision-id: balasubramanian.kandasamy@oracle.com-20130429181254-qo7eeq46b00juvo3
-date: 2013-04-29 20:12:54 +0200
-build-date: 2013-06-21 12:37:21 +0200
-revno: 5217
+revision-id: balasubramanian.kandasamy@oracle.com-20130621124454-57h108p56tspz2y5
+date: 2013-06-21 14:44:54 +0200
+build-date: 2013-06-27 15:22:21 +0200
+revno: 5218
 branch-nick: mysql-5.7.1-m11-br16708067
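
Review bot: the `@@ -1,7 +1,7 @@` header announces seven lines per side, but only five are shown on each, and the command is cut with `| head -30`, so this excerpt does not establish whether Docs/INFO_SRC is the only file that differs between the two trees; a `diff -qr` over the same two directories would list every differing file. The changed fields include revision-id and revno (5217 to 5218), not only build-date, so the two tarballs were cut from different source revisions rather than being two builds of the same one.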

This indicates that the source tar ball is indeed different, and the build dates at least are 6 days apart.

Suggested fix:
We have seen in bug#69512 that repackaging different sources with the same file name is not helpful as it can lead to confusion, and the same goes here for this development version.

Indeed rpm is unaware of this as the .spec file does not have a way to indicate the expected checksum, so I have created a feature request for RedHat to make rpm be able to provide some sort of checksum for the source files it includes.

You can see that here: https://bugzilla.redhat.com/show_bug.cgi?id=995822.

So please, when packaging your software, ensure that the source tar ball matches the version you include in the source rpms, as otherwise we have to either hope they will be the same or check them each time, and that should not be necessary.

[11 Aug 2013 22:06] Simon Mudd
So please ensure, by updating the rpm release level and rebuilding the binary packages, that the mysql-5.7.1-m11.tar.gz included in the src rpms you have built, and used to build the binary packages, does indeed have the expected md5sum of bad2f6832db3a3feec7ccdbc79d436ba.

[17 Sep 2013 13:33] Erlend Dahl
[4 Sep 2013 2:57] Yngve Svendsen

This was caused by the series of rebuilds done to accommodate the man page
licensing slip-up. We will in the future make sure to bump RPM build numbers,
since it has become abundantly clear that the "silent replace" strategy
causes endless problems. 

However, we will not respin 5.7.1 for this, so closing as "won't fix".
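
Added example, not part of the original report or of MySQL's tooling: a Python sketch of the comparison the reporter did by hand, hashing two same-named source tarballs and each of their members in memory to show which files differ. The file contents and helper names are constructed for illustration; only the archive name and the revno values come from the report.

```python
import hashlib
import io
import tarfile

def build_tarball(files, top="mysql-5.7.1-m11"):
    """Build an in-memory .tar.gz (constructed sample input, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def member_digests(archive):
    """Map each regular file to its SHA-256 without unpacking anything to disk."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        for member in tf:
            if member.isfile():
                # Drop the top-level directory so differently named trees line up.
                rel = member.name.split("/", 1)[-1]
                digests[rel] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return digests

def compare(published, embedded, algo="sha256"):
    """Compare the website tarball with the one carried inside the source rpm."""
    a, b = member_digests(published), member_digests(embedded)
    pub_sum = hashlib.new(algo, published).hexdigest()
    emb_sum = hashlib.new(algo, embedded).hexdigest()
    return {
        "published_digest": pub_sum,
        "embedded_digest": emb_sum,
        "identical": pub_sum == emb_sum,
        "only_in_published": sorted(a.keys() - b.keys()),
        "only_in_embedded": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

# Constructed trees: same archive name, one metadata file differs (revno from the report).
COMMON = {"sql/mysqld.cc": b"/* placeholder source */\n"}
EMBEDDED = dict(COMMON, **{"Docs/INFO_SRC": b"revno: 5217\n"})
PUBLISHED = dict(COMMON, **{"Docs/INFO_SRC": b"revno: 5218\n"})

if __name__ == "__main__":
    result = compare(build_tarball(PUBLISHED), build_tarball(EMBEDDED))
    print("identical:", result["identical"])
    print("changed members:", result["changed"])
```

Pass `algo="md5"` to compare the archive digest against an MD5 value published on a download page.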