Bug #70847 Checksums differ on mysql-5.6.14.tar.gz files provided by Oracle
Submitted: 7 Nov 2013 1:04 Modified: 2 Oct 2020 20:23
Reporter: Simon Mudd (OCA)
Status: Closed
Category: MySQL Server: Packaging Severity: S3 (Non-critical)
Version: 5.6.14 OS: Linux (RHEL6)
Assigned to: CPU Architecture: Any
Tags: checksum, rpm, versioning

[7 Nov 2013 1:04] Simon Mudd
Description:
No room to put this in the subject but this relates to tarballs in the RHEL6 src rpms provided in the original Download MySQL Community Server page and from the  new MySQL yum repository you recently announced.

I downloaded the 2 files:

$ md5sum MySQL-5.6.14-1.el6.src.rpm
2b3f3bad8ceb13959098522f1be30405  MySQL-5.6.14-1.el6.src.rpm
$ md5sum mysql-community-5.6.14-3.el6.src.rpm
427b696cc67078963377633eaa001f65  mysql-community-5.6.14-3.el6.src.rpm

I then ran rpm -ivh on each file to see the contents of the src.rpm.

$ md5sum MySQL/mysql-5.6.14.tar.gz
52224ce51dbf6ffbcef82be30688cc04 MySQL/mysql-5.6.14.tar.gz
$ md5sum mysql-community/mysql-5.6.14.tar.gz
c9d329b5eabf7127d60a1ea2c8e48377 mysql-community/mysql-5.6.14.tar.gz

The first checksum matches that on the community download page.

$ ls -la MySQL/mysql-5.6.14.tar.gz
-rw-r--r-- 1 sjmudd sjmudd 36005278 Sep 10 09:43 MySQL/mysql-5.6.14.tar.gz
$ ls -la mysql-community/mysql-5.6.14.tar.gz
-rw-r--r-- 1 sjmudd sjmudd 59388513 Oct 16 13:11 mysql-community/mysql-5.6.14.tar.gz
$

I would expect these checksums to be the same and the tarball's contents to also be identical.
However, I am quite surprised by the difference in size in the tar balls. The difference is
quite significant.

How to repeat:
See above.

Suggested fix:
Perhaps I am missing something?

If not, please provide a single tarball with the same name so that we can reproduce builds if that is needed. Providing mysql-a.b.c.tar.gz files with different checksums and hugely different sizes means that we can not easily reproduce building binaries from source.

See bug#69512 and bug#69987 for previous times this has happened.
[7 Nov 2013 6:48] Simon Mudd
As per http://dev.mysql.com/downloads/repo/ I also checked and validated the rpm signatures:

$ ls -la *5.6.14*
-rw-rw-r-- 1 root   root   34355996 Oct  5 12:01 MySQL-5.6.14-1.el6.src.rpm
-rw-r--r-- 1 root   root   81075390 Oct 24 15:58 mysql-community-5.6.14-3.el6.src.rpm
$ rpm --checksig *5.6.14*
MySQL-5.6.14-1.el6.src.rpm: sha1 md5 gpg OK
mysql-community-5.6.14-3.el6.src.rpm: sha1 md5 gpg OK
$
[7 Nov 2013 7:24] Simon Mudd
See also: http://blog.wl0.org/2013/11/mysql-rpms-and-the-new-yum-repository/
[7 Nov 2013 7:37] Simon Mudd
Note: as per my post it seems the reason for the difference in size of the tar balls is due to the fact that the mysql-community src rpm's tar ball also includes the mysql-5.1.70.tar.gz tar ball.

To some extent the source tar ball's version is not that important. If you want or have to produce multiple tar balls of the same "a.b.c" version then why not just suffix this with a date, so produce files like mysql-5.6.14.20131001.tar.gz and mysql-5.6.14.20131214.tar.gz.

MySQL Enterprise Monitor (http://dev.mysql.com/doc/mysql-monitor/3.0/en/) seems to follow that sort of numbering method of 3.0.2.2901 or 3.0.3.3456 and generally we just talk about 3.0.2 or 3.0.3, so no-one would really care about these extra digits in the version and it would remove the ambiguity we see from time to time. rpm also would not care as it already knows how to compare versions with multiple components.
[7 Nov 2013 18:00] Sveta Smirnova
Thank you for the report.

Please send us the link from which you downloaded these packages: I don't see them in the list of available packages of mysql-community repositories:

[sveta@delly bug70847]$ yum --disablerepo="*" --enablerepo="mysql-community" list available
Loaded plugins: downloadonly, refresh-packagekit
Available Packages
mysql-community-client.x86_64                                                           5.6.14-3.el6                                                    mysql-community
mysql-community-common.i686                                                             5.6.14-3.el6                                                    mysql-community
mysql-community-common.x86_64                                                           5.6.14-3.el6                                                    mysql-community
mysql-community-devel.i686                                                              5.6.14-3.el6                                                    mysql-community
mysql-community-devel.x86_64                                                            5.6.14-3.el6                                                    mysql-community
mysql-community-embedded.i686                                                           5.6.14-3.el6                                                    mysql-community
mysql-community-embedded.x86_64                                                         5.6.14-3.el6                                                    mysql-community
mysql-community-embedded-devel.i686                                                     5.6.14-3.el6                                                    mysql-community
mysql-community-embedded-devel.x86_64                                                   5.6.14-3.el6                                                    mysql-community
mysql-community-libs.i686                                                               5.6.14-3.el6                                                    mysql-community
mysql-community-libs.x86_64                                                             5.6.14-3.el6                                                    mysql-community
mysql-community-libs-compat.i686                                                        5.6.14-3.el6                                                    mysql-community
mysql-community-libs-compat.x86_64                                                      5.6.14-3.el6                                                    mysql-community
mysql-community-server.x86_64                                                           5.6.14-3.el6                                                    mysql-community
mysql-community-test.x86_64                                                             5.6.14-3.el6                                                    mysql-community
mysql-connector-odbc.x86_64                                                             5.2.6-1.el6                                                     mysql-community
mysql-workbench-community.x86_64                                                        6.0.8-1.el6                                                     mysql-community
[sveta@delly bug70847]$ yum --disablerepo="*" --enablerepo="mysql-community-src" list available
Loaded plugins: downloadonly, refresh-packagekit
[7 Nov 2013 19:04] Simon Mudd
The "original" src rpms can be found here: http://dev.mysql.com/downloads/mirror.php?id=414445,
see:  http://merlin.wl0.org/201311/07/2241092893.png
[7 Nov 2013 19:18] Simon Mudd
For the new rpms
# rpm -qa | grep community
mysql-community-release-el6-3.noarch

You'll notice from the /etc/yum.repos.d/mysql-community.repo that the src rpms are under:

http://repo.mysql.com/yum/mysql-community/el/6/SRPMS/ however, if you look at that URL you simply get: "File not found." It seems you really don't want to let people find the packages or see what's there. I'm not entirely sure why.

Anyway wget http://repo.mysql.com/yum/mysql-community/el/6/SRPMS/mysql-community-5.6.14-3.el6.src.rpm will get you the file you need, and that's the one that has the checksum I mention.

Note: yum's never been terribly good at allowing you to download src rpms. If you install yum-utils you
get: /usr/bin/yumdownloader and you can do something like this:

$ yumdownloader --source mysql-community
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
...
./mysql-community-5.6.14-3.el6.src.rpm already exists and appears to be complete
$ 

If the file is not there it'll get pulled down.
[7 Nov 2013 20:11] Sveta Smirnova
Thank you for the feedback.

Verified as described.
[22 Dec 2013 10:15] Terje Røsten
> http://repo.mysql.com/yum/mysql-community/el/6/SRPMS/ however, if you look at
> that URL you simply get: "File not found." It seems you really don't want to
> let people find the packages or see what's there. I'm not entirely sure why.

It was due to a technical problem, it has been fixed now: http://repo.mysql.com/
[17 Mar 2020 15:25] Terje Røsten
Posted by developer:
 

Source tarball inside SRPM (source RPM) is now identical to source tarball at upstream location
(dev.mysql.com/cdn.mysql.com)

Verified by:

# Download and install SRPM to ~/rpmbuild/

$ wget -q  http://repo.mysql.com/yum/mysql-8.0-community/el/7/SRPMS/mysql-community-8.0.19-1.el7.src.... 
$ rpm -ivh mysql-community-8.0.19-1.el7.src.rpm 

Updating / installing...
   1:mysql-community-8.0.19-1.el7     ################################# [100%]

# Check urls to sources

$ spectool -l rpmbuild/SPECS/mysql.spec 
Source0: https://cdn.mysql.com/Downloads/MySQL-8.0/mysql-8.0.19.tar.gz
Source10: https://downloads.sourceforge.net/boost/boost_1_70_0.tar.bz2
Source7: https://cdn.mysql.com/Downloads/MySQL-5.6/mysql-5.6.45.tar.gz
Source90: filter-provides.sh
Source91: filter-requires.sh

# Download upstream source:
$ wget -q https://cdn.mysql.com/Downloads/MySQL-8.0/mysql-8.0.19.tar.gz

# Check sha of upstream source and source included in SRPM:

$ sha1sum mysql-8.0.19.tar.gz rpmbuild/SOURCES/mysql-8.0.19.tar.gz 
97fde10d454379e7fe2f16f8e9cd54678130a072  mysql-8.0.19.tar.gz
97fde10d454379e7fe2f16f8e9cd54678130a072  rpmbuild/SOURCES/mysql-8.0.19.tar.gz
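
The verification above compares whole-file digests; when they differ, as with the two mysql-5.6.14.tar.gz files in the original report, a per-member comparison shows what actually changed. This is an added example, not part of the bug report or of Oracle's tooling; the archives are constructed in memory and the member paths, including where the embedded mysql-5.1.70.tar.gz sits, are assumptions.

```python
import hashlib
import io
import tarfile


def member_digests(blob: bytes) -> dict:
    """Map each regular file in a tar archive (any compression) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for info in tar:
            if info.isfile():
                # Read through extractfile only; nothing is written to disk.
                data = tar.extractfile(info).read()
                digests[info.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(a: bytes, b: bytes) -> dict:
    """Whole-file digest check first, then a per-member diff for triage."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return {"identical": True, "only_a": [], "only_b": [], "changed": []}
    da, db = member_digests(a), member_digests(b)
    return {
        "identical": False,
        "only_a": sorted(da.keys() - db.keys()),
        "only_b": sorted(db.keys() - da.keys()),
        "changed": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
    }


def make_tarball(files: dict) -> bytes:
    """Build a constructed .tar.gz in memory (sample input for the demo)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins for the two same-named tarballs; paths are hypothetical.
BASE = {"mysql-5.6.14/README": b"readme\n", "mysql-5.6.14/sql/main.cc": b"int main(){}\n"}
UPSTREAM = make_tarball(BASE)
REPACKED = make_tarball({**BASE, "mysql-5.6.14/mysql-5.1.70.tar.gz": b"embedded archive bytes"})

if __name__ == "__main__":
    print(compare_tarballs(UPSTREAM, REPACKED))
```

A result with `identical` false and all three lists empty means the archives differ only in tar or gzip metadata (timestamps, member order, compression), not in the names or contents of regular files.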
[2 Oct 2020 20:23] Philip Olson
Posted by developer:
 
This was fixed as of the MySQL Router 8.0.19 release, and here's the proposed changelog entry from the documentation team:

The source tarball inside SRPM (Source RPM) is now identical to source
tarball at the upstream locations (dev.mysql.com/cdn.mysql.com);
previously there were differences causing different checksum values.

Thank you for the bug report.