@octo-sts octo-sts bot commented Jul 2, 2025

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr tk labels Jul 2, 2025

octo-sts bot commented Jul 2, 2025

🔍 Build Failed: Checksum Verification Failed

fetch: Expected sha256 does not match found: 76fb852b2f167592fe8b41aa6549ce4e486dbf3b259a269646600e3894517c76

Build Details

Category | Details
Build System | melange
Failure Point | Checksum verification of downloaded tk9.0.2-src.tar.gz file

Root Cause Analysis 🔍

The downloaded source tarball tk9.0.2-src.tar.gz has a different SHA256 checksum (76fb852b2f167592fe8b41aa6549ce4e486dbf3b259a269646600e3894517c76) than what was expected in the package definition (293e93dd43678ff9d17264e1211422f91787e9620d97d28cd96ff303ec7acf6a). This could indicate that the source file has been updated at the upstream location without updating the package definition, or that the wrong checksum was specified in the package definition.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: tk.yaml

  • modify at line 41 (pipeline.fetch.expected-sha256)
    Original:
      expected-sha256: 293e93dd43678ff9d17264e1211422f91787e9620d97d28cd96ff303ec7acf6a
    Replacement:
      expected-sha256: 76fb852b2f167592fe8b41aa6549ce4e486dbf3b259a269646600e3894517c76
    Content:
      Update the expected SHA256 checksum to match the actual file's checksum

Analysis

The pattern in the similar fixed build failures is consistent: both examples involve checksum mismatches due to updated upstream source packages. In both cases, the fix was to update the package version and the expected SHA256 checksum to match the current file available from the source. This is a common issue when upstream packages are updated but the package definition in the build system hasn't been updated to reflect these changes. The fix in both examples involved:

  1. Updating the package version to the latest available
  2. Updating the expected SHA256 checksum to match the actual file's checksum

In the current failure, we're seeing the same pattern - the tk source tarball has likely been updated at the upstream location, resulting in a different checksum than what's specified in the package definition.


Explanation

The error clearly indicates that the downloaded tk9.0.2-src.tar.gz file has a different SHA256 checksum (76fb852b2f167592fe8b41aa6549ce4e486dbf3b259a269646600e3894517c76) than what was expected in the package definition (293e93dd43678ff9d17264e1211422f91787e9620d97d28cd96ff303ec7acf6a).

This is likely because the upstream source has been updated or repackaged without changing the version number. This happens occasionally with source distributions, where minor changes are made to the package (perhaps fixing small issues or updating documentation) without incrementing the version number.

The simplest and most direct fix is to update the expected SHA256 checksum in the package definition to match the actual checksum of the file currently available from the source. This approach is consistent with the fixes applied in the similar build failures, where the expected SHA256 was updated to match the actual checksum of the downloaded file.

Since the version number is still 9.0.2 and we're not seeing indications that a newer version is available, we should maintain the current version but update the checksum to match what's being served from the sourceforge repository. This allows the build to proceed with the current version of the package.


Alternative Approaches

  • Verify if a newer version of tk is available and update both the version and checksum. This would be appropriate if 9.0.2 is no longer the latest version.
  • If possible, contact the upstream maintainers to understand why the package was updated without a version change, and consider pinning to a specific commit or archive snapshot for better reproducibility.
  • Add a checksum verification bypass for this specific package, though this would be a less secure approach and should be avoided unless absolutely necessary.
  • Try an alternative download source for the tk package if available, which might still have the original file with the expected checksum.

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
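A reviewer's check for the situation the comment above describes, where a tarball's checksum changes while its version stays the same: compare the previously pinned archive with the newly served one member by member before accepting the new `expected-sha256`. This is an added example, not part of the PR or of the bot's output; the function names are hypothetical and the archives and their member names are constructed in memory.

```python
import hashlib
import io
import tarfile

def member_digests(tar_bytes):
    """Map each member of a .tar.gz to (type, mode, link target, content SHA-256)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for m in tf:
            body = tf.extractfile(m).read() if m.isfile() else b""
            out[m.name] = (m.type, m.mode, m.linkname, hashlib.sha256(body).hexdigest())
    return out

def compare_tarballs(old, new):
    """Report what differs between two archives beyond the outer checksum."""
    a, b = member_digests(old), member_digests(new)
    added = sorted(b.keys() - a.keys())
    removed = sorted(a.keys() - b.keys())
    modified = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return {
        "archive_changed": hashlib.sha256(old).digest() != hashlib.sha256(new).digest(),
        "added": added,
        "removed": removed,
        "modified": modified,
        # True means only packaging metadata (timestamps, compression) differs.
        "content_identical": not (added or removed or modified),
    }

def make_tarball(files, mtime):
    """Build a constructed .tar.gz in memory for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample archives (not the real tk sources).
BASE = {"tk9.0.2/README.md": b"Tk 9.0.2\n", "tk9.0.2/configure": b"#!/bin/sh\necho ok\n"}
OLD = make_tarball(BASE, mtime=1_700_000_000)
REPACKED = make_tarball(BASE, mtime=1_750_000_000)  # same files, new timestamps
ALTERED = make_tarball({**BASE, "tk9.0.2/configure": b"#!/bin/sh\necho changed\n",
                        "tk9.0.2/extra.txt": b"new file\n"}, mtime=1_750_000_000)

if __name__ == "__main__":
    print(compare_tarballs(OLD, REPACKED))
    print(compare_tarballs(OLD, ALTERED))
```

A repack that only touches timestamps reports `content_identical: True`; any entry under `added`, `removed` or `modified` is what the reviewer should read before the checksum is bumped.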

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jul 2, 2025
@debasishbsws debasishbsws self-assigned this Jul 4, 2025
@octo-sts octo-sts bot added bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed labels Jul 4, 2025
@debasishbsws debasishbsws requested a review from a team July 8, 2025 04:26

@aborrero aborrero left a comment

LGTM.

wolfi-bot and others added 2 commits July 8, 2025 09:52
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>
@aborrero aborrero force-pushed the wolfictl-657bc564-60a3-4011-bb41-5a8036811dbc branch from 0d1a9f4 to fe09cc8 Compare July 8, 2025 07:52
@aborrero aborrero enabled auto-merge (squash) July 8, 2025 07:52
@aborrero aborrero merged commit 6b0b38f into main Jul 8, 2025
19 checks passed
@aborrero aborrero deleted the wolfictl-657bc564-60a3-4011-bb41-5a8036811dbc branch July 8, 2025 07:59