add font-tibetan-machine

[anushkamittal20]

No description provided.

[octo-sts]

🔍 Build Failed: Checksum Verification Failed

fetch: Expected sha256 does not match found: db5b27df7bbb318036ebdb75acd3e98f1bd6eb6608fb70a67d478cd243d178dc

Build Details

Category	Details
Build System	melange
Failure Point	SHA256 verification during source download of ttf-bitstream-vera-1.10.tar.bz2

Root Cause Analysis 🔍

The checksum of the downloaded source archive (ttf-bitstream-vera-1.10.tar.bz2) does not match the expected checksum. The build expects SHA256 '0bbeb9a3287b3c4f40b1b0b693b0a359bcdccf1da08897f5db4d548e694fd320' but the actual file has SHA256 'db5b27df7bbb318036ebdb75acd3e98f1bd6eb6608fb70a67d478cd243d178dc'. This could indicate that either the source file has changed at the remote location or the expected checksum in the package definition is incorrect.

---

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

• imlib2/1.12.5 package update #49264
• openipmi/2.0.37 package update #51942
• quota-tools/4.10 package update #51762

Suggested Changes

File: font-bitstream-vera.yaml

• replace at line pipeline section, fetch uses block (pipeline.fetch.expected-sha256)
  Original:

expected-sha256: 0bbeb9a3287b3c4f40b1b0b693b0a359bcdccf1da08897f5db4d548e694fd320

Replacement:

expected-sha256: db5b27df7bbb318036ebdb75acd3e98f1bd6eb6608fb70a67d478cd243d178dc

Click to expand fix analysis

Analysis

The pattern across all three similar fixed build failures is consistent: when a SHA256 checksum mismatch occurs, it's typically because the upstream source has been updated or changed without updating the corresponding package definition. In all three examples, the fix involved:

1. Updating the SHA256 checksum in the package definition to match the actual checksum of the current file
2. In most cases, also updating the package version to reflect the newer version available upstream

In the current failure, we have a SHA256 mismatch for ttf-bitstream-vera-1.10.tar.bz2. The build expects SHA256 '0bbeb9a3287b3c4f40b1b0b693b0a359bcdccf1da08897f5db4d548e694fd320' but found 'db5b27df7bbb318036ebdb75acd3e98f1bd6eb6608fb70a67d478cd243d178dc'. Since the version number in the filename remains the same (1.10), it's likely that the file at the source URL has been modified without a version change.

Click to expand fix explanation

Explanation

The build failure is specifically a SHA256 checksum mismatch where the expected value (0bbeb9a3287b3c4f40b1b0b693b0a359bcdccf1da08897f5db4d548e694fd320) doesn't match the actual downloaded file's checksum (db5b27df7bbb318036ebdb75acd3e98f1bd6eb6608fb70a67d478cd243d178dc).

This suggests that the source file at the download URL (https://download.gnome.org/sources/ttf-bitstream-vera/1.10/ttf-bitstream-vera-1.10.tar.bz2) has been modified or replaced since the package definition was originally created, but the version number wasn't changed. This is common with mirror sites where files might be repackaged or slightly modified without changing the version number.

By updating the expected SHA256 value in the package definition to match the actual file's checksum, we allow the build process to correctly verify the integrity of the downloaded file and proceed with the build. This approach is consistent with how similar checksum mismatch issues were resolved in the examples provided.

Since the file's name still includes version 1.10, and there's no indication that a new version is available, we're only updating the checksum without changing the version number.

Click to expand alternative approaches

Alternative Approaches

• Verify if a newer version of ttf-bitstream-vera is available from the upstream source, and if so, update both the version and checksum.
• Check if the file is available from an alternative trusted source with the original checksum, which would allow keeping the current expected checksum value.
• Download the file manually, verify its contents for correctness and security, then host it in a controlled repository to ensure consistency.

---

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

[Dentrax]

Upstream font name is TibetanMachineUni.ttf, whereas we put it as TibMachUni-1.901b.ttf, is that correct?

https://packages.debian.org/sid/all/fonts-tibetan-machine/filelist