Re: pkg-ugprade checksums

From: Sysadmin Lists <sysadmin.lists_at_mailfence.com>
Date: Mon, 05 Jun 2023 20:18:40 UTC
Top-posting a partial answer since I'm the OP. Finally had some time to compile
`pkg' with full debug symbols and run it under gdb.

# pkg info vim-x11 | grep Insta
Installed on   : Mon Apr 17 21:24:26 2023 PDT

# stat -f %Sm tmpdir/pkg_project/All/vim-x11-9.0.1366.pkg 
May 27 02:17:07 2023

Which means the package was installed prior to the newest build.

Checking the local repo database:
# pkg shell
  sqlite> .open /var/db/pkg/repo-Poudriere-quarterly.sqlite
  sqlite> select name,version,cksum from packages where name is 'vim-x11';
     name = vim-x11
  version = 9.0.1366
    cksum = ae560492c77e7629a4c7b8162b256acbd39e4656c55516afcb8729121afc94dd

The cksum matches the sha256 fingerprint of the recently built package.

Which means:
1. My local repo is up-to-date.
2. My local cache isn't.
3. pkg doesn't notice.

pkg_checksum.c:pkg_checksum_generate() describes how the fingerprint is
generated for `pkg query %X' (the "internal package checksum"):

Thread 2.1 hit Breakpoint 2, pkg_checksum_calculate (pkg=0x801519800, db=0x0, inc_scripts=true, inc_version=false, inc_files=true)
    at /wrkdirs/usr/ports/ports-mgmt/pkg/work/pkg-1.19.1/libpkg/pkg_checksum.c:606
(gdb) c
Continuing.
    
Thread 2.1 hit Breakpoint 1, pkg_checksum_generate (pkg=0x801519800, dest=0x8014416f0 "h", destlen=112, type=PKG_HASH_TYPE_BLAKE2_BASE32, inc_scripts=true, inc_version=false,
    inc_files=true) at /wrkdirs/usr/ports/ports-mgmt/pkg/work/pkg-1.19.1/libpkg/pkg_checksum.c:189
(gdb) break pkg_checksum.c:553
Breakpoint 3 at 0x4b1b15: pkg_checksum.c:553. (2 locations) 
(gdb) c     
Continuing.
        
Thread 2.1 hit Breakpoint 3.1, pkg_checksum_encode_base32 (
    in=0x801516900 "\246n&_K5\031\322\025R\242\347\tt\265y`\234\251*\303a\t\\\2558\334`\345e\300&\301o:H\253ɚ\3460\220\351\205T\250", inlen=64,
    out=0x8014416f4 "gi5c1xpjijgr7kekn73uy4is3daa3wkfdqa1yqiiabzbs1zcysjnhzj8e4kucp4hobru6n1kefyhj8gobouo1w96xb3fjzqafc9b8f", outlen=108)
    at /wrkdirs/usr/ports/ports-mgmt/pkg/work/pkg-1.19.1/libpkg/pkg_checksum.c:553

These are the variables used to generate the checksum:

/*  
 * At the moment we use the following fields to calculate the unique checksum
 * of the following fields:
 * - name
 * - origin
 * - version
 * - arch
 * - options
 * - required_shlibs
 * - provided_shlibs
 * - users
 * - groups
 * - dependencies
 */             

For vim-x11, it's "archfreebsd:13:x86:64namevim-x11origineditors/vim"
        
And letting it run to completion, we get:
    
1: pkg->digest = 0x801441450 "2$2$bpgamyc8d17g7qm1orycj4qjq18xe9kbzhqctwuqugejakj7ppqoo7i7kokimc33h5ejb168nb13m7tgr1ggang4krgcsyicskzjs1y"
2: new_digest = 0x8014416f0 "2$2$gi5c1xpjijgr7kekn73uy4is3daa3wkfdqa1yqiiabzbs1zcysjnhzj8e4kucp4hobru6n1kefyhj8gobouo1w96xb3fjzqafc9b8fb"

pkg->digest is the value found inside local.sqlite (named "manifestdigest"),
and new_digest is the one generated during this run.

There's a directive to update the database with the new digest value, but it
doesn't get executed on '%X' queries.

Now, to ask pkg@ what the intention behind that is.


> ----------------------------------------
> From: Sysadmin Lists <sysadmin.lists@mailfence.com>
> Date: May 30, 2023, 2:22:49 AM
> To: <questions@freebsd.org>
> Subject: pkg-ugprade checksums
> 
> 
> How does pkg-upgrade check checksums?
> 
> From man 8 pkg-upgrade:
> 
>      Packages are fetched from the repositories into the local package cache
>      if they are not already present, or if the checksum of the cached package
>      file differs from the one in the repository.
> 
> But, the packagesite.yaml of my Poudriere repo has:
> "name":"vim-x11"
> "version":"9.0.1366"
> "sum":"ae560492c77e7629a4c7b8162b256acbd39e4656c55516afcb8729121afc94dd"
> 
> And the locally cached package has:
> # sha256 -r /var/cache/pkg/vim-x11*
> 3bbe31951bc5fd6b08c412fcb0c6f8b494cdb15eafdd4bbacdf1657fe567af43 /var/cache/pkg/vim-x11-9.0.1366.pkg
> 
> Yet it doesn't get upgraded:
> 
> # pkg update -fr Poudriere-quarterly
> Updating Poudriere-quarterly repository catalogue...
> Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
> Fetching packagesite.pkg: 100%  153 KiB 157.1kB/s    00:01    
> Processing entries: 100%
> Poudriere-quarterly repository update completed. 568 packages processed.
> All repositories are up to date.
> 
> # pkg upgrade -r Poudriere-quarterly vim-x11
> Updating Poudriere-quarterly repository catalogue...
> Poudriere-quarterly repository is up to date.
> All repositories are up to date.
> Checking integrity... done (0 conflicting)
> Your packages are up to date.
> 
> # truss -fs 256 pkg update -fr Poudriere-quarterly 
> Shows packagesite.yaml.pkg downloaded to /tmp/, presumably runs its checks,
> then deletes it.
> 
> If I force re-installation, it downloads the new package and installs it.
> # pkg install -fr Poudriere-quarterly vim-x11 
> 
> So, why is pkg-upgrade's checksums check failing? And why isn't there a
> persistent packagesite.pkg on the client for pkg-update to compare to (to see
> if it needs updating) as implied by:
> 
>      Package repository catalogues will be automatically updated whenever pkg
>      upgrade is run by a user ID with write access to the package database
> 
> I looked at pkghash.h and upgrade.c but don't see where the hash check is
> failing.
> 
> 
> -- 
> Sent with https://mailfence.com  
> Secure and private email
> 


-- 
Sent with https://mailfence.com  
Secure and private email