Homebrew-core: nushell: build from source failure due to SHA256 mismatch

Created on 19 Oct 2020 · 11 Comments · Source: Homebrew/homebrew-core

Bug report

Please note we will close your issue without comment if you delete, do not read or do not fill out the issue checklist below and provide ALL the requested information. If you repeatedly fail to use the issue template, we will block you from ever submitting issues to Homebrew again.

  • [x] ran brew update and can still reproduce the problem?
  • [x] ran brew doctor, fixed all issues and can still reproduce the problem?
  • [x] ran brew gist-logs <formula> (where <formula> is the name of the formula that failed) and included the output link?
  • [x] if brew gist-logs didn't work: ran brew config and brew doctor and included their output with your issue?

What you were trying to do (and why)

brew upgrade -s nushell. I'm calling upgrade, not install because I have nushell installed already, and -s here to trigger downloading source tarball with mismatching checksum instead of downloading bottle built from previous version of said 0.21.0 tarball. Linuxbrew users are also affected, and they have no nushell bottle built at all so even brew install/upgrade nushell would suffice to trigger the issue.

What happened (include command output)

Build fails


Command output

brew upgrade -s nushell
==> Upgrading 1 outdated package:
nushell 0.20.0_1 -> 0.21.0_1
==> Upgrading nushell 0.20.0_1 -> 0.21.0_1
==> Downloading https://linuxbrew.bintray.com/bottles/curl-7.73.0.x86_64_linux.bottle.tar.gz
Already downloaded: /home/develop7/.cache/Homebrew/downloads/0edd13e93d2fb8bcb315f507b8ee8aacd781c521623f03ab264dc655f607785a--curl-7.73.0.x86_64_linux.bottle.tar.gz
==> Downloading https://linuxbrew.bintray.com/bottles/binutils-2.34.x86_64_linux.bottle.1.tar.gz
Already downloaded: /home/develop7/.cache/Homebrew/downloads/89689a109fb683160a75fad3a6b3d8a96155e50b37de5ccc3e9f15155d605b93--binutils-2.34.x86_64_linux.bottle.1.tar.gz
==> Downloading https://linuxbrew.bintray.com/bottles/rust-1.46.0_1.x86_64_linux.bottle.tar.gz
Already downloaded: /home/develop7/.cache/Homebrew/downloads/c48164d83f8103c246a9cdfadc1ebdc8fdea84171a4bd55f996072d53534d81c--rust-1.46.0_1.x86_64_linux.bottle.tar.gz
==> Downloading https://github.com/nushell/nushell/archive/0.21.0.tar.gz
Already downloaded: /home/develop7/.cache/Homebrew/downloads/edefa2b76e2d74d588983484f2893482911eaa3a08a3417cf67a4b21e671f66b--nushell-0.21.0.tar.gz
Error: SHA256 mismatch
Expected: 223df54901cf924c8018629827c00c73a3cf45bbb178503484318734e9d99e82
Actual: 24598bcf6e61825fd3b6f17e083952926a4b072efff413748bbd5bc83a3158f1
Archive: /home/develop7/.cache/Homebrew/downloads/edefa2b76e2d74d588983484f2893482911eaa3a08a3417cf67a4b21e671f66b--nushell-0.21.0.tar.gz
To retry an incomplete download, remove the file above.


What you expected to happen

The sha256 in formula matches actual one.

Step-by-step reproduction instructions (by running brew install commands)

  1. brew install -s nushell

Required logs


brew doctor

$ brew doctor
Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: "config" scripts exist outside your system or Homebrew directories.
`./configure` scripts often look for *-config scripts to determine if
software packages are installed, and which additional flags to use when
compiling and linking.

Having additional scripts in your path can confuse software installed via
Homebrew if the config script overrides a system or Homebrew-provided
script of the same name. We found the following "config" scripts:
  /home/develop7/.cargo/bin/cargo-install-update-config
  /home/develop7/.cargo/bin/cargo-config

Warning: You have unlinked kegs in your Cellar.
Leaving kegs unlinked can lead to build-trouble and cause brews that depend on
those kegs to fail to run properly once built. Run `brew link` on these:
  ncurses
  bzip2
  pcre2
  sqlite
  xz
  pcre
  pkg-config
  oniguruma
  icu4c
  groff
  expat
  diffutils
  unzip
  [email protected]
  libpng


brew config

$ brew config
HOMEBREW_VERSION: 2.5.6-74-g4e8d374
ORIGIN: https://github.com/Homebrew/brew
HEAD: 4e8d37494231718d501e04c482bdd764f6b2587a
Last commit: 8 hours ago
Core tap ORIGIN: https://github.com/Homebrew/linuxbrew-core
Core tap HEAD: 87d58df277cd3746d572aa77e8e4fb139a8f3fa7
Core tap last commit: 26 hours ago
Core tap branch: master
HOMEBREW_PREFIX: /home/linuxbrew/.linuxbrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_DISPLAY: :1
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_MAKE_JOBS: 6
Homebrew Ruby: 2.6.3 => /home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/vendor/portable-ruby/2.6.3_2/bin/ruby
CPU: hexa-core 64-bit unknown_0x15_0x2
Clang: 10.0 build (parse error)
Git: 2.28.0 => /usr/bin/git
Curl: 7.72.0 => /usr/bin/curl
Kernel: Linux 5.8.14-1-default x86_64 GNU/Linux
OS: openSUSE Tumbleweed (n/a)
Host glibc: 2.32
/usr/bin/gcc: 10.2.1
/usr/bin/ruby: 2.7.1
glibc: N/A
gcc: N/A
xorg: N/A


All 11 comments

Can you confirm with the nushell project if the hash did change intentionally?

https://github.com/nushell/nushell/actions?query=workflow%3A%22Create+Release+Draft%22 (note multiple 0.21.0 entries on the top of the list) looks quite intentional. Do you want me to get a confirmation from @jonathandturner?

Please do

@SMillerDev while @jonathandturner hasn't replied yet, could you explain why https://github.com/nushell/nushell/actions?query=workflow%3A%22Create+Release+Draft%22 does not look intentional enough to you?

Someone could have gotten access to a personal token and run a GitHub action a second time. Unless there is a post saying "yes we retagged, you can trust the second tag" we're not changing anything.
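
The triage step behind this exchange, as an added example (not part of the thread and not Homebrew's own code): it parses the mismatch report from the issue and classifies a freshly fetched copy of the tarball against it. The `triage` helper, its outcome names and the stand-in archive bytes are hypothetical.

```ruby
require "digest"
require "tempfile"

# The mismatch lines brew printed in the report above, copied verbatim.
BREW_OUTPUT = <<~LOG
  Error: SHA256 mismatch
  Expected: 223df54901cf924c8018629827c00c73a3cf45bbb178503484318734e9d99e82
  Actual: 24598bcf6e61825fd3b6f17e083952926a4b072efff413748bbd5bc83a3158f1
  Archive: /home/develop7/.cache/Homebrew/downloads/edefa2b76e2d74d588983484f2893482911eaa3a08a3417cf67a4b21e671f66b--nushell-0.21.0.tar.gz
LOG

SHA256_HEX = /\A\h{64}\z/

# Pull the pinned digest, the observed digest and the archive path out of
# brew's output. Returns nil when the text is not a well-formed mismatch report.
def parse_mismatch(log)
  return nil unless log.include?("SHA256 mismatch")
  f = log.scan(/^(Expected|Actual|Archive):[ \t]*(\S+)[ \t]*$/).to_h
  return nil unless %w[Expected Actual Archive].all? { |k| f.key?(k) }
  return nil unless [f["Expected"], f["Actual"]].all? { |d| d.match?(SHA256_HEX) }
  { expected: f["Expected"].downcase, actual: f["Actual"].downcase, archive: f["Archive"] }
end

# Hypothetical triage helper: hash a freshly fetched copy of the tarball and
# say which side of the report it agrees with.
def triage(fresh_path, report)
  digest = Digest::SHA256.file(fresh_path).hexdigest
  return :matches_formula if digest == report[:expected]  # cached file was stale or damaged
  return :upstream_changed if digest == report[:actual]   # tag now serves different bytes
  :unstable                                               # differs from both: do not trust
end

if __FILE__ == $PROGRAM_NAME
  report = parse_mismatch(BREW_OUTPUT)
  # Constructed stand-in for a fresh download; its bytes are not the real tarball.
  Tempfile.create("nushell-0.21.0.tar.gz") do |f|
    f.write("constructed archive bytes")
    f.flush
    puts "expected=#{report[:expected][0, 12]} actual=#{report[:actual][0, 12]}"
    puts "fresh copy: #{triage(f.path, report)}"
  end
end
```

An `:upstream_changed` result only says the bytes served for the tag differ from the pinned ones; whether the new digest may replace the pin still depends on confirmation from upstream, as requested in this thread.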

Yes, we do a few steps for each release: tag, confirm the github action runs correctly, then publish a github release after the CI goes green. Sometimes the release action doesn't go green and we have to redo the tag for that release.

I also confirmed on the nushell repo: https://github.com/nushell/nushell/issues/2680

Is it possible to trigger the release off the github release rather than the tag?

Homebrew is based on community submission for updates, and we can't actually control the community like that 😄. We can however tweak our "update detection" to warn a little later. @nandahkrishna and @samford paging you as the experts here.

By default, livecheck checks the Git repository tags for the nushell formula. Since the "latest" release is marked on GitHub, it would be more appropriate for us to be checking that anyway (as we prefer it over the Git tags, when available). I'll add a livecheck block to the formula in a moment.

We could update the nushell formula to have a livecheck block that checks for the GitHub Latest release rather than using the Git strategy (which is what happens now).

Edit: Aha, it seems Sam and I commented at the same time. Thanks, Sam!

63173 resolves the SHA256 mismatch and adds a livecheck block with a more appropriate check. Having livecheck use the "latest" release will hopefully help to reduce the chance that someone bumps the version before there's a corresponding release in the future.

Fixed, thanks @samford
