Comments (4)
Ah, there are two issues here, both of which are related to the same event. I wrote a bit about it over here: moby/moby#46470 (comment)
In short, the metadata for IBM packages was out of sync with the package files, and there were limited options to recover; the "least evil" was to re-sign the 24.0.6 binaries for non-IBM platforms (currently, signing and publishing are the same step in the release pipeline).
This situation should happen rarely or not at all; this infrastructure is being actively worked on and I don't think we'll have to repeat this, but I'm also looking at e.g. separating signing and publishing to prevent this scenario more robustly in the future.
I wrote a couple more thoughts on mirrors over at docker/docker-install#379 (comment).
As a final take-away, it seems like we'll really need to figure out a canonical venue to discuss Docker CE/download.docker.com since issues end up opened in so many diverse places (and I also receive emails, Slack messages, etc.); I'll continue to mull over where that should be, as the canonical pipeline that defines this infrastructure is actually 4-5 internal repositories.
from docker-ce-packaging.
We also observed hash sum mismatches on the following packages that we use:
# ARM64
/dists/jammy/pool/stable/arm64/docker-ce-cli_24.0.6-1~ubuntu.22.04~jammy_arm64.deb
/dists/jammy/pool/stable/arm64/docker-ce_24.0.6-1~ubuntu.22.04~jammy_arm64.deb
/dists/jammy/pool/stable/arm64/docker-ce-rootless-extras_24.0.6-1~ubuntu.22.04~jammy_arm64.deb
/dists/jammy/pool/stable/arm64/docker-compose-plugin_2.21.0-1~ubuntu.22.04~jammy_arm64.deb
# AMD64
/dists/jammy/pool/stable/amd64/docker-ce-cli_24.0.6-1~ubuntu.22.04~jammy_amd64.deb
/dists/jammy/pool/stable/amd64/docker-ce_24.0.6-1~ubuntu.22.04~jammy_amd64.deb
/dists/jammy/pool/stable/amd64/docker-ce-rootless-extras_24.0.6-1~ubuntu.22.04~jammy_amd64.deb
/dists/jammy/pool/stable/amd64/docker-compose-plugin_2.21.0-1~ubuntu.22.04~jammy_amd64.deb
Diffing the files confirmed that the same versions had been rebuilt and pushed. For example looking, at part of a binary diff of docker-compose-plugin_2.21.0-1~ubuntu.22.04~jammy_arm64.deb
:
640736,640737c640736,640737
< 009c6df0: 4461 7465 3a20 5475 6520 5365 7020 2035 Date: Tue Sep 5
< 009c6e00: 2031 363a 3532 3a33 3220 3230 3233 0a52 16:52:32 2023.R
---
> 009c6df0: 4461 7465 3a20 4672 6920 5365 7020 2038 Date: Fri Sep 8
> 009c6e00: 2031 373a 3031 3a32 3120 3230 3233 0a52 17:01:21 2023.R
There were other minor differences in what looked to be a PGP cert inside the file.
We had to ask our package mirror maintainers to manually delete these files from their cache to fix our builds.
My understanding is that pushing up a different build of the same version is considered bad practice. Is there any reason why these weren't released as new packages with their build number bumped (e.g. 24.0.6-2
)?
from docker-ce-packaging.
Okay, so someone's done something because today...
andy:foo$ wget https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/s390x/docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
...
andy:foo$ md5sum docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
df3e70ebf3512c73d2b553c145991652 docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
andy:foo$ sha1sum docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
fd5b0d5a95af5a6459fb120362a84edd3a7ffe38 docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
andy:foo$ sha256sum docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
6d1c1656d82b621fcec013566ddb67537bf53cb73ca3ae839fbbd83804b93796 docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
andy:foo$ sha512sum docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
bf96935b6db864510a95e1842cc54b956c3ed6175a56fa9244dccf00b323b9397f0903216d2497ca2982b7c93f7e46d124801fc190d9640476259a9178c1b403 docker-ce_24.0.3-1~ubuntu.20.04~focal_s390x.deb
So now all the checksums match up with what the Packages
files claim
Looking at https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/s390x/, the timestamps on the files are unchanged
from docker-ce-packaging.
Also, closing this for now as resolved.
from docker-ce-packaging.
Related Issues (20)
- https://download.docker.com/linux/rhel/9/docker-ce.repo stopped working HOT 4
- Panic: runtime - error HOT 1
- Add rpm package for Fedora 38 HOT 10
- [chore] remove device mapper dependencies HOT 1
- Use upstream init scripts
- docker-ce-23.0.x, docker-ce-rootless-extras-23.0.x - rpm circular dependency reference HOT 5
- docker.service fails to start after upgrade from 24.0.2 to 24.0.3 HOT 2
- CI should validate expected files are included somehow
- Debian bookworm install/service start fail
- Build RPMs for Rocky and Alma (without reusing CentOS Stream RPMs)
- bullseye apt repo is broken HOT 3
- Build RPMs for Fedora 39 HOT 2
- Official Fedora docker-ce.repo file is empty HOT 1
- VERIFY_PACKAGE_REPO mis-assigned staging instead of stage HOT 1
- Support kernel.apparmor_restrict_unprivileged_userns HOT 3
- Question: How are packages distributed HOT 2
- [BUG] docker compose in apt is not up to date with docker compose releases HOT 3
- `docker-compose-plugin` v2.24.6 is not available via apt repos HOT 1
- Sdw💥🔥
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from docker-ce-packaging.