Bug 905995

Summary: perl-Mozilla-LDAP upstream tarball checksum mismatch
Product: [Fedora] Fedora Reporter: Stanislav Ochotnicky <sochotni>
Component: perl-Mozilla-LDAPAssignee: Petr Šabata <psabata>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: nkinder, perl-devel, psabata, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-01 15:40:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stanislav Ochotnicky 2013-01-30 15:13:04 UTC 
Your package contains sources which have different checksums from upstream versions. Please verify they are correct and differences do not pose a problem for Fedora.
MD5-sum check
-------------
ftp://ftp.mozilla.org/pub/mozilla.org/directory/perldap/releases/1.5.3/src/perl-mozldap-1.5.3.tar.gz :
  CHECKSUM(SHA256) this package     : 9d707be3a126dd6001205ef72e59e4b892dcda3b3a1e7d061f6f7fc0dba20a68
  CHECKSUM(SHA256) upstream package : 9d707be3a126dd6001205ef72e59e4b892dcda3b3a1e7d061f6f7fc0dba20a68
ftp://ftp.mozilla.org/pub/mozilla.org/directory/perldap/releases/1.5/src/Makefile.PL.rpm :
  CHECKSUM(SHA256) this package     : 946e337be7a112b1e29bce67d495fdf74b50a72303c4aa2f4ddfad5759030e6a
  CHECKSUM(SHA256) upstream package : 8b42cb7f2242afdaf912abe9fd490f783afa453b9bc9c1ae425b12a40dd44cd1
diff -r also reports differences
Comment 1 Petr Šabata 2013-02-01 15:40:39 UTC 
The file is patched in our git tree; the changes there are related to our specific build options.
Comment 2 Stanislav Ochotnicky 2013-02-01 16:32:33 UTC 
Why not make a patch for it and apply it in %prep then?
Comment 3 Petr Šabata 2013-02-04 10:20:20 UTC 
(In reply to comment #2)
> Why not make a patch for it and apply it in %prep then?

I see no benefit of such approach in this case.

Also, I suggest your tool should compute digests of the versions initially committed to the repository in these cases to avoid false positives.  There are probably more packages like this one...