https://bugzilla.redhat.com/show_bug.cgi?id=2013814 Brian Lane <bcl@xxxxxxxxxx> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(bcl@xxxxxxxxxx) | --- Comment #3 from Brian Lane <bcl@xxxxxxxxxx> --- That just points to the upstream path for the tar, but it isn't downloaded at build time. The src.rpm includes a copy of it alongside the spec file. You can examine this by running: rpm2cpio libxo-1.6.0-1.el8.src.rpm | cpio -od in a temporary directory, it will extract the contents: libxo-1.6.0-sysctl.patch libxo-1.6.0.tar.gz libxo.spec And if you run sha256sum on the tar included in the src.rpm it doesn't match the upstream tar's hash, which is what fedora-review means with this output: https://github.com/Juniper/libxo/releases/download/1.6.0/libxo-1.6.0.tar.gz : CHECKSUM(SHA256) this package : fca2d2d0c628d5a2b41e9dbe4ef1aa032e3680b2cb5c86a27e552a2eb8368bd7 CHECKSUM(SHA256) upstream package : 9f2f276d7a5f25ff6fbfc0f38773d854c9356e7f985501627d0c0ee336c19006 diff -r also reports differences Somehow the libxo-1.6.0.tar.gz you used when creating the src.rpm isn't the same as the upstream one. Sometimes downloading via the browser can grab the wrong one. The easiest way to get it is to use rpmspectool: # rpmspectool get --sources ./libxo.spec # sha256sum libxo-1.6.0.tar.gz 9f2f276d7a5f25ff6fbfc0f38773d854c9356e7f985501627d0c0ee336c19006 libxo-1.6.0.tar.gz which matches the expected upstream hash. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component https://bugzilla.redhat.com/show_bug.cgi?id=2013814 _______________________________________________ package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
