HACKER Q&A
📣 j1elo

GitHub Download Hash Change?


Today, an issue was raised in one project I use, because their build system rejected an invalid sha256sum while downloading a dependency from a GitHub zip file.

The offending dependency is usrsctp (https://github.com/sctplab/usrsctp) at commit 9d6b99b:

https://github.com/sctplab/usrsctp/archive/9d6b99b10a70f7a63d21cd80d03c353da9ac19d3.zip

This file's sha256sum has always been

    d9b7b3350ea0be2a3d1437e404d4852df741c4984b734729c5edc337ff4b7611
but suddenly today it changed to

    e86fe0b8aabef0eae207a94a5525da303e90477c37fce272c84e2d87d7ac169b
This lasted a couple hours, and it is now back to the original hash. Does this mean that the project might have been compromised somehow? Or are there any other less alarming explanations for what has happened?


  👤 zbuf Accepted Answer ✓
There are many ways that different Zip files can contain the exact same content. A change to the order in which files are stored is likely to be the primary one.

Zip also has optional ZIP64 headers (required for large files) and a switch to using these would be another example.

Assuming Github don't actually store the files (maybe they cache frequently used ones), sounds like you spotted the roll out of some new code.

These sorts of issues come up when you're reliant on sorting a list of files -- because it depends on an idea of the alphabet, which comes from the locale in the environment you run in (could be "POSIX" or "en_GB"). Now you can see why a change from outside the code could cause the unintended side effect you might be seeing here.


👤 outloudvi
Probably there are some metadata changes. You can try diffoscope to look into the details.

👤 soraminazuki
GitHub archives are known to be unstable. Packages in the Nix package manager calculate the hash for the unpacked contents of GitHub archives for this precise reason.

https://github.com/NixOS/nixpkgs/issues/32997
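The two points made above (zbuf: the same files can be packed into byte-different archives; soraminazuki: hash the unpacked contents instead of the archive) can be checked directly. The following is an added example, not code from anyone in this thread and not the Nix implementation: it builds a few small zip archives in memory from constructed sample files, shows that reordering the entries or changing their timestamps alters the archive's sha256 while a hash over the unpacked contents stays the same, and that a real change to a file's bytes is still caught. The content hash used here (paths sorted bytewise, then path and data fed into one SHA-256) is a simplified stand-in for what a package manager would do; the file names and contents are invented.

```python
"""Compare zip archives by unpacked content instead of by archive bytes.

Added example with constructed sample data. The content-hash scheme is a
simplified illustration, not the hashing used by Nix or any other tool.
"""
import hashlib
import io
import zipfile

# Constructed sample tree; names and contents are invented placeholders.
FILES = [
    ("project-abc123/README.md", b"# sample project\n"),
    ("project-abc123/src/lib.h", b"/* header */\n"),
    ("project-abc123/CMakeLists.txt", b"project(sample)\n"),
]


def build_zip(entries, date_time=(2020, 1, 1, 0, 0, 0)):
    """Pack (name, bytes) pairs into an in-memory zip, in the order given.

    date_time is the per-entry modification time stored in the archive;
    it is part of the archive bytes but not part of the file contents.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def archive_sha256(zip_bytes):
    """What `sha256sum file.zip` reports: a hash of the raw archive bytes."""
    return hashlib.sha256(zip_bytes).hexdigest()


def content_sha256(zip_bytes):
    """Hash of the unpacked contents, independent of entry order and metadata.

    Regular files are visited sorted by the UTF-8 bytes of their path, so the
    order does not depend on the process locale (the pitfall zbuf describes).
    Each path and each file body is NUL-terminated before hashing so that
    boundaries between path and data, and between files, are unambiguous.
    """
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.filename.encode("utf-8"))
        for info in infos:
            if info.is_dir():
                continue
            h.update(info.filename.encode("utf-8") + b"\0")
            h.update(zf.read(info))
            h.update(b"\0")
    return h.hexdigest()


def compare(zip_a, zip_b):
    """Return (same_archive_bytes, same_unpacked_contents) for two archives."""
    return (
        archive_sha256(zip_a) == archive_sha256(zip_b),
        content_sha256(zip_a) == content_sha256(zip_b),
    )


# Same files, entries written in a different order.
ZIP_ORIGINAL = build_zip(FILES)
ZIP_REORDERED = build_zip(list(reversed(FILES)))
# Same files and order, but different per-entry timestamps.
ZIP_RETIMED = build_zip(FILES, date_time=(2021, 6, 1, 12, 0, 0))
# One file's bytes actually changed: this must be detected.
ZIP_TAMPERED = build_zip(
    [(n, d if n != "project-abc123/src/lib.h" else b"/* altered */\n") for n, d in FILES]
)

if __name__ == "__main__":
    for label, other in [("reordered", ZIP_REORDERED),
                         ("retimed", ZIP_RETIMED),
                         ("tampered", ZIP_TAMPERED)]:
        same_bytes, same_content = compare(ZIP_ORIGINAL, other)
        print(f"{label:9s} archive-bytes equal: {same_bytes!s:5s} "
              f"unpacked-contents equal: {same_content}")
```

Pinning the archive hash in a build system therefore fails whenever the server changes how it packs the same tree; pinning a hash of the unpacked tree (or of a specific commit, verified after extraction) survives repacking but still rejects a change to any file's bytes.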


👤 simfoo
Same thing happened to a bunch of other release archives and broke our CI pipeline