add php package apfd
Pre-review Checklist
For new package PRs only
- [ ] This PR is marked as fixing a pre-existing package request bug
- [ ] Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
- [x] REQUIRED - The package is available under an OSI-approved or FSF-approved license
- [x] REQUIRED - The version of the package is still receiving security updates
- [ ] This PR links to the upstream project's support policy (e.g. endoflife.date)
https://pecl.php.net/package/apfd
@EyeCantCU any chance to review this PR? Is something missing? thanks
@mirobertod seems fine now after adding the label, you may not be in the group
🔍 Build Failed: Checksum Verification Failed
fetch: Expected sha256 does not match found: de222ad4231f410d71b8232b01e3e22c9cc27a68e6d272f153b230f2b048995f
Build Details
| Category | Details |
|---|---|
| Build System | melange |
| Failure Point | fetch step during source download verification |
Root Cause Analysis 🔍
The downloaded file apfd-1.0.3.tgz from https://pecl.php.net/get/apfd-1.0.3.tgz has a SHA256 checksum (de222ad4231f410d71b8232b01e3e22c9cc27a68e6d272f153b230f2b048995f) that does not match the expected checksum (90a2edecb43e3774ee2da7a0a2d59c9093dcdc4f0270ea682fa77fb65e1ec4e5) specified in the package configuration. This indicates either the source file has been updated/modified upstream, or there's a configuration error in the expected checksum value.
🔍 Build failure fix suggestions
Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:
Similar PRs with fixes
- https://github.com/wolfi-dev/os/pull/51942
Suggested Changes
File: php-8.1-apfd.yaml
- checksum_update at line 28 (pipeline fetch step)
Original:
expected-sha256: 90a2edecb43e3774ee2da7a0a2d59c9093dcdc4f0270ea682fa77fb65e1ec4e5
Replacement:
expected-sha256: de222ad4231f410d71b8232b01e3e22c9cc27a68e6d272f153b230f2b048995f
Content:
Update the expected SHA256 checksum to match the actual checksum of the downloaded file
Analysis
All three similar fixes show a consistent pattern: when a checksum mismatch occurs, the solution is to update the expected checksum value in the pipeline fetch step to match the actual checksum found during download. In Fix Example #0 and #2, the expected-sha512 was updated from an incorrect value to d2bd32e1f508585aa35db2ee3d9dc15fa20ad6f06ebaf894bba687aaaacf7771a0d0c5f5ffa8ed8c3e01d9239e20d26194e8f491f7cf10c2de140b64c58a2ede. In Fix Example #1, the expected-sha256 was updated from 9141cfa359202065d1af16f2216499d9fc66c270fc3176e60034dd270a91cb09 to c62d38f5da7df4299ac3a652508e959537752440181e34c76b2aecebd7f301b9, which was the actual checksum found. The fixes also often include version updates to ensure the package configuration matches the upstream source.
Explanation
The current build failure occurs because the downloaded apfd-1.0.3.tgz file has SHA256 checksum de222ad4231f410d71b8232b01e3e22c9cc27a68e6d272f153b230f2b048995f, but the package configuration expects 90a2edecb43e3774ee2da7a0a2d59c9093dcdc4f0270ea682fa77fb65e1ec4e5. This mismatch indicates that the upstream source file has been updated or re-uploaded with different content, which is common in software distributions. The fix involves updating the expected checksum to match the actual file checksum. This approach follows the exact same pattern seen in all three similar fixes, where the expected checksum value was corrected to match the actual downloaded file. Since the URL and version remain the same (1.0.3), this suggests the upstream maintainer updated the archive without changing the version number, which sometimes happens for packaging fixes or minor corrections that don't warrant a version bump.
Alternative Approaches
- Verify the integrity of the upstream source by checking multiple download mirrors or contacting the upstream maintainer to confirm the checksum change is legitimate
- Download the file manually and verify its contents haven't been maliciously modified before updating the checksum
- Check if there's a newer version (1.0.4 or higher) available that might have the expected checksum, though this would require a version bump
Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
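The manual check listed under the alternative approaches can be partly automated. This is an added example, not part of the PR or the bot's output: it assumes a copy of the tarball that matched the old pin is still available (for example in a build cache) and compares it member by member with the newly fetched one. The names `triage` and `make_tgz` and the sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def member_digests(archive: bytes) -> dict:
    """Map every member of a .tgz to a content digest (or its type and link target)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar:  # read only, nothing is extracted to disk
            if m.isfile():
                digests[m.name] = sha256_hex(tar.extractfile(m).read())
            else:
                digests[m.name] = f"type={m.type!r} link={m.linkname!r}"
    return digests

def triage(pinned_sha256: str, cached: bytes, fetched: bytes) -> dict:
    """Compare the copy that matched the pin with the copy that failed verification."""
    if sha256_hex(cached) != pinned_sha256:
        raise ValueError("cached copy does not match the pinned checksum")
    old, new = member_digests(cached), member_digests(fetched)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(n for n in old.keys() & new.keys() if old[n] != new[n])
    return {
        "fetched_sha256": sha256_hex(fetched),
        "added": added, "removed": removed, "changed": changed,
        # True only when every member is identical, i.e. the tarball was merely repacked
        "repack_only": not (added or removed or changed),
    }

def make_tgz(files: dict, mtime: int) -> bytes:
    """Build a constructed sample archive in memory (stand-in for a real download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data, not the real apfd sources.
BASE = {"pkg-1.0/config.m4": b"PHP_ARG_ENABLE\n", "pkg-1.0/ext.c": b"int x;\n"}
ORIGINAL = make_tgz(BASE, mtime=1)   # copy that matched the old pin
REPACKED = make_tgz(BASE, mtime=2)   # same files, new timestamps, new archive hash
MODIFIED = make_tgz({**BASE, "pkg-1.0/ext.c": b"int y;\n", "pkg-1.0/extra.sh": b"#!/bin/sh\n"}, mtime=2)
```

A `repack_only` result only says the new archive matches the cached one member by member; any entry under `changed` or `added` needs to be read before the pin is updated.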
@EyeCantCU I fixed the checksum. Is something else missing? Thanks
any update here? thanks
@OddBloke any chance to review this PR? Is something missing? thanks