TheiaIDE.AppImage has invalid checksum on Eclipse download site #397

Open
0rzech opened this issue Sep 10, 2024 · 9 comments

Comments

@0rzech

0rzech commented Sep 10, 2024

Bug Description:

TheiaIDE.AppImage has invalid checksum on Eclipse download site.

Steps to Reproduce:

  1. Go to https://www.eclipse.org/downloads/download.php?file=/theia/ide/latest/linux/TheiaIDE.AppImage .
  2. Click on SHA-512.
  3. The presented checksum is going to be:
c91a09a4911816a81ba18a042a9f0f4619db112250b596930dac2e9a8a2446946e591283e2651caa677113d9a3f54e184810b836ca3b84f1260c542f786283e3

Additional Information

The actual file checksum is:

e120d610d2b4b18696215a4e609ac53b8e5eef8f41c89324a95be2b01a73a87235f60594b8ca7f289e27ad1ad28fd6f73ba615c6a86651823fd3e2b66f1b6ef2
  • Theia Version: 1.53.200
@0rzech 0rzech changed the title TheiaIDE.AppImage has invalid checksum on Eclipse download site Eclipse download site presents invalid TheiaIDE.AppImage checksum Sep 10, 2024
@0rzech 0rzech changed the title Eclipse download site presents invalid TheiaIDE.AppImage checksum TheiaIDE.AppImage has invalid checksum on Eclipse download site Sep 10, 2024
@sgraband
Contributor

I cannot reproduce this. I get the correct checksum. Could you re-check?

@0rzech
Author

0rzech commented Sep 17, 2024

Now I can't reproduce either, but at the time of creating this issue the download site did present that weird checksum (weird, because it did not match the previous version either, AFAIR).

Btw., while the download site did present the wrong checksum, the https://download.eclipse.org/theia/ide/1.53.200/linux/ download folder contained latest-linux.yml with the correct one.

@JonasHelming
Contributor

@0rzech As there is currently no way to reproduce this, I suggest closing this and seeing whether it ever happens again. Is this fine for you?

@0rzech
Author

0rzech commented Oct 10, 2024

TBH, if I were you, I'd wait until the next release to see if there's again some time window of a wrong checksum, and then eventually close the issue. But the call is yours, of course! 🙂

@JonasHelming
Contributor

Yes, makes sense. @sgraband, can you create a reminder please?

@sgraband
Contributor

I already monitored this with the latest release and it seems like the mirrors are indeed slow. It seems like the mirror is only updated after around 1-2 days.
While we do not control the mirrors, we can control what we link on the webpage.
Therefore I will create a reminder for the next release to recheck this, as I am not sure which file is actually downloaded, which checksum is displayed, and what we can do to decrease the impact that this has.

@sgraband
Contributor

@JonasHelming I observed it during the last release and it actually took almost a week this time for the mirrors to update. I could not reproduce where the checksum that was shown on the mirror came from, until it got updated after almost a week.

I think we need to open a ticket with the Eclipse Foundation HelpDesk for this.

To mitigate the impact of this in the meantime, I opened eclipse-theia/theia-website#654 to point the website to the "real" download page which properly gets updated.

@JonasHelming
Contributor

I would open a ticket at the help desk indeed.

@0rzech
Author

0rzech commented Nov 21, 2024

Perhaps the checksum could always be fetched from the original download page and only binaries from the mirrors?

This way even if something bad happens on the mirror, the checksum will stay intact and the user will know something malicious happened to the binary.

I know that checksums are not meant for that, but it would add an additional safety measure and at the same time make the checksum available from the get-go after a Theia update.

The checksum file is very small, so it should not be too much of a burden for the server. And the binaries would still be downloaded primarily from the mirrors.

I saw this scheme many times in other FLOSS projects, so maybe it's worth considering in Theia's case as well?
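
The scheme proposed in the last comment (checksum from the origin, binary from a mirror), as an added sketch that is not part of the thread or of Theia's code. The function names and the release bytes are constructed for illustration, and accepting a base64 digest alongside hex is an assumption about how a manifest might store it; fetching the two inputs over HTTPS is left out so the block runs offline.

```python
import base64
import hashlib
import hmac
import re
import tempfile
from pathlib import Path


def sha512_file(path, chunk_size=1 << 20):
    """Stream the file so a large AppImage is never held in memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.digest()


def parse_published_digest(text):
    """Accept 128 hex chars (optionally followed by a file name, sha512sum
    style) or base64 (assumed manifest encoding); reject anything else."""
    stripped = text.strip()
    token = stripped.split()[0] if stripped else ""
    if re.fullmatch(r"[0-9a-fA-F]{128}", token):
        return bytes.fromhex(token)
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        raw = b""
    if len(raw) != 64:
        raise ValueError("not a SHA-512 digest")
    return raw


def verify_download(binary_path, origin_checksum_text):
    """True only if the mirror-served file matches the origin-served digest."""
    expected = parse_published_digest(origin_checksum_text)
    return hmac.compare_digest(sha512_file(binary_path), expected)


def demo():
    # Constructed stand-ins: the origin already publishes the new checksum,
    # one mirror is up to date and one still serves the previous binary.
    new_release = b"constructed stand-in for the current AppImage"
    old_release = b"constructed stand-in for the previous AppImage"
    origin_checksum = hashlib.sha512(new_release).hexdigest() + "  TheiaIDE.AppImage\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, served in (("fresh_mirror", new_release), ("stale_mirror", old_release)):
            path = Path(d) / name
            path.write_bytes(served)
            results[name] = verify_download(path, origin_checksum)
    return results
```

A stale or tampered mirror then fails verification instead of showing a checksum that silently disagrees with the file, which is the failure this issue reports.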
