pkg/50555: lang/pear distfile (PEAR-1.10.1.tgz) checksum error

[kre%munnari.OZ.AU@localhost]

>Number:         50555
>Category:       pkg
>Synopsis:       lang/pear distfile (PEAR-1.10.1.tgz) checksum error
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 15 02:50:00 +0000 2015
>Originator:     Robert Elz
>Release:        NetBSD 7.99.21 (irrelevant) -- pkgsrc current 2015-12-15
>Organization:
	Prince of Songkla University
>Environment:
System: NetBSD andromeda.noi.kre.to 7.99.21 NetBSD 7.99.21 (VBOX64-1.1-20150829) #3: Sun Aug 30 07:16:17 ICT 2015 kre%andromeda.noi.kre.to@localhost:/home/kre/src/current-kernel/usr/src/sys/arch/amd64/compile/VBOX64 amd64
Architecture: x86_64
Machine: amd64
>Description:
	After the recent update of lang/pear the distfile from the master site
	(PEAR-1.10.1.tgz - others are OK) does not match what is expected
	from the distinfo file (size fetched is 296139, expected in distinfo
	is 291167 and all 3 algorithms produce different checksums).

	What's more, the backup sites have a 25KB file which is obviously
	truncated.

	As a pure guess, I'd assume the master site updated the distfile
	contents, and one (or more) mirror sites just happened to download
	while the upload of the changed version was happening.

>How-To-Repeat:
	make sure you don't have an old distfiles/PEAR-1.10.1.tgz
	(save it is you do), then ...

	cd .../pkgsrc/lang/pear
	make checksum

>Fix:
	Compare the new and old distfiles (requires someone with the
	distfile pkgsrc is currently expecting) and see what changed,
	verify that it hasn't been trojan'd or similar.

	Theen, if all is kosher,  add a DIST_SUBDIR to the Makefile,
	and update the distinfo file to match, with the updated
	distfile info.   (If it is some kind of hack, contact the
	upstream maintainer and let them know ... if is is just
	stupidity, contact them and flame...)