Checksum mismatch on sources for version 2.16.1 from Github
57 views
Skip to first unread message
Uilian Ries
Nov 25, 2025, 3:23:26 AMNov 25
to DataStax C++ Driver for Apache Cassandra User Mailing List
Greetings!
Recently, when installing Cassandra CPP Driver via GitHub, the expected checksum did not match the current available on that repository:
Recently, when installing Cassandra CPP Driver via GitHub, the expected checksum did not match the current available on that repository:
The source file https://github.com/apache/cassandra-cpp-driver/archive/refs/tags/2.16.2.tar.gz matches the SHA-256 38ee1678bbf05eb566be7e45bebd9aedcac98c8a1fccba31bf89057c9cd6c6e3
However, we have a backup of those sources in our Artifactory too, and the computed SHA-256 is de60751bd575b5364c2c5a17a24a40f3058264ea2ee6fef19de126ae550febc9.
Doing a diff -r I did not find changes under the files; it seems to be a re-tag or metadata update only, but I would like a confirmation first.
Also, using GitHub to store sources does not guarantee the same checksum: https://github.com/orgs/community/discussions/45830. Instead, it's recommended to provide an archive with the sources released instead.
Can anyone confirm it was intentional?
Can anyone confirm it was intentional?
Bret McGuire
Dec 1, 2025, 6:02:16 PMDec 1
to DataStax C++ Driver for Apache Cassandra User Mailing List, uilia...@gmail.com
Thanks for the ping Uilian!
I can confirm that the SHA-256 of 38ee1678bbf05eb566be7e45bebd9aedcac98c8a1fccba31bf89057c9cd6c6e3 is indeed correct so that archive should be considered legitimate. I don't find any evidence that the 2.16.2 tag was moved around at all (nor do I remember doing so). Furthermore I'll note that the commits immediately before and after the current 2.16.2 tag do modify content so I'm not sure how you'd get to a build of something from that tag with a different SHA. Is it possible the build in your local Artifactory instance was a local build that contained some kind of modification or addition? Hard to imagine how that could be the case given the diff -r output you reported though.
I can confirm that the SHA-256 of 38ee1678bbf05eb566be7e45bebd9aedcac98c8a1fccba31bf89057c9cd6c6e3 is indeed correct so that archive should be considered legitimate. I don't find any evidence that the 2.16.2 tag was moved around at all (nor do I remember doing so). Furthermore I'll note that the commits immediately before and after the current 2.16.2 tag do modify content so I'm not sure how you'd get to a build of something from that tag with a different SHA. Is it possible the build in your local Artifactory instance was a local build that contained some kind of modification or addition? Hard to imagine how that could be the case given the diff -r output you reported though.
I'm at something of a loss here. I guess my answer would be to use the archive you downloaded with a valid SHA and discard the old one.
Thanks for the pointer about potentially changing SHAs on the Github side for release artifacts. I'll add here that since this driver has recently been donated to the Apache Software Foundation we'll likely be changing our build and release process. I would be quite surprised if that process didn't include automated generation of at least SHA digests as part of the build. We do this for the Java driver and I'd definitely like to see something similar incorporated here.
Hopefully some part of that was helpful!
- Bret -
Uilian Ries
Dec 2, 2025, 1:57:32 AMDec 2
to Bret McGuire, DataStax C++ Driver for Apache Cassandra User Mailing List
Hello Bret!
After doing a further investigation, the checksum mismatch was caused by the root folder renaming in that auto-generated tar.gz file. Reply all
Reply to author
Forward
0 new messages