Description: The help file from http://www.nic.funet.fi/pub/mirrors/documentfoundation.org/libreoffice/stable/6.1.3/deb/x86_64/LibreOffice_6.1.3_Linux_x86-64_deb_helppack_en-US.tar.gz does not match the sha256 checksum. Steps to Reproduce: 1. Go to download page 2. If the download link points to http://www.nic.funet.fi/pub/mirrors/documentfoundation.org/libreoffice/stable/6.1.3/deb/x86_64/LibreOffice_6.1.3_Linux_x86-64_deb_helppack_en-US.tar.gz , then you will end up downloading the bad file. Alternatively just enter in the URL to that mirror and it will download the bad file. 3. perform a checksum with sha256 and notice that it does not match with the website's checksum of aefe906103156c14f36e892a69a3f208b44cf8d34ff757bed9d1900dadad8ffc. The checksum from the mirror is cf38b2047ad1ea0f0fafed916e019f4e84e47821eb4e6163ba2800ec90a56f89. Actual Results: mismatched sha256 checksum Expected Results: matching checksums Reproducible: Always User Profile Reset: No Additional Info: The web site should exclude the bad mirror. The mirror needs to be checked if it was compromised or if the LibreOffice accounts used to upload the file was compromised. The bad file can still be extracted from the gz file.
Do you reproduce this with another mirror?
No, one other mirror did not reproduce the failed checksum; I got a matching checksum. I do not remember which mirror it was which was OK.
Thanks for reporting this issue. Moved to https://redmine.documentfoundation.org/issues/2898