#!/usr/bin/perl
use strict;
use warnings;
use CPAN::Mirrors;
use LWP::UserAgent;
use Digest::SHA qw(sha256_hex);
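# Download one known distribution from every HTTP CPAN mirror listed in a
# local MIRRORED.BY file and compare the SHA-256 of the bytes received with
# a pinned, known-good digest. Mirrors are sorted into matching, mismatching
# and unreachable, and the last two groups are reported at the end.

# Pinned digest of the .tar.gz exactly as it should arrive on the wire.
# The literal must be a single unbroken 64-hex-digit string; a line wrap
# inside it makes every comparison fail.
my $sha256 = '8e3fccbf4c7e87c2df7c1e756fc17666a708bab8b36fd200416375651d9b86e1';
my $path = 'authors/id/R/RS/RSCHUPP/PAR-Packer-1.047.tar.gz';

# 'MIRRORED.BY' is a relative path, so a copy has to be present in the
# current working directory.
my $mirrors = CPAN::Mirrors->new( 'MIRRORED.BY' );
my @mirrors = $mirrors->mirrors();
my ( @goodsha, @badsha, @problemmirror );
my $ua = LWP::UserAgent->new();

MIRROR:
foreach my $cpan ( @mirrors ) {
    # Only mirrors that advertise an HTTP base URL are checked.
    next MIRROR unless $cpan->{http};

    print "Checking Mirror: $cpan->{http}\n";

    # Plain concatenation: assumes the mirror's base URL ends in '/'.
    my $url = $cpan->{http} . $path;
    my $res = $ua->get( $url );

    if ( !$res->is_success ) {
        print "Couldn't download $url\n";
        push @problemmirror, $url;
        next MIRROR;
    }

    # Hash the raw response body. decoded_content() undoes any
    # Content-Encoding (even with charset => 'none'), so a mirror that labels
    # the tarball "Content-Encoding: gzip" would be hashed after gunzipping
    # and would be reported as a mismatch although the file is intact.
    my $file     = $res->content;
    my $file_sha = sha256_hex( $file );

    if ( $file_sha eq $sha256 ) {
        print "Matching SHA\n";
        push @goodsha, $url;
    }
    else {
        # The transfer is plain HTTP, so this digest comparison is the only
        # integrity check; a mismatch deserves a manual look.
        print "Warning: SHA does not match!\n";
        print "Got : $file_sha\nExpected: $sha256\n";
        push @badsha, $url;
    }
}

# Summary of the mirrors that need attention.
print "'Bad' mirrors\n\n" . join( "\n", @badsha ) if @badsha;
print "\n'Unreachable' mirrors\n\n" . join( "\n", @problemmirror )
    if @problemmirror;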
A copy of MIRRORED.BY is required in the same directory as this script (for example via wget http://www.cpan.org/MIRRORED.BY). I get a few 'Unreachable' URLs (perhaps connectivity issues from here to there rather than genuine downtime; see also http://mirrors.cpan.org/, the same 4 at time of writing), and a few 'BAD' SHAs. On inspection, these seem to be sending the value associated with 'sha256-ungz' (as listed in CHECKSUMS); as yet I'm unsure why.
Obviously this does not take into account PPM repos, which I gave up on years ago for unrelated reasons.
Update: For clarity, the script downloads PAR-Packer-1.047.tar.gz from each mirror and calculates the SHA256 and validates it against a known good SHA for the file. For a few of the sites the download of the tar.gz results in a different SHA:
Checking Mirror: http://mirrors.gossamer-threads.com/CPAN/
Warning: SHA does not match!
Got : d339d474e8a87ceb3e0ad456acd13249e7e80eea0d735aed3a32108bdcfc85bd
Expected: 8e3fccbf4c7e87c2df7c1e756fc17666a708bab8b36fd200416375651d9b86e1
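Note that d339d474e8a87ceb3e0ad456acd13249e7e80eea0d735aed3a32108bdcfc85bd is the sha256-ungz SHA: 'sha256-ungz' => 'd339d474e8a87ceb3e0ad456acd13249e7e80eea0d735aed3a32108bdcfc85bd', (from CHECKSUMS). In other words, the bytes that were hashed were the gunzipped tarball. That is what one would expect if these mirrors label the .tar.gz with a Content-Encoding: gzip header and decoded_content() undoes it before hashing (charset => 'none' only switches off charset decoding); hashing $res->content, the raw body, would confirm or rule this out.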