chore(registry): publish marketplace registry update#651
Conversation
| "files": [ | ||
| "nllb-200-distilled-600M-ct2-int8.tar.xz" | ||
| ], | ||
| "expected_size_bytes": 1135260128, | ||
| "license": "CC-BY-NC-4.0", | ||
| "license_url": "https://huggingface.co/facebook/nllb-200-distilled-600M", | ||
| "sha256": "6c95a9bc42239a189c71d32aeb66b3108a4fef97d194e3360f3a749671a05c35" |
There was a problem hiding this comment.
🔴 New translation model download fails integrity check
The new NLLB model file is listed with a different archive format (.tar.xz at dist/registry/plugins/nllb/0.3.1/manifest.json:25) while keeping the exact download checksum and size of the previous .tar.bz2 archive, so downloading the model fails verification.
Impact: Users installing the new NLLB version cannot complete installation — the model download aborts with a hash mismatch (or a missing-file error).
Checksum belongs to the old bz2 archive, not the new xz file
The installer hashes the downloaded (still compressed) file bytes and compares against the manifest sha256 (apps/skit/src/marketplace_installer.rs:1698-1706). In dist/registry/plugins/nllb/0.3.0/manifest.json the file was nllb-200-distilled-600M-ct2-int8.tar.bz2 with sha256 6c95a9bc42239a189c71d32aeb66b3108a4fef97d194e3360f3a749671a05c35 and expected_size_bytes 1135260128. The 0.3.1 manifest changes the filename to nllb-200-distilled-600M-ct2-int8.tar.xz but keeps the byte-identical sha256 and expected_size_bytes. A bz2 and an xz archive of the same content have entirely different bytes and thus different hashes, so either the checksum/size were never regenerated for the new archive, or the extension was changed by mistake. The same discrepancy exists in docs/public/registry/plugins/nllb/0.3.1/manifest.json:25,30.
Prompt for agents
The NLLB 0.3.1 manifest declares the model file as nllb-200-distilled-600M-ct2-int8.tar.xz but reuses the sha256 (6c95a9bc42239a189c71d32aeb66b3108a4fef97d194e3360f3a749671a05c35) and expected_size_bytes (1135260128) from the previous 0.3.0 manifest, which referenced the .tar.bz2 archive. The installer (apps/skit/src/marketplace_installer.rs) verifies this sha256 against the bytes of the downloaded compressed file, so this will fail. Determine whether the model archive on Hugging Face (repo streamkit/nllb-models) is actually .tar.xz or still .tar.bz2. If it is genuinely a new .tar.xz archive, regenerate and update both the sha256 and expected_size_bytes to match the new file. If the file is unchanged, revert the extension back to .tar.bz2. Apply the fix to both dist/registry/plugins/nllb/0.3.1/manifest.json and docs/public/registry/plugins/nllb/0.3.1/manifest.json (and note the .minisig signatures must be regenerated for the corrected manifest).
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
| "files": [ | ||
| "sherpa-onnx-nemo-parakeet-tdt-0.6b-v3-int8.tar.bz2" | ||
| ], | ||
| "expected_size_bytes": 486660829, | ||
| "license": "CC-BY-4.0", | ||
| "license_url": "https://huggingface.co/nvidia/parakeet-tdt-0.6b-v3", | ||
| "sha256": "181f96d0dcac111d68c2ee5843655bb08ecb5fe26f845a915c3e4fca7915b9f8" |
There was a problem hiding this comment.
🔍 Parakeet 0.3.1 switches from per-file checksums to single tarball
Parakeet 0.3.0 delivered the model as individual .onnx/.txt files with a file_checksums map, whereas 0.3.1 delivers a single archive sherpa-onnx-nemo-parakeet-tdt-0.6b-v3-int8.tar.bz2 with a top-level sha256. Because the model has a single file, the installer selects model.sha256 for verification (apps/skit/src/marketplace_installer.rs:1467), so this new hash is what will be checked. The silero-vad sha256 (1a153a22...88e3) is unchanged from 0.3.0, which is correct since silero_vad.onnx is unchanged. Unlike the NLLB entry, the parakeet tarball hash is new and could not be cross-checked against a prior value — reviewer should confirm it matches the actual uploaded archive.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
| untrusted comment: signature from minisign secret key | ||
| RUQ/85JEqYXEgdeVVmGwIGnSi5mBQsV48E9WsObmfD+rWnDxGpawRiVmX8FATBnjiz/rsQtZrGMquMXH9RXp/Omoj/hYz1VEMgE= | ||
| trusted comment: timestamp:1783273484 file:manifest.json hashed | ||
| peC71tuvTUJ/H8UqXTyY3iCBvy196vyTDoXEiLfa/p3HgHHFKseIQIOtGypX00U45IgDWTCDiKOpdGupFsdzAQ== |
There was a problem hiding this comment.
🔍 Manifest .minisig signatures must match corrected manifest content
Each new manifest.json ships with a detached minisign signature over manifest.json. If the NLLB 0.3.1 manifest is corrected (per the reported checksum bug), the corresponding manifest.minisig in both dist/ and docs/public/ must be regenerated, otherwise signature verification of the manifest will fail at install time.
Was this helpful? React with 👍 or 👎 to provide feedback.
Automated registry metadata update from run
28748266283.