I’m trying to test a site on the upcoming 6.7 release, using the latest RC2 package. As I understand it the normal process for this with Bedrock or Radicle is to modify the composer packages to require the core installer and roots/wordpress-full directly (since roots/wordpress-no-content doesn’t include RC releases.) The changed composer.json should look like this:
- "roots/wordpress": "6.6.2",
+ "roots/wordpress-core-installer": "^1.100",
+ "roots/wordpress-full": "6.7-RC2",
When I added the RC2, I got the following output — note the checksum verification failure:
❯ composer require roots/wordpress-full:6.7-RC2
./composer.json has been updated
Running composer update roots/wordpress-full
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
- Locking roots/wordpress-full (6.7-RC2)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
- Downloading roots/wordpress-full (6.7-RC2)
Failed to download roots/wordpress-full from dist: The checksum verification of the file failed (downloaded from https://downloads.wordpress.org/release/wordpress-6.7-RC2.zip)
Now trying to download from source
- Syncing roots/wordpress-full (6.7-RC2) into cache
- Installing roots/wordpress-full (6.7-RC2): Cloning master from cache
If I go to wordpress-full/composer.json at 7911eb86794280f56c98e94e2cec2a67ee97a06e · roots/wordpress-full · GitHub, I see that the package’s hard-coded checksum is 01d03df8b0a70f93f31d2030d39c6cf84c0a7edb.
But, if I go download the RC2 zip from https://wordpress.org/download/releases/#betas, and calculate my own checksum, sure enough it’s different: 0f78e7a8b97328a06be6767d4d606eda37ee4a2e.
This second checksum matches what is published at https://wordpress.org/wordpress-6.7-RC2.zip.sha1. The mismatch is between Composer’s expectation and what WordPress has published… so something has gone weird.
It looks like roots/wordpress-packager is the tool that assembles these new releases, and if I read the code correctly it should have gotten the checksum directly from what WordPress published at the URL above.
So what happened???
(Also strange: when I go check the wp-includes/version.php file that Composer added in my project, I see that what was actually installed is $wp_version = '6.8-alpha-59330' — apparently it pulled the master branch of WordPress/WordPress directly. That seems like a risky fallback.)