Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?
Hi,
I run reprepro to create a local mirror for lenny, lenny-security and
sid. Since I have it set up to put all 3 into a common pool I noticed
the following:
Lenny:
------
Package: uw-imap
Version: 7:2007b~dfsg-3
Files:
b52118669abf422f766d14e3e2d69daa 1608456 uw-imap_2007b~dfsg.orig.tar.gz
Sid:
----
Package: uw-imap
Version: 8:2007b~dfsg-1
Files:
b52118669abf422f766d14e3e2d69daa 1608456 uw-imap_2007b~dfsg.orig.tar.gz
Lenny-Security:
---------------
Package: uw-imap
Version: 7:2007b~dfsg-4+lenny1
13dc7a81451e676f29ed840ba81b79ca 1617554 uw-imap_2007b~dfsg.orig.tar.gz
As you can see Lenny-Security has a different orig.tar.gz than
Lenny/Sid. This creates a problem for my reprepro as it detects a
size/md5sum mismatch, aborts and sends me an angry mail. But more
importantly this prevents the security update from entering Lenny:
20081106164710|process-unchecked|rejected|uw-imap_2007b~dfsg-4+lenny1_amd64.changes
Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.
As it is, the vulnerable version of uw-imap will remain in Lenny and
Lenny will have a known security bug that is totally avoidable. From
the timestamp above you can see that this problem has been around for over
a month.
Does anyone care?
MfG
Goswin
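
The mismatch reported in this message can be detected before suites are imported into a shared pool by comparing the Files entries of each suite's Sources index. The following is an added example, not part of the original post and not reprepro's code; the stanza text is constructed from the values quoted above, and the function names are hypothetical.

```python
from collections import defaultdict

ORIG = "uw-imap_2007b~dfsg.orig.tar.gz"
# Constructed Sources-style stanzas, built from the values quoted in the message.
SUITES = {
    "lenny": "Package: uw-imap\nVersion: 7:2007b~dfsg-3\nFiles:\n"
             f" b52118669abf422f766d14e3e2d69daa 1608456 {ORIG}\n",
    "sid": "Package: uw-imap\nVersion: 8:2007b~dfsg-1\nFiles:\n"
           f" b52118669abf422f766d14e3e2d69daa 1608456 {ORIG}\n",
    "lenny-security": "Package: uw-imap\nVersion: 7:2007b~dfsg-4+lenny1\nFiles:\n"
                      f" 13dc7a81451e676f29ed840ba81b79ca 1617554 {ORIG}\n",
}


def parse_files(sources_text):
    """Yield (filename, md5, size) from the Files: field of every stanza."""
    for stanza in sources_text.strip().split("\n\n"):
        in_files = False
        for line in stanza.splitlines():
            if line.startswith("Files:"):
                in_files = True
            elif in_files and line[:1] in (" ", "\t"):
                parts = line.split()
                if len(parts) == 3:
                    md5, size, name = parts
                    yield name, md5.lower(), int(size)
            else:
                in_files = False  # any other field ends the Files: block


def pool_conflicts(suites):
    """Return {filename: {(md5, size): [suites]}} for names with >1 variant.

    In a common pool one filename maps to one path, so two variants of the
    same name cannot coexist and one of the suites will fail to import.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for suite, text in suites.items():
        for name, md5, size in parse_files(text):
            seen[name][(md5, size)].append(suite)
    return {n: dict(v) for n, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for name, variants in pool_conflicts(SUITES).items():
        print(f"CONFLICT {name}")
        for (md5, size), where in variants.items():
            print(f"  {md5} {size:>8}  {', '.join(where)}")
```
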