Hi, > md5sum says: > > ~> md5sum slbackup_0.0.12-5~edu70+1_all.deb > *7e72a33d83d3185abe66278c1b01b67e* slbackup_0.0.12-5~edu70+1_all.deb > > but > http://ftp.skolelinux.org/skolelinux/dists/wheezy/local/binary-amd64/Package > s states > > MD5sum: *83d3185abe66278c1b01b67e98d69f57* > SHA1: a23c8598901c18fa16dc18128e6b668ef2de7f61 > SHA256: 4dc74d5da14c7b8d5bcc55fcfc40660991255d074142d9f0b2461e3200000000 > > Only the SHA512 value matches the one we calculated locally, MD5, SHA1 > and SHA256 are screwed. > > There is an indication that there might be somewhere something broken > with string manipulation as e.g. the MD5 sums we got match a substring > of the one given on the project web page. This gets more obvious if > written like this: > > 7e72a33d *83d3185abe66278c1b01b67e* > > ........ *83d3185abe66278c1b01b67e* 98d69f57 Yeah, looking closer, it's all eight characters off somewhere (check the eight 0s at the end of the sha256 hash). Cute bug :D! @pere, if you give me a hint on where the Packages index is generated, I'd look at it. -nik -- PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296 Dominik George · Mobil: +49-1520-1981389 Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V. Fellowship of the FSFE · Piratenpartei Deutschland Opencaching Deutschland e.V. · Debian Contributor LPIC-3 Linux Enterprise Professional (Security)
Attachment:
signature.asc
Description: This is a digitally signed message part.