Bug#860260: marked as done (snapshot.debian.org: corrupted binary package: binutils_2.22-8_amd64.deb)
Your message dated Fri, 14 Apr 2017 20:06:52 +0000
with message-id <20170414200652.GM23352@sarek.noreply.org>
and subject line Re: Bug#860260: snapshot.debian.org: corrupted binary package: binutils_2.22-8_amd64.deb
has caused the Debian Bug report #860260,
regarding snapshot.debian.org: corrupted binary package: binutils_2.22-8_amd64.deb
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
860260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860260
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: snapshot.debian.org
Severity: important
Hello,
When I download
http://snapshot.debian.org/archive/debian/20130223T095106Z/pool/main/b/binutils/binutils_2.22-8_amd64.deb
from
http://snapshot.debian.org/package/binutils/2.22-8/#binutils_2.22-8
I get:
$ ls -l binutils_2.22-8_amd64.deb
-rw-r--r-- 1 jm jm 4799776 Feb 23 2013 binutils_2.22-8_amd64.deb
$ md5sum binutils_2.22-8_amd64.deb
11ff1f1d331c608aebb6d2585d601522 binutils_2.22-8_amd64.deb
whereas both the snapshot.d.o page and https://tracker.debian.org/news/432162
show that the md5sum must be
3d1fb7c57aa32ef5a122cb832a9f83de7e3b2a71
The size of the file is correct.
BTW, the severity of #740096 ("please enable HTTPS") should be raised.
I also don't agree with the answer on #820423:
> snapshot.d.o provides read-only snapshots of the archive, it does not
> modify any files.
All this shows that some authentication mechanism is important, for 2 reasons:
1. unintentional data corruption, which is probably the case for the above file
(bitflip by hardware?)
2. MITM, and to protect against this when downloading a binary package is to
check the hashes on the related news on https://tracker.debian.org/,
which I always do and it's very annoying.
Regards,
Julien
--- End Message ---
--- Begin Message ---
On Thu, 13 Apr 2017, Julien Muchembled wrote:
> Package: snapshot.debian.org
> Severity: important
>
> Hello,
>
> When I download
> http://snapshot.debian.org/archive/debian/20130223T095106Z/pool/main/b/binutils/binutils_2.22-8_amd64.deb
>
> from
> http://snapshot.debian.org/package/binutils/2.22-8/#binutils_2.22-8
>
> I get:
> $ ls -l binutils_2.22-8_amd64.deb
> -rw-r--r-- 1 jm jm 4799776 Feb 23 2013 binutils_2.22-8_amd64.deb
> $ md5sum binutils_2.22-8_amd64.deb
> 11ff1f1d331c608aebb6d2585d601522 binutils_2.22-8_amd64.deb
>
> whereas both the snapshot.d.o page and https://tracker.debian.org/news/432162
> show that the md5sum must be
>
> 3d1fb7c57aa32ef5a122cb832a9f83de7e3b2a71
No it doesn't. It says that the sha1sum must be
3d1fb7c57aa32ef5a122cb832a9f83de7e3b2a71, and it is.
} weasel@orinoco:~$ sha1sum binutils_2.22-8_amd64.deb
} 3d1fb7c57aa32ef5a122cb832a9f83de7e3b2a71 binutils_2.22-8_amd64.deb
} weasel@orinoco:~$ md5sum binutils_2.22-8_amd64.deb
} 11ff1f1d331c608aebb6d2585d601522 binutils_2.22-8_amd64.deb
Cheers,
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
--- End Message ---
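
The mix-up resolved in this thread (a 40-character SHA-1 value compared against md5sum output), as an added example that is not part of either message: a small shell helper that picks the hash tool from the length of the published hex digest before comparing. The function names digest_algo and verify_digest and the sample file are constructed for illustration; md5sum, sha1sum and sha256sum from coreutils are assumed to be installed.

```shell
#!/bin/sh
# Added example: choose the hash tool from the length of the published hex
# digest, so a SHA-1 value is never compared against md5sum output.

# digest_algo HEX -> prints md5 | sha1 | sha256; returns 1 if unrecognised
digest_algo() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $hex in
        ''|*[!0-9a-f]*) return 1 ;;      # empty or not hexadecimal
    esac
    case ${#hex} in
        32) echo md5 ;;                  # 128 bits
        40) echo sha1 ;;                 # 160 bits
        64) echo sha256 ;;               # 256 bits
        *)  return 1 ;;
    esac
}

# verify_digest FILE HEX -> 0 match, 1 mismatch, 2 unusable input
verify_digest() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    algo=$(digest_algo "$2") || { echo "unrecognised digest: $2" >&2; return 2; }
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$("${algo}sum" < "$1" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK ($algo)"
    else
        echo "MISMATCH ($algo): got $got" >&2
        return 1
    fi
}

# Constructed sample: a small file standing in for the downloaded .deb.
sample=$(mktemp)
printf 'constructed sample payload\n' > "$sample"
published=$(sha1sum < "$sample" | cut -d' ' -f1)   # plays the published value
naive=$(md5sum < "$sample" | cut -d' ' -f1)        # what the report compared

# The comparison from the report: MD5 output against a SHA-1 value.
[ "$naive" = "$published" ] || echo "md5sum output differs from the published value"
# The helper sees 40 hex characters and runs sha1sum instead.
verify_digest "$sample" "$published"
# Real corruption is still reported (40 zeros as a wrong SHA-1).
verify_digest "$sample" 0000000000000000000000000000000000000000 || echo "corruption flagged"
rm -f "$sample"
```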