
Bug#860260: snapshot.debian.org: corrupted binary package: binutils_2.22-8_amd64.deb



Package: snapshot.debian.org
Severity: important

Hello,

When I download
  http://snapshot.debian.org/archive/debian/20130223T095106Z/pool/main/b/binutils/binutils_2.22-8_amd64.deb

from
  http://snapshot.debian.org/package/binutils/2.22-8/#binutils_2.22-8

I get:
  $ ls -l binutils_2.22-8_amd64.deb 
  -rw-r--r-- 1 jm jm 4799776 Feb 23  2013 binutils_2.22-8_amd64.deb
  $ md5sum binutils_2.22-8_amd64.deb
  11ff1f1d331c608aebb6d2585d601522  binutils_2.22-8_amd64.deb

whereas both the snapshot.d.o page and https://tracker.debian.org/news/432162
show that the md5sum must be

  3d1fb7c57aa32ef5a122cb832a9f83de7e3b2a71

The size of the file is correct.

BTW, the severity of #740096 ("please enable HTTPS") should be raised.
I also don't agree with the answer on #820423:

> snapshot.d.o provides read-only snapshots of the archive, it does not
> modify any files.

All this shows that some authentication mechanism is important, for 2 reasons:

1. unintentional data corruption, which is probably the case for the above file
   (bitflip by hardware?)

2. MITM; the way to protect against this when downloading a binary package is
   to check the hashes in the related news on https://tracker.debian.org/,
   which I always do, and it's very annoying.

Regards,
Julien
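
The manual check described in the message (compare a downloaded package against a digest published elsewhere) can be scripted; the following is an added example, not part of the original report or of any Debian tool. It assumes the published digest was obtained over an authenticated channel, picks the hash algorithm from the length of the hex digest (32 for MD5, 40 for SHA-1, 64 for SHA-256), and separates the "size is correct but content differs" case from a size mismatch. The function names and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Length of a hex digest -> hashlib algorithm that produces it.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def verify_download(path, published_hex, expected_size=None):
    """Compare a file with a published digest; return (status, algo, actual_hex)."""
    published = published_hex.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(published))
    if algo is None or not set(published) <= HEX:
        return ("unusable-digest", None, None)
    h = hashlib.new(algo)
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
            size += len(block)
    actual = h.hexdigest()
    if expected_size is not None and size != expected_size:
        return ("size-mismatch", algo, actual)
    if not hmac.compare_digest(actual, published):
        # Right size, wrong bytes: silent corruption or tampering in transit.
        return ("content-mismatch", algo, actual)
    return ("ok", algo, actual)


def demo():
    """Constructed sample: a payload and a copy of it with one flipped bit."""
    good = bytes(range(256)) * 64               # constructed stand-in for a .deb
    bad = bytearray(good)
    bad[1000] ^= 0x01                           # single bit flip, size unchanged
    published = hashlib.sha1(good).hexdigest()  # stands in for the published value
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good", good), ("bad", bytes(bad))):
            p = os.path.join(d, name + ".deb")
            with open(p, "wb") as f:
                f.write(data)
            results[name] = verify_download(p, published, len(good))[:2]
        results["short"] = verify_download(p, published, len(good) + 1)[:2]
        results["garbage"] = verify_download(p, "not-a-digest")[:2]
    return results


if __name__ == "__main__":
    print(demo())
```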

