Bug#860260: snapshot.debian.org: corrupted binary package: binutils_2.22-8_amd64.deb
Package: snapshot.debian.org
Severity: important
Hello,
When I download
http://snapshot.debian.org/archive/debian/20130223T095106Z/pool/main/b/binutils/binutils_2.22-8_amd64.deb
from
http://snapshot.debian.org/package/binutils/2.22-8/#binutils_2.22-8
I get:
$ ls -l binutils_2.22-8_amd64.deb
-rw-r--r-- 1 jm jm 4799776 Feb 23 2013 binutils_2.22-8_amd64.deb
$ md5sum binutils_2.22-8_amd64.deb
11ff1f1d331c608aebb6d2585d601522 binutils_2.22-8_amd64.deb
whereas both the snapshot.d.o page and https://tracker.debian.org/news/432162
show that the md5sum must be
3d1fb7c57aa32ef5a122cb832a9f83de7e3b2a71
The size of the file is correct.
BTW, the severity of #740096 ("please enable HTTPS") should be raised.
I also don't agree with the answer on #820423:
> snapshot.d.o provides read-only snapshots of the archive, it does not
> modify any files.
All this shows that some authentication mechanism is important, for 2 reasons:
1. unintentional data corruption, which is probably the case for the above file
(bit flip by hardware?)
2. MITM; the way to protect against this when downloading a binary package is to
check the hashes on the related news on https://tracker.debian.org/,
which I always do and it's very annoying.
Regards,
Julien
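The manual check Julien describes (compare a downloaded .deb against the hash published on tracker.debian.org), as an added shell example that is not part of the bug report or of snapshot.d.o's code. The function name verify_digest is mine; it assumes GNU coreutils md5sum/sha1sum/sha256sum are installed and picks the tool from the length of the expected hex string, so a 40-character value such as the one quoted above is compared with sha1sum rather than md5sum.

```shell
#!/bin/sh
# verify_digest FILE EXPECTED_HEX
# Chooses the digest tool from the length of EXPECTED_HEX
# (32 hex chars = MD5, 40 = SHA-1, 64 = SHA-256), compares
# case-insensitively and returns 0 on match, 1 on mismatch,
# 2 if the expected value has an unrecognised length.
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised digest length ${#expected} for $file" >&2
            return 2 ;;
    esac
    actual=$("$tool" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $file"
        return 0
    fi
    # A mismatch means corruption in transit/storage or a tampered file;
    # the size being right (as in the report above) is not a substitute.
    echo "MISMATCH ($tool): $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the file from the report (hash copied from the tracker page):
#   verify_digest binutils_2.22-8_amd64.deb <hash from tracker.debian.org>
```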