Re: Processed: Re: Bug#319142: apt: attempts to install corrupted packages

[Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>]

Matt Zimmerman <mdz@debian.org> writes:

> On Thu, Jul 28, 2005 at 11:52:48PM +0200, Goswin von Brederlow wrote:
>> owner@bugs.debian.org (Debian Bug Tracking System) writes:
>> 
>> > Processing commands for control@bugs.debian.org:
>> >
>> >> severity 319142 wishlist
>> > Bug#319142: apt: attempts to install corrupted packages
>> > Severity set to `wishlist'.
>> 
>> Why wishlist? Isn't that serious or critical since it is a security problem?
>
> Packages in the cache are only modifiable by root, so no, it isn't.
>
>> > Bug#250305: apt-get: should validate md5sum of debs in it's cache before installing them
>> > Bug#319142: apt: attempts to install corrupted packages
>> > Merged 250305 319142.
>> 
>> (That doesn't sound like the same bug. I did run apt-get clean between
>> tests to avoid cached debs to confuse the testing. Sure about this?)
>
> I'm quite sure about this regarding network sources, yes.  file: and cdrom:
> are a different case, as Michael explained.
>
> -- 
>  - mdz

Hi,

sorry, didn't see Michaels mail since he didn't CC me and I didn't
subscribe to the bug.

>From his mail:

| The attached patch (also in
| michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-14) added md5sum
| checking for file and cdrom methods. Support in copy is not needed
| because it is only used internally by the other methods.

The copy method is also used externaly. It is needed for local source
mirrors to prevent apt using symlinks into the archive for "apt-get
source" and subsequent calls to "debuild" to overwrite the files in
the mirror those links point to.

Example:

deb file:///mnt/mirror/ivanova/debian-amd64 sarge main contrib
deb-src copy:///mnt/mirror/ivanova/debian-amd64 sarge main contrib

MfG
        Goswin