Bug#376817: confirmation

To: Mark Robinson <mark@zl2tod.net>
Cc: 376817@bugs.debian.org
Subject: Bug#376817: confirmation
From: Matt Zimmerman <mdz@debian.org>
Date: Thu, 10 Aug 2006 16:18:44 -0700
Message-id: <[🔎] 20060810231844.GM26957@alcor.net>
Reply-to: Matt Zimmerman <mdz@debian.org>, 376817@bugs.debian.org
In-reply-to: <[🔎] 44DBBA0C.2000801@zl2tod.net>
References: <[🔎] 44D7375E.1020802@zl2tod.net> <[🔎] 20060810222132.GF26957@alcor.net> <[🔎] 44DBBA0C.2000801@zl2tod.net>

On Fri, Aug 11, 2006 at 10:58:20AM +1200, Mark Robinson wrote:
> Matt Zimmerman wrote:
> >On Tue, Aug 08, 2006 at 12:51:42AM +1200, Mark Robinson wrote:
> >>I have several times seen it flag MD5SUM errors where the expected MD5SUM 
> >>and that computed are identical.
> >
> >I would be interested to see verbatim copies of such errors.
> 
> >>Computed MD5: 79d0311df375b8fe66ba0a97c5b1b069  Expected MD5: 
> >>79d0311df375b8fe66ba0a97c5b1b069

These don't match.

> >>http://http.us.debian.org/debian/dists/sid/main/source/Sources: Computed 
> >>MD5: e1168cf5f79a1cc839001f8f1d0eb556  Expected MD5: 
> >>c5c77469275f8e6211fcaa215edab58b

Neither do these.

> >Not exactly; the situation is such that apt needs a consistent view of the
> >archive in order to authenticate it (several different files must match),
> >and intermediate caches don't always provide this consistency.
> 
> When it's checking an MD5SUM it's looking at one file, when it's checking 
> the gpg key it's looking at one file.

That's correct, but irrelevant.  The way the system works is that the
Release file (which is authenticated by a detached signature in Release.gpg)
contains md5sums for the Packages files, which are retrieved separately.  If
the Release file is an older cached version than the Packages files, or vice
versa, there will be a mismatch and authentication will fail.

> I've noticed that the packages are uploaded to the servers after the index 
> files. This means that you can get the index and then have to wait an hour 
> say until the packages all turn up. Would this situation not be improved by 
> the index files being uploaded, or made available, last ?

Official mirrors do this correctly, and mirror the indexes last, for this
reason.

> Can we force the Get to blitz caches ?

Yes, there's an apt configuration option for it, but a) there seems to still
be trouble sometimes even with this option, and b) the packages files are
large and we *want* them to be cached, but only if they're verified against
the server so that they're guaranteed up-to-date.  That's what the
cache-control settings used by default should do according to the standard.

-- 
 - mdz

Reply to:

References:
- Bug#376817: confirmation
  - From: Mark Robinson <mark@zl2tod.net>
- Bug#376817: confirmation
  - From: Matt Zimmerman <mdz@debian.org>
- Bug#376817: confirmation
  - From: Mark Robinson <mark@zl2tod.net>

Prev by Date: Bug#376817: confirmation
Next by Date: Bug#376817: confirmation
Previous by thread: Bug#376817: confirmation
Next by thread: Bug#376817: confirmation
Index(es):
- Date
- Thread