Package: apt Version: 0.8.10.3+squeeze1 Severity: important I have a test repository containing a Packages.bz2 file with different checksums than what is listed in the signed Release file. However, 'apt-get update' does not report any error and shows the resulting packages in the output of 'apt-cache policy'. This occurs when accessing the repository with http. I think I have seen errors reported when using file:/ urls (and uncompressed Packages) files but I am not certain now. I've attached a test repository; it's not signed, but I've tried with signed repositories too. eg rsync dists/squeeze from a Debian mirror then mess with main/binary-i386/Packages.bz2 -- Package-specific info: -- apt-config dump -- APT ""; APT::Architecture "i386"; APT::Build-Essential ""; APT::Build-Essential:: "build-essential"; APT::Install-Recommends "1"; APT::Install-Suggests "0"; APT::Acquire ""; APT::Acquire::Translation "environment"; APT::NeverAutoRemove ""; APT::NeverAutoRemove:: "^firmware-linux.*"; APT::NeverAutoRemove:: "^linux-firmware$"; APT::NeverAutoRemove:: "^linux-image.*"; APT::NeverAutoRemove:: "^kfreebsd-image.*"; APT::NeverAutoRemove:: "^linux-restricted-modules.*"; APT::NeverAutoRemove:: "^linux-ubuntu-modules-.*"; APT::Never-MarkAuto-Sections ""; APT::Never-MarkAuto-Sections:: "metapackages"; APT::Never-MarkAuto-Sections:: "restricted/metapackages"; APT::Never-MarkAuto-Sections:: "universe/metapackages"; APT::Never-MarkAuto-Sections:: "multiverse/metapackages"; APT::Never-MarkAuto-Sections:: "oldlibs"; APT::Never-MarkAuto-Sections:: "restricted/oldlibs"; APT::Never-MarkAuto-Sections:: "universe/oldlibs"; APT::Never-MarkAuto-Sections:: "multiverse/oldlibs"; Dir "/"; Dir::State "var/lib/apt/"; Dir::State::lists "lists/"; Dir::State::cdroms "cdroms.list"; Dir::State::mirrors "mirrors/"; Dir::State::extended_states "extended_states"; Dir::State::status "/var/lib/dpkg/status"; Dir::Cache "var/cache/apt/"; Dir::Cache::archives "archives/"; Dir::Cache::srcpkgcache "srcpkgcache.bin"; Dir::Cache::pkgcache "pkgcache.bin"; Dir::Etc "etc/apt/"; Dir::Etc::sourcelist "sources.list"; Dir::Etc::sourceparts "sources.list.d"; Dir::Etc::vendorlist "vendors.list"; Dir::Etc::vendorparts "vendors.list.d"; Dir::Etc::main "apt.conf"; Dir::Etc::netrc "auth.conf"; Dir::Etc::parts "apt.conf.d"; Dir::Etc::preferences "preferences"; Dir::Etc::preferencesparts "preferences.d"; Dir::Etc::trusted "trusted.gpg"; Dir::Etc::trustedparts "trusted.gpg.d"; Dir::Bin ""; Dir::Bin::methods "/usr/lib/apt/methods"; Dir::Bin::dpkg "/usr/bin/dpkg"; Dir::Media ""; Dir::Media::MountPath "/media/apt"; Dir::Log "var/log/apt"; Dir::Log::Terminal "term.log"; Dir::Log::History "history.log"; Dir::Ignore-Files-Silently ""; Dir::Ignore-Files-Silently:: "~$"; Dir::Ignore-Files-Silently:: "\.disabled$"; Dir::Ignore-Files-Silently:: "\.bak$"; Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$"; DPkg ""; DPkg::Pre-Install-Pkgs ""; DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true"; CommandLine ""; CommandLine::AsString "apt-config dump"; -- (no /etc/apt/preferences present) -- -- /etc/apt/sources.list -- #deb http://ftp.us.debian.org/debian/ etch main non-free contrib #deb http://http.us.debian.org/debian/ etch main non-free contrib #deb-src http://ftp.us.debian.org/debian/ etch main non-free contrib # #deb http://security.debian.org/ etch/updates main contrib non-free #deb http://volatile.debian.org/debian-volatile etch/volatile main deb http://ftp.us.debian.org/debian/ squeeze main non-free contrib deb-src http://ftp.us.debian.org/debian/ squeeze main non-free contrib deb http://ftp.us.debian.org/debian/ squeeze-updates main non-free contrib deb-src http://ftp.us.debian.org/debian/ squeeze-updates main non-free contrib deb http://security.debian.org/ squeeze/updates main contrib non-free #deb http://volatile.debian.org/debian-volatile squeeze/volatile main #deb http://www.backports.org/debian squeeze-backports main contrib non-free -- System Information: Debian Release: 6.0.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.39.1-linode34 (SMP w/4 CPU cores) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages apt depends on: ii debian-archive-keyring 2010.08.28 GnuPG archive keys of the Debian a ii gnupg 1.4.10-4 GNU privacy guard - a free PGP rep ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib ii libgcc1 1:4.4.5-8 GCC support library ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3 ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime apt recommends no packages. Versions of packages apt suggests: pn apt-doc <none> (no description available) ii aptitude 0.6.3-3.2 terminal-based package manager (te ii bzip2 1.0.5-6 high-quality block-sorting file co ii dpkg-dev 1.15.8.11 Debian package development tools ii lzma 4.43-14 Compression method of 7z format in ii python-apt 0.7.100.1+squeeze1 Python interface to libapt-pkg -- no debconf information
Attachment:
test-bz2-hash-error.tar
Description: Unix tar archive