
Bug#636314: apt: Packages.bz2 checksum mismatch not detected
On Tue, Aug 02, 2011 at 04:14:18AM -0400, Hamish Moffatt wrote:
> Package: apt
> Version: 0.8.10.3+squeeze1
> Severity: important

Thanks for your bug report.

> I have a test repository containing a Packages.bz2 file with different
> checksums than what is listed in the signed Release file. However,
> 'apt-get update' does not report any error and shows the resulting
> packages in the output of 'apt-cache policy'.
> 
> This occurs when accessing the repository with http. I think I have seen
> errors reported when using file:/ urls (and uncompressed Packages) files
> but I am not certain now.
> 
> I've attached a test repository; it's not signed, but I've tried with
> signed repositories too. eg rsync dists/squeeze from a Debian mirror
> then mess with main/binary-i386/Packages.bz2

I can verify this for unsigned Release files, there is indeed no
hashsum verification in this case. I added a testcase and a fix to the
debian-sid branch. But I was not able to verify this for signed
Release files, I get correct errors in this case on apt-get update on
mismatches (I added a test for this as well to the testsuite to be
sure).

Thanks,
 Michael
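For readers following the thread, here is the check the report is about, as an added illustration that is not apt's own code: an index file such as main/binary-i386/Packages.bz2 must match the digest and size recorded in the SHA256 section of the Release file, and a mismatch must be treated as a failure. The repository contents (the Packages stanza, the Release text, the tampered index) are constructed for the example.

```python
"""Verify a repository index file against the hash section of a Release file.
Added example, not apt's code; the sample repository below is constructed."""
import bz2
import hashlib
import re

# Lines inside a hash section of a Release file: "<hexdigest> <size> <path>".
_ENTRY_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\d+)\s+(\S+)\s*$")


def parse_release_hashes(release_text, field="SHA256"):
    """Return {path: (hexdigest, size)} for one hash section of a Release file.

    A line that does not start with whitespace begins a new field; the
    indented lines that follow "SHA256:" (or "SHA1:") are that field's entries.
    """
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_section = line.split(":", 1)[0] == field
            continue
        m = _ENTRY_RE.match(line)
        if in_section and m:
            entries[m.group(3)] = (m.group(1).lower(), int(m.group(2)))
    return entries


def verify_index(release_text, path, data, field="SHA256"):
    """Check the bytes of an index file against its Release entry.

    Returns (ok, reason). A missing entry, a size mismatch and a digest
    mismatch are all failures: none of them may be silently accepted.
    """
    entry = parse_release_hashes(release_text, field).get(path)
    if entry is None:
        return False, "no %s entry for %s in Release" % (field, path)
    digest, size = entry
    if len(data) != size:
        return False, "size mismatch for %s" % path
    if hashlib.new(field.lower(), data).hexdigest() != digest:
        return False, "%s mismatch for %s" % (field, path)
    return True, "ok"


# Constructed repository: a one-stanza Packages index, bzip2-compressed.
INDEX_PATH = "main/binary-i386/Packages.bz2"
GOOD_INDEX = bz2.compress(b"Package: hello\nVersion: 2.6-1\nArchitecture: i386\n")
# Release text as a mirror would serve it; its SHA256 entry describes GOOD_INDEX.
RELEASE = "Suite: squeeze\nSHA256:\n %s %d %s\n" % (
    hashlib.sha256(GOOD_INDEX).hexdigest(), len(GOOD_INDEX), INDEX_PATH)
# The same index with altered contents, i.e. what the bug report's test repository served.
TAMPERED_INDEX = bz2.compress(b"Package: hello\nVersion: 2.6-2\nArchitecture: i386\nX: y\n")
```

Running `verify_index(RELEASE, INDEX_PATH, TAMPERED_INDEX)` returns a failure, which is the error the reporter expected `apt-get update` to print.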
