Bug#636314: apt: Packages.bz2 checksum mismatch not detected
On Fri, Aug 05, 2011 at 07:23:15AM -0400, Hamish Moffatt wrote:
> On Fri, Aug 05, 2011 at 12:32:17PM +0200, Michael Vogt wrote:
> > On Tue, Aug 02, 2011 at 04:14:18AM -0400, Hamish Moffatt wrote:
> > > Package: apt
> > > Version: 0.8.10.3+squeeze1
> > > Severity: important
> > 
> > Thanks for your bug report.
> >  
> > > I have a test repository containing a Packages.bz2 file with different
> > > checksums than what is listed in the signed Release file. However,
> > > 'apt-get update' does not report any error and shows the resulting
> > > packages in the output of 'apt-cache policy'.
> > > 
> > > This occurs when accessing the repository with http. I think I have seen
> > > errors reported when using file:/ urls (and uncompressed Packages) files
> > > but I am not certain now.
> > > 
> > > I've attached a test repository; it's not signed, but I've tried with
> > > signed repositories too. eg rsync dists/squeeze from a Debian mirror
> > > then mess with main/binary-i386/Packages.bz2
> > 
> > I can verify this for unsigned Release files, there is indeed no
> > hashsum verification in this case. I added a testcase and a fix to the
> > debian-sid branch. But I was not able to verify this for signed
> > Release files, I get correct errors in this case on apt-get update on
> > mismatches (I added a test for this as well to the testsuite to be
> > sure).
> 
> Thanks. By the way I found this problem in lucid originally and verified
> on squeeze before reporting it there.
> 
> However I am seeing the problem with what I believe is a correctly
> signed repository. For example the repository inside the tar I attached
> to the original report. I think the key for it is on keyserver.ubuntu.com.
> 
> As a second dist, I copied down dists/ from a debian mirror, repacked a
> Packages.bz2 for main/binary-i386 to ensure the md5sum changed, then ran
> apt-get update against it. There was no error and apt-cache policy
> showed that apt considered the source valid.

That's to be expected. There is no reason for us to verify the compressed
version of the file, we only verify the uncompressed file, which still has
the correct checksum. As long as the uncompressed content is correct, the
source is correct.

There is no reason to verify compressed results, as the only thing we
need to know is whether the content is right, not whether it was
recompressed.
-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
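The behaviour described in this reply, as an added illustration (not apt's own code): a Release file lists hashes for both `Packages` and `Packages.bz2`, but the check that matters is the digest and size of the decompressed content. The sample index, the Release excerpt and the recompressed `.bz2` are all constructed here; `bz2` is used for compression with different block sizes so the compressed bytes differ while the content does not.

```python
import bz2
import hashlib

# Release file hash sections map to hashlib names (MD5Sum, SHA1, SHA256).
HASH_ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

# Constructed sample index standing in for main/binary-i386/Packages.
PACKAGES = b"Package: hello\nVersion: 2.7-1\nArchitecture: i386\n\n"
PATH = "main/binary-i386/Packages"

def parse_release_hashes(release_text, section="SHA256"):
    """Return {path: (hexdigest, size)} for one hash section of a Release file.
    Hash lines are indented by one space: ' <digest> <size> <path>'."""
    entries, current = {}, None
    for line in release_text.splitlines():
        if not line.startswith(" "):
            current = line[:-1] if line.endswith(":") else None
            continue
        if current == section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def verify_index(release_text, compressed, path=PATH, section="SHA256"):
    """apt's check: decompress, then compare digest and size of the content
    against the Release entry for the uncompressed path."""
    expected = parse_release_hashes(release_text, section).get(path)
    if expected is None:
        return False
    try:
        data = bz2.decompress(compressed)
    except (OSError, ValueError):  # corrupt or truncated archive
        return False
    digest = hashlib.new(HASH_ALGOS[section], data).hexdigest()
    return (digest, len(data)) == expected

def compressed_matches(release_text, compressed, path=PATH + ".bz2"):
    """The check the reporter expected: hash of the compressed file itself."""
    digest, size = parse_release_hashes(release_text)[path]
    return hashlib.sha256(compressed).hexdigest() == digest and len(compressed) == size

def make_release(packages, compressed, path=PATH):
    """Constructed Release excerpt listing the index and its .bz2 form."""
    lines = ["Suite: squeeze", "SHA256:"]
    for p, blob in ((path, packages), (path + ".bz2", compressed)):
        lines.append(" %s %d %s" % (hashlib.sha256(blob).hexdigest(), len(blob), p))
    return "\n".join(lines) + "\n"

# The mirror's .bz2 and a repacked copy: different block size byte in the
# stream header, so different compressed bytes, identical decompressed content.
ORIGINAL_BZ2 = bz2.compress(PACKAGES, compresslevel=9)
RECOMPRESSED_BZ2 = bz2.compress(PACKAGES, compresslevel=1)
RELEASE = make_release(PACKAGES, ORIGINAL_BZ2)
```

Running the repacked archive through `verify_index` succeeds while `compressed_matches` fails, which is exactly the case in the second test in this thread; an archive whose decompressed content differs from the Release entry fails `verify_index`.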
