
Bug#639964: apt: 639964: SPACEflight sources.list no longer accepted by apt



On Thu, Sep 1, 2011 at 17:57, Paul Wise <pabs@debian.org> wrote:
> W: Failed to fetch http://serviceplatform.org/packages/./Release  Unable to find expected entry 'Sources' in Release file (Wrong sources.list entry or malformed file)
> E: Some index files failed to download. They have been ignored, or old ones used instead.

Besides that repositories really should provide checksums and
signatures for security reasons[0], this behavior is a regression from
a recent commit (2156) enabling checksum checking even if the Release
file isn't signed. This doesn't add any points to the security score,
as someone who can manipulate the Packages files can also
manipulate the Release file, but that the attacker needs to do it
at least increases the complexity of an attack a bit…

So, with this background it's fair to partly revert the commit by
trying to check the checksums but ignoring them if they are not provided
(but still failing if they are not correct).
I did that a while ago already in my branch, so it's most likely fixed in
the next upload, but given that everyone seems to be pretty busy lately
(or the contrary: is on holiday) it might take a while to hit sid.


Users should take that as an open invitation to bug repository admins
to "fix" their repositories. Most of these seem to be created by complicated
hand-made scripts and could be replaced by a shorter and better-working
'apt-ftparchive generate' (at least that was the case for a fellow student).
Feel free to ask on deity@l.d.o or in #debian-apt for help (but prepare for
non-immediate response) - or refer to one of the debian-user lists if you
can't work out how to set it up from the manpages/examples.


Best regards

David Kalnischkies

[0] It's kind of pointless to get excited about a kernel.org break-in
if every user of repository X is forced to trust that not a single system
on the way between his computer and the repository is compromised.
See man-in-the-middle attacks for a start on this topic.
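The policy discussed in the mail (check the checksums listed in Release, skip indexes that are not listed, fail on any that are listed but wrong) as an added example in Python; this is not David's branch or apt's own code, and the Release file, the index contents and the "strict"/"lenient" policy names are constructed here for illustration:

```python
import hashlib
import hmac

# Constructed sample index files (not from the bug report).
PACKAGES = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
SOURCES = b"Package: example\nVersion: 1.0\nFormat: 3.0 (quilt)\n"


def _entry(name, data):
    """One line of a Release checksum section: ' <hash> <size> <path>'."""
    return f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}"


# Constructed Release file: like the one in the report it lists the
# Packages index but has no 'Sources' entry at all.
RELEASE = "\n".join([
    "Origin: Example",
    "Suite: stable",
    "Components: main",
    "Architectures: amd64",
    "SHA256:",
    _entry("main/binary-amd64/Packages", PACKAGES),
    "",
])


def parse_release(text):
    """Return {path: (sha256 hex, size)} from the SHA256 section of a Release file.

    Field lines start at column 0 ('SHA256:'); the entries belonging to a
    checksum field are the following lines indented by one space.
    """
    entries = {}
    section = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # A bare 'Name:' line opens a multi-line field; anything else ends it.
            section = line[:-1] if line.endswith(":") and " " not in line else None
            continue
        if section == "SHA256":
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries


def verify_index(entries, name, data):
    """Classify a downloaded index against the Release entries.

    Returns "ok", "missing" (not listed in Release) or "mismatch"
    (listed, but size or checksum differs).
    """
    if name not in entries:
        return "missing"
    digest, size = entries[name]
    if len(data) != size:
        return "mismatch"
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
        return "mismatch"
    return "ok"


def accept(status, policy):
    """Decide whether an index may be used.

    policy="strict" models commit 2156: every expected index must be listed,
    so "missing" is fatal (the regression in the report).
    policy="lenient" models the partial revert: a missing entry is skipped,
    but a listed entry that does not match is still fatal under both policies.
    """
    if status == "ok":
        return True
    if status == "missing":
        return policy == "lenient"
    return False


if __name__ == "__main__":
    entries = parse_release(RELEASE)
    for name, data in [("main/binary-amd64/Packages", PACKAGES),
                       ("main/source/Sources", SOURCES),
                       ("main/binary-amd64/Packages", PACKAGES + b"tampered\n")]:
        status = verify_index(entries, name, data)
        print(f"{name}: {status}; strict={accept(status, 'strict')} "
              f"lenient={accept(status, 'lenient')}")
```

As the footnote points out, none of this stops an on-path attacker who rewrites Packages and Release together when Release is unsigned; the checksum check only raises the cost of tampering with a single index, and a signature over Release is what actually binds the checksums to the repository operator.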


