[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#657561: apt-get chokes on bad files, needs manual intervention to fix the situation

On Fri, Jan 27, 2012 at 01:10:11AM +0100, Evgeni Golov wrote:
> Package: apt
> Version:
> Severity: important
> Heya,
> I am currently sitting on a kinda crappy line (hotel WiFi, who guess)
> and had some fun while trying to run my usual apt-get update tonight.
> The WiFi seems to run a Squid in a sort of transparent setup.
> Sort of because it forbids me access to dl.google.com and resolves
> ftp.de.debian.org to a wrong IP ( The funny thing
> about that machine is, it returns the same page to any request, no 404,
> no 502, no kitten.
> Now the page ends up served as 'Packages', 'InRelease', the signatures etc.
> Apt of course refuses to work, as it cannot check the signature.
> But the problem is that apt never clears the bad signature file.
> Every next run of apt-get will end up with a 
> W: GPG error: http://ftp.de.debian.org squeeze Release: The following signatures were invalid: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
> as the signature file is still borked and of course cannot be verified.
> Only the killing of the files in /var/lib/apt/lists/ brings apt back
> to life.
> This might have two outcomings for the user (as far I can think of,
> you could for sure come up with more):
> 1. unexperienced user, uses some apt frontend → no way to get updates
> 2. MITM a machine updating the files and you prolly stop it from fetching
>    updates via cron
> I hope there is some way to fix that.

That's interesting, as I assumed to have this fixed since my
commits last year in 0.8.15 (LP: #346386, Bug#627642).

Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Attachment: pgpOtrMtszQcq.pgp
Description: PGP signature

Reply to: