On Fri, Jan 27, 2012 at 01:10:11AM +0100, Evgeni Golov wrote:
> Package: apt
> Version: 0.8.15.9
> Severity: important
>
> Heya,
>
> I am currently sitting on a kinda crappy line (hotel WiFi, who guess)
> and had some fun while trying to run my usual apt-get update tonight.
>
> The WiFi seems to run a Squid in a sort of transparent setup.
> Sort of because it forbids me access to dl.google.com and resolves
> ftp.de.debian.org to a wrong IP (18.104.22.168). The funny thing
> about that machine is, it returns the same page to any request, no 404,
> no 502, no kitten.
>
> Now the page ends up served as 'Packages', 'InRelease', the signatures etc.
> Apt of course refuses to work, as it cannot check the signature.
> But the problem is that apt never clears the bad signature file.
> Every next run of apt-get will end up with a
> W: GPG error: http://ftp.de.debian.org squeeze Release: The following signatures were invalid: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <firstname.lastname@example.org>
> as the signature file is still borked and of course cannot be verified.
>
> Only the killing of the files in /var/lib/apt/lists/ brings apt back
> to life.
> This might have two outcomes for the user (as far as I can think of,
> you could for sure come up with more):
> 1. inexperienced user, uses some apt frontend → no way to get updates
> 2. MITM a machine updating the files and you prolly stop it from fetching
>    updates via cron
>
> I hope there is some way to fix that.
>

That's interesting, as I assumed to have this fixed since my commits
last year in 0.8.15 (LP: #346386, Bug#627642).

-- 
Julian Andres Klode - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
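
A check for the failure mode reported above, as an added example that is not part of the original thread or of apt: it flags files in apt's lists directory whose content does not start the way an InRelease, Release.gpg or Release file should, which is what a portal page saved under those names looks like. The function names and sample file names are assumptions; this is a heuristic for the portal case only and does not verify any signature.

```shell
#!/bin/sh
# Added example: flag apt list files whose content does not match their name.

# Print "ok" if the file starts the way its name implies, else "bad".
check_list_file() {
    f=$1
    # First non-blank line, with any CR removed.
    first=$(tr -d '\r' < "$f" | sed -n '/[^[:space:]]/{p;q;}')
    case "$f" in
        *_InRelease)   want='-----BEGIN PGP SIGNED MESSAGE-----' ;;
        *_Release.gpg) want='-----BEGIN PGP SIGNATURE-----' ;;
        *_Release)
            # A Release file is a plain control file with checksum sections.
            if grep -Eq '^(MD5Sum|SHA1|SHA256):' "$f"; then echo ok; else echo bad; fi
            return ;;
        *) echo ok; return ;;
    esac
    if [ "$first" = "$want" ]; then echo ok; else echo bad; fi
}

# Print every suspicious index/signature file under DIR (default: apt's lists).
scan_lists() {
    dir=${1:-/var/lib/apt/lists}
    for f in "$dir"/*_InRelease "$dir"/*_Release.gpg "$dir"/*_Release; do
        [ -f "$f" ] || continue
        [ "$(check_list_file "$f")" = ok ] || printf '%s\n' "$f"
    done
}

# Constructed sample: one portal-poisoned signature, one well-formed InRelease.
demo() {
    d=$(mktemp -d)
    printf '<html><body>Please log in</body></html>\n' \
        > "$d/mirror_dists_squeeze_Release.gpg"
    printf '%s\nOrigin: Debian\n' '-----BEGIN PGP SIGNED MESSAGE-----' \
        > "$d/mirror_dists_squeeze_InRelease"
    scan_lists "$d"
    rm -rf "$d"
}
demo
```

Run `scan_lists` with no argument to check /var/lib/apt/lists itself; anything it prints is a candidate for the manual cleanup the report describes.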