Bug#681193: apt doesn't check/verify file sizes in Release file
Package: apt
Version: 0.9.7.1
Severity: normal
I stumbled upon this with a mirror which has a broken Release file:

| % wget http://packages.dotdeb.org/dists/squeeze/Release &>/dev/null
| % wget http://packages.dotdeb.org/dists/squeeze/all/binary-amd64/Packages.bz2 &>/dev/null
| % sha1sum Packages.bz2
| dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b  Packages.bz2
| % grep dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b Release
|  dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b 20 all/binary-amd64/Packages.bz2
| % ls -l Packages.bz2
| -rw-r--r-- 1 mika mika 18189 Jul 10 09:48 Packages.bz2

So it's a file size of 20 vs. 18189.

For example reprepro refuses to mirror from such a repo unless
you're using "IgnoreRelease: yes" in its configuration.

But when using the following sources.list entry:

  deb http://packages.dotdeb.org/ squeeze all

then apt on the other side will use such a repo just fine.

apt seems to verify just the checksum. It might be worth
informing/warning the user if the file size doesn't match in such a
situation.

regards,
-mika-
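As an added illustration (not apt's own code, and not from the reporter), the following Python checker parses the checksum section of a Release file in the format quoted above and verifies a downloaded index against both the digest and the recorded size, refusing on either mismatch. The Release fragment and index bytes are constructed for the example, modelled on the quoted entry whose recorded size is 20 bytes.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for the downloaded index (not the real Packages.bz2).
SAMPLE_INDEX = b"Package: dummy\nVersion: 1.0\n" * 50          # 1400 bytes
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_INDEX).hexdigest()

# Constructed Release fragment in the layout quoted in the report: a checksum
# section header, then " <digest> <size> <path>" lines.  The first entry has
# the correct digest but the bogus size 20; the second entry is consistent.
RELEASE_TEXT = f"""Origin: example
Suite: squeeze
SHA1:
 {SAMPLE_SHA1} 20 all/binary-amd64/Packages.bz2
 {SAMPLE_SHA1} {len(SAMPLE_INDEX)} all/binary-i386/Packages.bz2
"""

# Release section names mapped to hashlib algorithm names.
ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(text: str) -> Dict[str, Dict[str, Tuple[int, str]]]:
    """Map each checksum section to {path: (size, digest)}."""
    sections: Dict[str, Dict[str, Tuple[int, str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            digest, size, path = line.split()
            sections[current][path] = (int(size), digest)
        elif line.endswith(":") and line[:-1] in ALGOS:
            current = line[:-1]
            sections[current] = {}
        else:
            current = None          # any other field ends the section
    return sections


def check_index(release: str, algo: str, path: str, data: bytes) -> str:
    """Return 'ok', 'hash-mismatch' or 'size-mismatch'.

    The report describes apt 0.9.7.1 acting on the digest alone; a strict
    verifier also compares the length and refuses the index on mismatch.
    """
    expected_size, expected_digest = parse_release(release)[algo][path]
    if hashlib.new(ALGOS[algo], data).hexdigest() != expected_digest:
        return "hash-mismatch"
    if len(data) != expected_size:
        return "size-mismatch"
    return "ok"


if __name__ == "__main__":
    for p in ("all/binary-amd64/Packages.bz2", "all/binary-i386/Packages.bz2"):
        print(p, check_index(RELEASE_TEXT, "SHA1", p, SAMPLE_INDEX))
```

Run as a script it reports `size-mismatch` for the amd64 entry and `ok` for the i386 one, which is the distinction the report asks apt to surface.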