Bug#681193: apt doesn't check/verify file sizes in Release file
Package: apt
Version: 0.9.7.1
Severity: normal
I stumbled upon this with a mirror which has a broken Release file:
| % wget http://packages.dotdeb.org/dists/squeeze/Release &>/dev/null
| % wget http://packages.dotdeb.org/dists/squeeze/all/binary-amd64/Packages.bz2 &>/dev/null
| % sha1sum Packages.bz2
| dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b Packages.bz2
| % grep dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b Release
| dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b 20 all/binary-amd64/Packages.bz2
| % ls -l Packages.bz2
| -rw-r--r-- 1 mika mika 18189 Jul 10 09:48 Packages.bz2
So it's 20 vs. 18189 file size.
For example reprepro refuses to mirror from such a repo unless
you're using "IgnoreRelease: yes" in its configuration.
But when using the following sources.list entry:
deb http://packages.dotdeb.org/ squeeze all
then apt on the other side will use such a repo just fine.
apt seems to verify just the checksum. It might be worth
informing/warning the user if the file size doesn't match in such a
situation.
regards,
-mika-
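The gap the report describes, a Release entry whose hash matches but whose size does not, can be checked by a client that compares both fields. The following is an added example (not apt's code and not part of the bug report) that parses the "<hash> <size> <path>" lines of a Release file and verifies a downloaded file against them; the Release text and the 18189-byte stand-in for Packages.bz2 are constructed to reproduce the mismatch shown above.

```python
import hashlib

# Map the checksum section headers of a Release file to hashlib names.
SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Parse the checksum sections into {path: {"size": int, <algo>: hexdigest}}.
    Entry lines have the shape "<hash> <size> <path>" and start with a space."""
    entries, algo = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            # a section header such as "SHA1:"; any other field ends the section
            algo = SECTIONS.get(line.rstrip(":"))
            continue
        parts = line.split()
        if algo is None or len(parts) != 3:
            continue
        digest, size, path = parts
        entry = entries.setdefault(path, {})
        entry["size"] = int(size)
        entry[algo] = digest
    return entries

def verify(entries, path, data, algo="sha1"):
    """Return the list of problems for a downloaded file: both the hash and the
    size are checked, so a matching hash with a wrong size is still reported."""
    expected = entries.get(path)
    if expected is None:
        return ["not listed in Release"]
    problems = []
    actual = hashlib.new(algo, data).hexdigest()
    if actual != expected.get(algo):
        problems.append(f"{algo} mismatch: {actual} != {expected.get(algo)}")
    if len(data) != expected["size"]:
        problems.append(f"size mismatch: {len(data)} != {expected['size']}")
    return problems

# Constructed sample: 18189 bytes stand in for Packages.bz2, and the Release
# entry lists the correct SHA1 but the wrong size (20), like the mirror in the report.
PACKAGES_BZ2 = b"x" * 18189
PACKAGES_PATH = "all/binary-amd64/Packages.bz2"
SAMPLE_RELEASE = (
    "Suite: squeeze\nSHA1:\n "
    + f"{hashlib.sha1(PACKAGES_BZ2).hexdigest()} 20 {PACKAGES_PATH}\n"
)

if __name__ == "__main__":
    for problem in verify(parse_release(SAMPLE_RELEASE), PACKAGES_PATH, PACKAGES_BZ2):
        print(f"{PACKAGES_PATH}: {problem}")
```

Run stand-alone it reports only the size mismatch for the constructed sample, which is exactly the case the report says apt accepts silently.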