
Bug#762889: apt-get should ignore cached data in case of invalid signature or hash mismatch



> We verify the data before moving it to the final directory. If it is
> there, it is either valid, or we have no key for it, or it is unsigned
> (the latter two will disappear / be disabled at some point I think).
> 
> We had some issues where that validation succeeded where it should not
> (for example, on proxies returning a 200 OK HTML page for every
> request, because the parser would not have any signatures to check
> then). They should be fixed now in newer releases I think.
> 
> If you have a concrete issue, it would be great if you let us know,
> but this bug is too generic. And re-verification is too expensive to
> do anyway.

The problem is that it is possible that cached data prevents `apt-get update` from working, even if currently all data on the server is valid. Another problem is that to make apt-get work again, it is necessary to manually clean /var/lib/apt/lists/partial. Also, some ISPs hijack all HTTP requests with a 200 OK HTML page if you, for example, don't pay in time. After Internet access is restored, it is expected that running `apt-get update` would update package lists despite invalid data being returned previously, but this is not true.
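An added example, not part of the original message or of apt itself: a read-only check that lists files under the partial lists directory whose content looks like an HTML page rather than an index file, which is the leftover the message describes after a hijacked HTTP response. The function names and the HTML heuristic are assumptions made for this illustration; the default path is the one named in the message.

```shell
#!/bin/sh
# Added example (not apt code): find cached list files that are really HTML.
# looks_like_html and find_html_in_partial are hypothetical helper names.

looks_like_html() {
    # Take the first 512 bytes, drop NULs, lowercase, and test whether the
    # first non-blank line starts with an HTML doctype or opening tag.
    LC_ALL=C head -c 512 "$1" 2>/dev/null \
        | LC_ALL=C tr -d '\000' \
        | LC_ALL=C tr 'A-Z' 'a-z' \
        | LC_ALL=C sed -n '/[^[:space:]]/{s/^[[:space:]]*//;p;q;}' \
        | LC_ALL=C grep -Eq '^(<!doctype html|<html|<head)'
}

find_html_in_partial() {
    # Prints one path per suspicious file.
    # Returns 0 if at least one was found, 1 if none, 2 if the directory is missing.
    dir=${1:-/var/lib/apt/lists/partial}
    [ -d "$dir" ] || return 2
    rc=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue      # skips the unexpanded glob in an empty dir
        if looks_like_html "$f"; then
            printf '%s\n' "$f"
            rc=0
        fi
    done
    return "$rc"
}

# Usage: find_html_in_partial            # checks /var/lib/apt/lists/partial
#        find_html_in_partial /some/dir  # checks another directory
```

The check only reports; files it lists can then be reviewed before the directory is cleaned by hand as the message describes.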

