Your message dated Fri, 14 Aug 2015 11:15:58 +0200
with message-id <20150814091557.GA21339@crossbow>
and subject line Re: apt doesn't check/verify file sizes in Release file
has caused the Debian Bug report #681193,
regarding apt doesn't check/verify file sizes in Release file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
681193: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681193
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt doesn't check/verify file sizes in Release file
- From: Michael Prokop <mika@debian.org>
- Date: Wed, 11 Jul 2012 11:34:36 +0200
- Message-id: <2012-07-11T11-24-16@devnull.michael-prokop.at>
- Message-id: <20120711093436.19583.51480.reportbug@grmlvrs>
Package: apt
Version: 0.9.7.1
Severity: normal

I stumbled upon this with a mirror which has a broken Release file:

| % wget http://packages.dotdeb.org/dists/squeeze/Release &>/dev/null
| % wget http://packages.dotdeb.org/dists/squeeze/all/binary-amd64/Packages.bz2 &>/dev/null
| % sha1sum Packages.bz2
| dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b  Packages.bz2
| % grep dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b Release
|  dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b 20 all/binary-amd64/Packages.bz2
| % ls -l Packages.bz2
| -rw-r--r-- 1 mika mika 18189 Jul 10 09:48 Packages.bz2

So it's 20 vs. 18189 file size.

For example reprepro refuses to mirror from such a repo unless you're
using "IgnoreRelease: yes" in its configuration.

But when using the following sources.list entry:

  deb http://packages.dotdeb.org/ squeeze all

then apt on the other side will use such a repo just fine.

apt seems to verify just the checksum. It might be worth
informing/warning the user if the file size doesn't match in such a
situation.

regards,
-mika-
--- End Message ---
--- Begin Message ---
- To: 681193-done@bugs.debian.org
- Subject: Re: apt doesn't check/verify file sizes in Release file
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Fri, 14 Aug 2015 11:15:58 +0200
- Message-id: <20150814091557.GA21339@crossbow>
- In-reply-to: <20120711093436.19583.51480.reportbug@grmlvrs>
- References: <20120711093436.19583.51480.reportbug@grmlvrs>
Version: 1.1~exp8

On Wed, Jul 11, 2012 at 11:34:36AM +0200, Michael Prokop wrote:
> apt seems to verify just the checksum. It might be worth
> informing/warning the user if the file size doesn't match in such a
> situation.

I am relatively sure this was checked at least for some files in various
versions, but because I got annoyed by checking it explicitly all the
time while we worked on the acquiresystem rewrite (because it was so
easy to forget to do it) I made the FileSize a (very weak) checksum.

See git 23397c9d7d4d455461176600bb45c81185493504 for details.

Hence closing as done.

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature
--- End Message ---
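The check the report asks for and the reply describes (treating the size column of a Release file as one more, very weak, checksum next to the hash) can be shown on a small parser and verifier. The following is an added example written for this page; it is not apt's code and is not taken from either message. The Release fragment, the stand-in Packages.bz2 bytes and the helper names (parse_release, verify_file, sample_release) are constructed here; the size of 20 is chosen to reproduce the shape of the broken mirror in the report, where the SHA1 matches but the listed size does not.

```python
"""Verify a downloaded APT index against its Release file entry, checking the
file size as well as the hashes.

Added example for the bug report above, not apt's own code (apt's acquire
system is C++); all sample data below is constructed.
"""
import hashlib

# Release file hash sections mapped to hashlib names.  A Release file may carry
# any subset of these; each indented entry below a section header reads
# "<hexdigest> <size> <path>".
HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_release(text):
    """Parse the per-file entries of a Release file.

    Returns {path: {"size": int, "md5": hex, "sha256": hex, ...}}.  Non-hash
    fields (Origin, Suite, ...) are skipped.  The size must agree across all
    hash sections, otherwise the Release file itself is malformed.
    """
    entries = {}
    section = None  # hashlib name of the hash section we are inside, if any
    for line in text.splitlines():
        if not line.startswith(" "):
            field, _, value = line.partition(":")
            # Hash section headers have an empty value and are followed by
            # indented entry lines; any other header ends the current section.
            section = HASH_SECTIONS.get(field) if value.strip() == "" else None
            continue
        if section is None:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed Release entry: %r" % line)
        digest, size, path = parts
        entry = entries.setdefault(path, {})
        if entry.setdefault("size", int(size)) != int(size):
            raise ValueError("inconsistent sizes for %s in Release" % path)
        entry[section] = digest.lower()
    return entries


def verify_file(entries, path, data, check_size=True):
    """Check downloaded bytes against their Release entry.

    Returns (ok, reasons).  With check_size=True the size is treated as one
    more (very weak) checksum, so a size mismatch fails verification even when
    every hash matches.  check_size=False reproduces the behaviour the bug
    report describes: a correct hash alone is accepted.
    """
    entry = entries.get(path)
    if entry is None:
        return False, ["%s is not listed in the Release file" % path]
    reasons = []
    hashes = [algo for algo in HASH_SECTIONS.values() if algo in entry]
    if not hashes:
        reasons.append("no hash listed for %s" % path)
    for algo in hashes:
        actual = hashlib.new(algo, data).hexdigest()
        if actual != entry[algo]:
            reasons.append("%s mismatch: Release has %s, file has %s"
                           % (algo, entry[algo], actual))
    if check_size and len(data) != entry["size"]:
        reasons.append("size mismatch: Release has %d, file has %d bytes"
                       % (entry["size"], len(data)))
    return not reasons, reasons


# Constructed sample data (not the real dotdeb mirror): a 30-byte stand-in for
# Packages.bz2 and a Release fragment listing its correct digests but whatever
# size the caller asks for, so listing 20 reproduces the broken mirror's shape.
PACKAGES_PATH = "all/binary-amd64/Packages.bz2"
PACKAGES_DATA = b"Package: example\nVersion: 1.0\n"


def sample_release(listed_size):
    """Build a Release fragment for PACKAGES_DATA with the given size column."""
    md5 = hashlib.md5(PACKAGES_DATA).hexdigest()
    sha256 = hashlib.sha256(PACKAGES_DATA).hexdigest()
    return (
        "Origin: example\n"
        "Suite: squeeze\n"
        "Architectures: amd64\n"
        "MD5Sum:\n"
        " %s %d %s\n"
        "SHA256:\n"
        " %s %d %s\n"
        % (md5, listed_size, PACKAGES_PATH, sha256, listed_size, PACKAGES_PATH)
    )


if __name__ == "__main__":
    broken = parse_release(sample_release(20))
    # Hash-only check accepts the broken mirror; with the size check it fails.
    print(verify_file(broken, PACKAGES_PATH, PACKAGES_DATA, check_size=False))
    print(verify_file(broken, PACKAGES_PATH, PACKAGES_DATA))
    print(verify_file(parse_release(sample_release(30)), PACKAGES_PATH, PACKAGES_DATA))
```

Run as a script it prints the three outcomes: the broken fragment passes a hash-only check, fails once the size is compared, and a fragment with the right size passes both. The size check is kept separate from the hash loop so that the reason list names exactly which field disagreed, which is the warning the report asked apt to show.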