
Bug#681193: marked as done (apt doesn't check/verify file sizes in Release file)



Your message dated Fri, 14 Aug 2015 11:15:58 +0200
with message-id <20150814091557.GA21339@crossbow>
and subject line Re: apt doesn't check/verify file sizes in Release file
has caused the Debian Bug report #681193,
regarding apt doesn't check/verify file sizes in Release file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
681193: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681193
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.9.7.1
Severity: normal


I stumbled upon this with a mirror which has a broken Release file:

| % wget http://packages.dotdeb.org/dists/squeeze/Release &>/dev/null
| % wget http://packages.dotdeb.org/dists/squeeze/all/binary-amd64/Packages.bz2 &>/dev/null
| % sha1sum Packages.bz2
| dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b  Packages.bz2
| % grep dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b Release
|  dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b 20 all/binary-amd64/Packages.bz2
| % ls -l Packages.bz2
| -rw-r--r-- 1 mika mika 18189 Jul 10 09:48 Packages.bz2

So it's 20 vs. 18189 file size.

For example reprepro refuses to mirror from such a repo unless
you're using "IgnoreRelease: yes" in its configuration.

But when using the following sources.list entry:

  deb http://packages.dotdeb.org/ squeeze all

then apt on the other side will use such a repo just fine.

apt seems to verify just the checksum. It might be worth
informing/warning the user if the file size doesn't match in such a
situation.

regards,
-mika-



--- End Message ---
--- Begin Message ---
Version: 1.1~exp8

On Wed, Jul 11, 2012 at 11:34:36AM +0200, Michael Prokop wrote:
> apt seems to verify just the checksum. It might be worth
> informing/warning the user if the file size doesn't match in such a
> situation.

I am relatively sure this was checked at least for some files in various
versions, but because I got annoyed by checking it explicitly all the
time while we worked on the acquiresystem rewrite (because it was so
easy to forget to do it) I made the FileSize a (very weak) checksum.

See git 23397c9d7d4d455461176600bb45c81185493504 for details.

Hence closing as done.


Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature


--- End Message ---
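An added example, not apt's code and not part of this bug thread: it parses Release-style hash entries like the one quoted in the report (`<hash> <size> <path>` under a `SHA1:` / `SHA256:` header) and rejects an index whose size column disagrees with the downloaded bytes even when every hash matches, which is the check the fix makes mandatory by treating FileSize as a weak checksum. The Packages data and the Release fragment are constructed; the digest from the report is not reused.

```python
import hashlib
from typing import Dict, List, Tuple

PATH = "all/binary-amd64/Packages.bz2"
# Constructed stand-in for the index file; not the real dotdeb Packages.bz2.
PACKAGES_DATA = b"Package: example\nVersion: 1.0-1\nArchitecture: amd64\n\n" * 300

def make_release(data: bytes, size: int) -> str:
    """Constructed Release fragment: correct hashes for data, size column set to size."""
    return (
        "Origin: example\nSuite: squeeze\n"
        f"SHA1:\n {hashlib.sha1(data).hexdigest()} {size} {PATH}\n"
        f"SHA256:\n {hashlib.sha256(data).hexdigest()} {size} {PATH}\n"
    )

def parse_release(text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Return {section: {path: (hexdigest, size)}}; non-hash headers are skipped."""
    sections: Dict[str, Dict[str, Tuple[str, int]]] = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # "MD5Sum:", "SHA1:", "SHA256:" open an indented list of entries
            current = sections.setdefault(line[:-1], {}) if line.endswith(":") else None
        elif current is not None:
            digest, size, path = line.split()
            current[path] = (digest, int(size))
    return sections

ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def verify_index(release: Dict, path: str, data: bytes) -> List[str]:
    """Check every listed hash AND the recorded size; an empty list means all pass."""
    problems = []
    sizes = set()
    for section, algo in ALGOS.items():
        entry = release.get(section, {}).get(path)
        if entry is None:
            continue
        digest, size = entry
        sizes.add(size)
        if hashlib.new(algo, data).hexdigest() != digest:
            problems.append(f"{section} mismatch for {path}")
    # The size is checked even when the hashes agree, so a Release file
    # like the one in the report (20 vs. 18189 bytes) is rejected.
    if not sizes:
        problems.append(f"{path} not listed in Release")
    elif sizes != {len(data)}:
        problems.append(f"size mismatch for {path}: Release says {sorted(sizes)}, file is {len(data)} bytes")
    return problems
```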