Package: debmirror
Version: 1:2.14~bpo60+1
Severity: normal

I wasn't able to determine from the debmirror(1) man page the extent to
which content is verified.  It states that the top level Release file is
verified by its PGP signature, but doesn't mention whether further
downloaded content is verified against this anchor.  Looking at the
dependencies on various hashing libraries, I'm guessing it does, but it
would be good to state this explicitly.

I'd also be interested in a brief description of what happens if a downloaded
file doesn't match.  I think users of this program would be interested to know
if it's possible for unverified content to end up in the target directory, or
whether the verification is done before putting the content in place.

I'd also be interested whether the condition of having downloaded content that
failed verification is detectable by debmirror's exit code.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages debmirror depends on:
ii  bzip2                  1.0.5-6+squeeze1  high-quality block-sorting file co
pn  libdigest-md5-perl     <none>            (no description available)
ii  liblockfile-simple-per 0.207-1           Simple advisory file locking
ii  libnet-inet6glue-perl  0.4-2             glue module to make perl modules I
ii  libwww-perl            5.836-1           Perl HTTP/WWW client/server librar
ii  perl [libdigest-sha-pe 5.10.1-17squeeze3 Larry Wall's Practical Extraction 
ii  perl-modules [libnet-p 5.10.1-17squeeze3 Core Perl modules
ii  rsync                  3.0.7-2           fast remote file copy program (lik

Versions of packages debmirror recommends:
ii  ed                            1.4-3      The classic UNIX line editor
ii  gpgv                          1.4.10-4   GNU privacy guard - signature veri
ii  patch                         2.6-2      Apply a diff file to an original

Versions of packages debmirror suggests:
ii  gnupg                         1.4.10-4   GNU privacy guard - a free PGP rep

-- no debconf information
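
The three properties the report asks about, as an added example that is not debmirror's code and does not describe how debmirror behaves: files are checked against the SHA256 section of the Release file, rejected files never reach the target directory, and any rejection gives a non-zero exit code. It assumes the Release text has already passed a signature check (for instance with gpgv); all function names and sample data are constructed for illustration.

```python
import hashlib, os, shutil, tempfile

def parse_release_sha256(release_text):
    """Map path -> (sha256 hex, size) from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the section
    return entries

def verify_and_place(staged, rel_path, entries, target_root):
    """Move a staged download into the mirror only if size and SHA256 match."""
    digest, size = entries.get(rel_path, (None, -1))  # unlisted path: always rejected
    with open(staged, "rb") as f:
        data = f.read()
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        os.remove(staged)  # rejected content never reaches the target
        return False
    dest = os.path.join(target_root, rel_path)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.move(staged, dest)
    return True

def mirror(staged_files, release_text, target_root):
    """Return 0 if every file verified, 1 if any was rejected (process exit code)."""
    entries = parse_release_sha256(release_text)
    results = [verify_and_place(path, rel, entries, target_root)
               for rel, path in staged_files.items()]
    return 0 if all(results) else 1

def demo():
    """Constructed sample: one intact index file, one altered after hashing."""
    work = tempfile.mkdtemp()
    files = [("main/a/Packages", b"Package: hello\n", b""),
             ("main/b/Packages", b"Package: world\n", b"x")]  # b"x" = tampering
    release = "Suite: stable\nSHA256:\n" + "".join(
        f" {hashlib.sha256(d).hexdigest()} {len(d)} {rel}\n" for rel, d, _ in files)
    staged = {}
    for i, (rel, d, tamper) in enumerate(files):
        staged[rel] = os.path.join(work, f"dl{i}")
        with open(staged[rel], "wb") as f:
            f.write(d + tamper)
    target = os.path.join(work, "mirror")
    code = mirror(staged, release, target)
    return code, [os.path.exists(os.path.join(target, rel)) for rel in staged]
```

A caller would pass the value returned by `mirror()` to `sys.exit()` so that a cron job or wrapper script can detect a failed verification.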

