On Sat, Mar 16, 2013 at 11:24:38AM +0100, David Kalnischkies wrote: > Hi Steven, Hi David and Steven, > could you please try again? > > This is very likely a temporary mirror hiccup while it is syncing. > > With disabling InRelease we get all the Release vs. Release.gpg mismatches > back, which look/are more critical than the (In)Release vs. Packages & Co. > mismatches. There are various ideas to make syncs more atomic, but none > is foolproof - and need "provider" support as APT is only a "consumer" here.
I can reproduce this here: """ $ sudo LANG=C debootstrap --verbose --arch=i386 sid sid-chroot ... $ sudo chroot sid-chroot root@bod:/# ls -l /var/lib/apt/lists/ total 30028 -rw-r--r-- 1 root root 236078 Mar 17 02:22 ftp.us.debian.org_debian_dists_sid_Release -rw-r--r-- 1 root root 30506862 Mar 17 02:02 ftp.us.debian.org_debian_dists_sid_main_binary-i386_Packages drwxr-xr-x 2 root root 4096 Mar 17 09:21 partial root@bod:/# apt-get update Get:1 http://ftp.us.debian.org sid Release.gpg [836 B] Hit http://ftp.us.debian.org sid Release Ign http://ftp.us.debian.org sid Release Get:2 http://ftp.us.debian.org sid/main i386 Packages/DiffIndex [7876 B] Get:3 http://ftp.us.debian.org sid/main Translation-en [4112 kB] Fetched 4120 kB in 9s (436 kB/s) Reading package lists... Done W: GPG error: http://ftp.us.debian.org sid Release: The following signatures were invalid: BADSIG AED4B06F473041FA Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmas...@debian.org> """ And indeed, there is something funny going on, looking at: # head /var/lib/apt/lists/ftp.us.debian.org_debian_dists_sid_Release -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Origin: Debian ... shows that its actually the InRelease file after the apt-get update which of course does not verify against the Release.gpg. It looks like debootstrap is putting it here, I just re-ran debootstrap and indeed, the file put there in the chroot is called "_Release" but its actually the "_InRelease" file. Apt-get update will send a if-modified-since header to the remote server and get a "not-modified" so leaves the Release file alone but the downloaded Release.gpg does not match. Renaming the downloaded _Release file to _InRelease fixes the issue. This bug in debootstrap was masked by the previous apt that was downloding a new InRelease and not touch the already present Release file - but now that InRelease support is disabled its triggered. Cheers, Michael -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
