Hi!

On Tue, 2020-10-27 at 18:30:43 -0400, Nicholas D Steeves wrote:
> Package: dpkg-dev
> Version: 1.20.5
> Severity: important

> Today while working on the autopkgtests of an ITP of mine I discovered
> that apt fails to install packages from the local repo, seemingly
> because of missing sha512 hashes. Whether intentional or not, the
> effect seems to be that apt is enforcing sha512, which isn't a bad
> thing, hence this bug!

But sha256 is not weak, so that should be enough, the problem seems to
be something else.

I've already implemented this locally, but I'm afraid it would need
coordination with at least ftp-masters as DAK might actually reject
such .dsc and .changes files.

Hmm, but I tried to reproduce this, and I'm unable to, downloaded a
couple of binary packages, created a Packages file with
dpkg-scanpackages, and added an entry in apt and updated and nothing
broke, so there's something else going on:

$ mkdir repo
$ cd repo
$ apt download libbsd0 libmd0
$ dpkg-scanpackages . >Packages
$ cat <<REPO
Types: deb
URIs: file:///path-to/repo
Suites: ./
Trusted: yes
REPO
$ apt update

> …
> Get:1 file:/usr/src/repo/amd64 ./ python3-volatile 2.1.0-1 [5356 B]
> Err:1 file:/usr/src/repo/amd64 ./ python3-volatile 2.1.0-1
>   Hash Sum mismatch
>   Hashes of expected file:
>    - SHA256:1210131215ad632c8eb4d09b0448ce680ca9805aaf4ec9b3b99ee2161537f93c
>    - SHA1:fc1517b001fe9361d18a31f0d63daac366f93c8e [weak]
>    - MD5Sum:e9c3ec5e3d437c610566fa2d24baee47 [weak]
>    - Filesize:5356 [weak]
>    - SHA512:779d3b466eb7cff946f6efebce7374803ec4afd6631ace49e02073d1da4fa98a4b1449e0e207dff6b32e11f735b29b04298a05632dcc077469ecfc674b0cab5d
>   Hashes of received file:
>    - SHA512:d2330098a34a54fe68a57ef12ce79260bb0eeddea3df251e9e4bbd1588dc0e46904ee89cc9e6bf44d8c0a910caedcc1b9c582066f7402ff264d7dc130d7f79c4
>    - SHA256:1210131215ad632c8eb4d09b0448ce680ca9805aaf4ec9b3b99ee2161537f93c
>    - SHA1:fc1517b001fe9361d18a31f0d63daac366f93c8e [weak]
>    - MD5Sum:e9c3ec5e3d437c610566fa2d24baee47 [weak]
>    - Filesize:5356 [weak]
>   Last modification reported: Tue, 27 Oct 2020 21:23:22 +0000
> W: Sources disagree on hashes for supposely identical version '2.1.0-1' of 'python3-volatile:amd64'.
> E: Failed to fetch file:/usr/src/repo/amd64/../pool/python3-volatile_2.1.0-1_all.deb  Hash Sum mismatch

Hmm if the hashes are missing, why are they here mismatched?

Thanks,
Guillem
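
The apt output quoted above shows every recorded value agreeing except SHA512. The following is an added example, not part of the original message and not dpkg or apt code: a small checker that recomputes Size, MD5sum, SHA1, SHA256 and SHA512 for each Filename in a Packages index and reports which recorded values are ok, mismatched or absent. The demo package, file name and stanza are constructed.

```python
import hashlib, os, tempfile

# Packages-index field -> hashlib algorithm name
HASH_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def parse_stanzas(text):
    """Split a Packages index into one dict per blank-line-separated stanza."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:           # continuation of previous field
            cur[last] += "\n" + line.strip()
        elif ":" in line:
            last, value = line.split(":", 1)
            cur[last] = value.strip()
    return stanzas

def check_stanza(stanza, repo_root):
    """Compare each recorded value with the file on disk: ok / MISMATCH / absent."""
    with open(os.path.join(repo_root, stanza["Filename"]), "rb") as fh:
        data = fh.read()
    actual = {f: hashlib.new(a, data).hexdigest() for f, a in HASH_FIELDS.items()}
    actual["Size"] = str(len(data))
    return {f: "absent" if f not in stanza
            else "ok" if stanza[f].lower() == got else "MISMATCH"
            for f, got in actual.items()}

def check_index(index_text, repo_root):
    """Map (Package, Version) to the per-field result for every stanza with a Filename."""
    return {(s["Package"], s["Version"]): check_stanza(s, repo_root)
            for s in parse_stanzas(index_text) if "Filename" in s}

def demo():
    """Constructed sample: SHA256 recorded correctly, SHA512 stale, SHA1/MD5sum not recorded."""
    payload = b"constructed stand-in for a .deb\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "demo_1.0_all.deb"), "wb") as fh:
            fh.write(payload)
        index = "\n".join([
            "Package: demo", "Version: 1.0", "Filename: ./demo_1.0_all.deb",
            f"Size: {len(payload)}",
            "SHA256: " + hashlib.sha256(payload).hexdigest(),
            "SHA512: " + hashlib.sha512(b"older build").hexdigest(), ""])
        return check_index(index, root)

if __name__ == "__main__":
    for pkg, fields in demo().items():
        print(pkg, fields)
```

Running check_index over each index that describes the same package version shows which index carries the value that disagrees with the file on disk.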