On Fri, Aug 05, 2011 at 02:04:27PM +0200, Michael Vogt wrote: > On Fri, Aug 05, 2011 at 07:23:15AM -0400, Hamish Moffatt wrote: > The test-bz2-hash-error.tar that is attached to the bug does not have > a Release.gpg file. With this unsigned archive there is indeed no > hashsum check.
So it is, my apologies. > > As a second dist, I copied down dists/ from a debian mirror, repacked a > > Packages.bz2 for main/binary-i386 to ensure the md5sum changed, then ran > > apt-get update against it. There was no error and apt-cache policy > > showed that apt considered the source valid. > > I just did something similar, i wget Release and Release.gpg, then > binary-i386/Packages.bz2 into /var/www, modified its content and ran > apt-get update on a sources.list that points to http://localhost/ > > With both current trunk and the apt in squeeze I got the expected > "Hash Sum mismatch" error and no Packages file in /var/lib/apt/lists > > If you can reproduce this, I would love to get the output of > "apt-get update -o Debug::pkgAcquire::Auth=true" and steps how to > reproduce this. I'm also available on irc as "mvo" on oftc and > freenode for faster turnaround. As this report is quite concerning, I > would really like to get to the bottom of this as quickly as > possible. > > One thing I can think of is that apt does not verify the content in > /var/lib/apt/lists again after it got downloaded, so if the Packages > file in there is modified locally, then apt will not catch that. I had trouble catching the debug output in a useful way, I suspect because it's coming from the sub-processes. "apt-get ... 2>&1" doesn't grab it and "script" produced rather a mess. I'll try to paste it below. In my sources.list I have: deb http://www.risingsoftware.com/~hamish/deb squeeze main You are welcome to test against this. I renamed the original Packages.bz2 to .real and repacked it. The sha256sums are: 114ce0441b921dd4a83788805438055d1c6f8de66a1c4c327de31ffaf65a729d dists/squeeze/main/binary-i386/Packages.bz2 61d6edde3f1572dd92f44dc134b4024d30cbf3c24a856b914a8844a6fcdc613b dists/squeeze/main/binary-i386/Packages.bz2.real and the Release file says 61d6edde3f1572dd92f44dc134b4024d30cbf3c24a856b914a8844a6fcdc613b 6566963 main/binary-i386/Packages.bz2 I removed the cached lists from /var/lib/apt/lists first. Hamish [ 9:02AM] hamish@li154-67:~ $ sudo apt-get update -o Debug::pkgAcquire::Auth=true Get:1 http://www.risingsoftware.com squeeze Release.gpg [1,672 B] Ign http://www.risingsoftware.com/~hamish/deb/ squeeze/main Translation-en Ign http://www.risingsoftware.com/~hamish/deb/ squeeze/main Translation-en_AU Get:2 http://www.risingsoftware.com squeeze Release [104 kB] 60% [Connecting to ftp.us.debian.org] [Connecting to security.debian.org (212.211.132.250)] [2 Release 62.1 kB/104 kB 59%]Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/www.risingsoftware.com_%7ehamish_deb_dists_squeeze_Release.gpg,/var/lib/apt/lists/partial/www.risingsoftware.com_%7ehamish_deb_dists_squeeze_Release) 99% [2 Release gpgv 104 kB] [Connecting to ftp.us.debian.org (199.6.12.70)] [Connecting to security.debian.org (212.211.132.250)]Got Codename: squeeze Expecting Dist: squeeze Transformed Dist: squeeze Signature verification succeeded: /var/lib/apt/lists/partial/www.risingsoftware.com_%7ehamish_deb_dists_squeeze_Release Queueing: http://www.risingsoftware.com/~hamish/deb/dists/squeeze/main/binary-i386/Packages Expected Hash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece Get:3 http://www.risingsoftware.com squeeze/main i386 Packages [7,816 kB] Hit http://ftp.us.debian.org squeeze Release.gpg Ign http://ftp.us.debian.org/debian/ squeeze/contrib Translation-en Ign http://ftp.us.debian.org/debian/ squeeze/contrib Translation-en_AU Ign http://ftp.us.debian.org/debian/ squeeze/main Translation-en Ign http://ftp.us.debian.org/debian/ squeeze/main Translation-en_AU Ign http://ftp.us.debian.org/debian/ squeeze/non-free Translation-en Ign http://ftp.us.debian.org/debian/ squeeze/non-free Translation-en_AU Hit http://ftp.us.debian.org squeeze-updates Release.gpg Ign http://ftp.us.debian.org/debian/ squeeze-updates/contrib Translation-en Ign http://ftp.us.debian.org/debian/ squeeze-updates/contrib Translation-en_AU Ign http://ftp.us.debian.org/debian/ squeeze-updates/main Translation-en Ign http://ftp.us.debian.org/debian/ squeeze-updates/main Translation-en_AU Ign http://ftp.us.debian.org/debian/ squeeze-updates/non-free Translation-en Ign http://ftp.us.debian.org/debian/ squeeze-updates/non-free Translation-en_AU 84% [Waiting for headers] [3 Packages 6,619 kB/7,816 kB 84%]Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/ftp.us.debian.org_debian_dists_squeeze_Release.gpg,/var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze_Release) Hit http://ftp.us.debian.org squeeze Release 84% [Waiting for headers] [Waiting for headers] [3 Packages 6,619 kB/7,816 kB 84%]Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/ftp.us.debian.org_debian_dists_squeeze-updates_Release.gpg,/var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze-updates_Release) Hit http://ftp.us.debian.org squeeze-updates Release 84% [Release gpgv 104 kB] [Waiting for headers] [3 Packages 6,623 kB/7,816 kB 84%]Got Codename: squeeze Expecting Dist: squeeze Transformed Dist: squeeze Signature verification succeeded: /var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze_Release Queueing: http://ftp.us.debian.org/debian/dists/squeeze/main/source/Sources Expected Hash: SHA256:a36b4dbd279c55c19262f7328123c0199209398223453b1d503de49fc7d7fe3a Queueing: http://ftp.us.debian.org/debian/dists/squeeze/non-free/source/Sources Expected Hash: SHA256:4e40b53e633ce78958d3c4b024f218345151947acc717ff3099be9995c966124 Queueing: http://ftp.us.debian.org/debian/dists/squeeze/contrib/source/Sources Expected Hash: SHA256:31797608cfd95a8817d1d5347ea7bce50230cce2289db25c7b8a35d8b7f868a0 Queueing: http://ftp.us.debian.org/debian/dists/squeeze/main/binary-i386/Packages Expected Hash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece Queueing: http://ftp.us.debian.org/debian/dists/squeeze/non-free/binary-i386/Packages Expected Hash: SHA256:2b317a5a4ea6266efc384fc4ba8d092bf1dceebb99f1b91427f8a1bd14bcb28f Queueing: http://ftp.us.debian.org/debian/dists/squeeze/contrib/binary-i386/Packages Expected Hash: SHA256:e0aa709917596a3ef5cd69bf47e24ed738e5fdd2b96ce68400c4dcc38cc71857 90% [Release gpgv 113 kB] [Waiting for headers] [3 Packages 7,078 kB/7,816 kB 90%]Got Codename: squeeze-updates Expecting Dist: squeeze-updates Transformed Dist: squeeze-updates Signature verification succeeded: /var/lib/apt/lists/ftp.us.debian.org_debian_dists_squeeze-updates_Release Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/main/source/Sources Expected Hash: SHA256:065d3a955db08f050c998c1daf6f6eaf42aa08e82b4288131a3783137d2548b6 Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/non-free/source/Sources Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/contrib/source/Sources Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/main/binary-i386/Packages Expected Hash: SHA256:14e9a18ec616cc37f12cdeeec18a174425c8d5db4e17e53f81308d99189e6329 Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/non-free/binary-i386/Packages Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Queueing: http://ftp.us.debian.org/debian/dists/squeeze-updates/contrib/binary-i386/Packages Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 94% [Waiting for headers] [Waiting for headers] [3 Packages 7,406 kB/7,816 kB 94%]201 URI Done: http://www.risingsoftware.com/~hamish/deb/dists/squeeze/main/binary-i386/Packages.bz2 RecivedHash: SHA256:114ce0441b921dd4a83788805438055d1c6f8de66a1c4c327de31ffaf65a729d ExpectedHash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece Hit http://security.debian.org squeeze/updates Release.gpg Ign http://security.debian.org/ squeeze/updates/contrib Translation-en Ign http://security.debian.org/ squeeze/updates/contrib Translation-en_AU 99% [3 Packages bzip2 0 B] [Waiting for headers] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/main/source/Sources.bz2 RecivedHash: ExpectedHash: SHA256:a36b4dbd279c55c19262f7328123c0199209398223453b1d503de49fc7d7fe3a Hit http://ftp.us.debian.org squeeze/main Sources 99% [3 Packages bzip2 0 B] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/non-free/source/Sources.bz2 RecivedHash: ExpectedHash: SHA256:4e40b53e633ce78958d3c4b024f218345151947acc717ff3099be9995c966124 Hit http://ftp.us.debian.org squeeze/non-free Sources 201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/contrib/source/Sources.bz2 RecivedHash: ExpectedHash: SHA256:31797608cfd95a8817d1d5347ea7bce50230cce2289db25c7b8a35d8b7f868a0 Hit http://ftp.us.debian.org squeeze/contrib Sources 201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/main/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece Hit http://ftp.us.debian.org squeeze/main i386 Packages 201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/non-free/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:2b317a5a4ea6266efc384fc4ba8d092bf1dceebb99f1b91427f8a1bd14bcb28f Hit http://ftp.us.debian.org squeeze/non-free i386 Packages 201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze/contrib/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:e0aa709917596a3ef5cd69bf47e24ed738e5fdd2b96ce68400c4dcc38cc71857 Hit http://ftp.us.debian.org squeeze/contrib i386 Packages Hit http://ftp.us.debian.org squeeze-updates/main Sources/DiffIndex 99% [3 Packages bzip2 0 B] [Waiting for headers] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/non-free/source/Sources.bz2 RecivedHash: ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Hit http://ftp.us.debian.org squeeze-updates/non-free Sources 201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/contrib/source/Sources.bz2 RecivedHash: ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Hit http://ftp.us.debian.org squeeze-updates/contrib Sources Hit http://ftp.us.debian.org squeeze-updates/main i386 Packages/DiffIndex 201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/non-free/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Hit http://ftp.us.debian.org squeeze-updates/non-free i386 Packages Ign http://security.debian.org/ squeeze/updates/main Translation-en Ign http://security.debian.org/ squeeze/updates/main Translation-en_AU Ign http://security.debian.org/ squeeze/updates/non-free Translation-en Ign http://security.debian.org/ squeeze/updates/non-free Translation-en_AU 99% [3 Packages bzip2 0 B] [Waiting for headers]Metaindex acquired, queueing gpg verification (/var/lib/apt/lists/partial/security.debian.org_dists_squeeze_updates_Release.gpg,/var/lib/apt/lists/security.debian.org_dists_squeeze_updates_Release) Hit http://security.debian.org squeeze/updates Release 99% [3 Packages bzip2 0 B] [Release gpgv 38.4 kB] [Waiting for headers]Got Codename: squeeze Expecting Dist: squeeze/updates Transformed Dist: squeeze Signature verification succeeded: /var/lib/apt/lists/security.debian.org_dists_squeeze_updates_Release Queueing: http://security.debian.org/dists/squeeze/updates/main/binary-i386/Packages Expected Hash: SHA256:9a4d69cc4792a78191af6b31b3f24080aa67339bc836a6d6a989278f9757f305 Queueing: http://security.debian.org/dists/squeeze/updates/contrib/binary-i386/Packages Expected Hash: SHA256:f0f4d26b2f1adef2e527e6ea22876d8c5b8a40b037b3e07d06a75411d3dd4acb Queueing: http://security.debian.org/dists/squeeze/updates/non-free/binary-i386/Packages Expected Hash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 99% [3 Packages bzip2 0 B] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/contrib/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Hit http://ftp.us.debian.org squeeze-updates/contrib i386 Packages 99% [3 Packages bzip2 0 B] [Waiting for headers] [Waiting for headers]201 URI Done: http://ftp.us.debian.org/debian/dists/squeeze-updates/main/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:14e9a18ec616cc37f12cdeeec18a174425c8d5db4e17e53f81308d99189e6329 Hit http://ftp.us.debian.org squeeze-updates/main i386 Packages 99% [3 Packages bzip2 0 B] [Waiting for headers]201 URI Done: http://security.debian.org/dists/squeeze/updates/main/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:9a4d69cc4792a78191af6b31b3f24080aa67339bc836a6d6a989278f9757f305 Hit http://security.debian.org squeeze/updates/main i386 Packages 99% [3 Packages bzip2 0 B]201 URI Done: http://security.debian.org/dists/squeeze/updates/contrib/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:f0f4d26b2f1adef2e527e6ea22876d8c5b8a40b037b3e07d06a75411d3dd4acb Hit http://security.debian.org squeeze/updates/contrib i386 Packages 99% [3 Packages bzip2 0 B] [Waiting for headers]201 URI Done: http://security.debian.org/dists/squeeze/updates/non-free/binary-i386/Packages.bz2 RecivedHash: ExpectedHash: SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Hit http://security.debian.org squeeze/updates/non-free i386 Packages 99% [3 Packages bzip2 0 B]201 URI Done: http://www.risingsoftware.com/~hamish/deb/dists/squeeze/main/binary-i386/Packages.bz2 RecivedHash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece ExpectedHash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece http://www.risingsoftware.com/~hamish/deb/dists/squeeze/main/binary-i386/Packages: Computed Hash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece Expected Hash: SHA256:2bc8e2f2838654cb836ed000ab958cf9c349a1024b3c7b6d893d190be9752ece Fetched 7,921 kB in 2s (3,491 kB/s) Reading package lists... Done -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
