On Thu, Sep 1, 2011 at 17:57, Paul Wise <p...@debian.org> wrote:
> W: Failed to fetch http://serviceplatform.org/packages/./Release  Unable to
> find expected entry 'Sources' in Release file (Wrong sources.list entry or
> malformed file)
> E: Some index files failed to download. They have been ignored, or old ones
> used instead.

Besides the fact that repositories really should provide checksums and signatures for security reasons[0], this behavior is a regression from a recent commit (2156) enabling checksum checking even if the Release file isn't signed. This doesn't add any points to the security score, as someone who can manipulate the Packages files can also manipulate the Release file, but that the attacker needs to do it at least increases the complexity of an attack a bit…

So, with this background, it's fair to partly revert the commit by trying to check the checksums but ignore it if they are not provided (but still fail if they are not correct). I did that a while ago already in my branch, so it's most likely fixed in the next upload, but given that everyone seems to be pretty busy lately (or the contrary: is on holiday) it might take a while to hit sid.

Users should take that as an open invitation to bug repository admins to "fix" their repositories. Most of these seem to be created by complicated hand-made scripts and could be replaced by a shorter and better-working 'apt-ftparchive generate' (at least that was the case for a fellow student). Feel free to ask on deity@l.d.o or in #debian-apt for help (but prepare for non-immediate response) - or refer to one of the debian-user lists if you can't work out how to set it up from the manpages/examples.

Best regards

David Kalnischkies

[0] It's kind of pointless to get excited about a kernel.org break-in if every user of repository X is forced to trust that not a single system on the way between his computer and the repository is compromised. See man-in-the-middle attacks for a start on this topic.
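
The policy described in the message above (verify a checksum when the Release file lists one, accept the file when no entry exists, fail when an entry exists but does not match), as an added example that is not part of the original message and is not apt's own code. The function names, the restriction to the `SHA256` field and the sample Release content are assumptions constructed for illustration.

```python
import hashlib

class ChecksumMismatch(Exception):
    """A file is listed in Release but its size or digest does not match."""

def parse_release_hashes(release_text, field="SHA256"):
    """Return {filename: (hexdigest, size)} for one checksum field of a Release file."""
    entries, in_field = {}, False
    for line in release_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:            # "<digest> <size> <filename>"
                digest, size, name = parts
                entries[name] = (digest.lower(), int(size))
        else:
            in_field = False               # any other field ends the block
    return entries

def check_index(release_text, name, data):
    """Verify if listed, ignore if not listed, fail if listed but wrong."""
    entries = parse_release_hashes(release_text)
    if name not in entries:
        # No checksum provided: the file is accepted without verification.
        return "unlisted"
    digest, size = entries[name]
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        raise ChecksumMismatch(name)
    return "verified"

# Constructed sample: a Release file that lists Packages but has no Sources entry.
PACKAGES = b"Package: demo\nVersion: 1.0\n"
RELEASE = (
    "Origin: example\n"
    "Suite: unstable\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} Packages\n"
)

if __name__ == "__main__":
    print(check_index(RELEASE, "Packages", PACKAGES))   # listed and correct
    print(check_index(RELEASE, "Sources", b""))         # not listed: ignored
    try:
        check_index(RELEASE, "Packages", PACKAGES + b"tampered")
    except ChecksumMismatch as exc:
        print("rejected:", exc)                          # listed but wrong
```

As the message notes, with an unsigned Release file this check only forces a tamperer to rewrite the Release file as well; a signature over Release is what ties the checksums to the repository owner.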