Your message dated Sat, 30 May 2009 17:36:43 +0200
with message-id <[email protected]>
and subject line Re: Bug#509221: security.debian.org: Repeated intermittant GPG
BADSIG errors with Automatic Signing Key
has caused the Debian Bug report #509221,
regarding security.debian.org: Repeated intermittant GPG BADSIG errors with
Automatic Signing Key
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
509221: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509221
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: security.debian.org
Severity: important
For the past several months I have been getting periodic errors with
the signing key as follows:
sudo aptitude update
........
W: GPG error: http://ftp.debian.org etch Release: The following signatures were invalid: BADSIG A70DAF536070D3A1 Debian Archive Automatic Signing Key (4.0/etch) <[email protected]>
W: You may want to run apt-get update to correct these problems
Repeated running aptitude update sometimes clears the errors. If not,
then running dist-upgrade gives:
wover...@imb-msump-l-01:~$ sudo aptitude dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
Building tag database... Done
The following packages will be upgraded:
devscripts dpkg dpkg-dev dselect libc6 libc6-dev libc6-i686 libpq4
linux-image-2.6.18-6-686 locales reportbug
11 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/32.6MB of archives. After unpacking 106kB will be used.
Do you want to continue? [Y/n/?] y
WARNING: untrusted versions of the following packages will be installed!
Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.
reportbug libc6-i686 locales devscripts dpkg dpkg-dev libc6-dev libpq4
libc6 dselect
Do you want to ignore this warning and proceed anyway?
It feels like the problem is becoming more frequent. Is one or more
of the servers serving security.debian.org out of sync?
A dig on security.debian.org gives me:
dig -t ANY security.debian.org
; <<>> DiG 9.3.4-P1.1 <<>> -t ANY security.debian.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30614
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;security.debian.org. IN ANY
;; ANSWER SECTION:
security.debian.org. 300 IN A 130.89.149.225
security.debian.org. 300 IN A 195.20.242.89
security.debian.org. 300 IN A 212.211.132.32
security.debian.org. 300 IN A 212.211.132.250
security.debian.org. 300 IN A 128.31.0.36
security.debian.org. 3600 IN MX 10 klecker.debian.org.
;; AUTHORITY SECTION:
debian.org. 2814 IN NS raff.debian.org.
debian.org. 2814 IN NS rietz.debian.org.
debian.org. 2814 IN NS klecker.debian.org.
;; Query time: 94 msec
;; SERVER: 128.150.130.16#53(128.150.130.16)
;; WHEN: Fri Dec 19 14:56:10 2008
;; MSG SIZE rcvd: 194
All of these systems were clean new installs of Debian 4.0.
Warren
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
--- End Message ---
--- Begin Message ---
On Saturday 20 December 2008, Florian Weimer wrote:
> * Warren Overholt:
> > Sorry, it took a while to find the right people to explain the
> > network configuration. A BlueCoat was recently installed, which
> > among other tasks is a proxy server. The bluecoat is supposed to be
> > an inline cache.
>
> I guess it's the culprit here. Such issues are quite common,
> unfortunately.
>
> > The error I cut and pasted the messages from today was roughly
> > 2:45-3:00pm EST. The server's IP is 128.150.140.174. I have been
> > told that the BlueCoat's IP should not show up in the access logs.
>
> We've got a request from the .174 IP in our logs for the etch Release
> file, but no request at all for the corresponding Release.gpg file. I
> suppose the proxy is caching an outdated copy for some reason.
> Obviously, the signature doesn't match the new file.
>
> > Given your response, will a solution like apt-proxy, approx, or
> > apt-cacher help me?
>
> This only works if those instances aren't behind the same proxy, and
> if you can download data from them in ways which your proxy doesn't
> affect.
>
> > Or will that only help me if I can have its requests to
> > *.debian.org not be filtered?
>
> Filtering and caching is fine, but the proxy should honor aptitude's
> requests to bypass it. This way, you will still get the benefit of
> caching the actual package files.
Given that a possible culprit has been identified, that it's probable that this
was the cause, and that we haven't received other reports about this kind of
error, I'm closing the bug now. Feel free to reopen if you still think this
is something Debian could address.
Thijs
--- End Message ---
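The failure mode identified in this thread is a proxy answering with an outdated cached Release while Release.gpg comes from the archive, so the signature no longer matches. The following check is an added example, not part of the original messages or of any Debian tool: it fetches both files with and without a cache-bypass request and reports which one the cache is holding stale. The `StaleProxy` class, the `mirror.example` URL and the file contents are constructed for illustration.

```python
import hashlib
import urllib.request

# Request headers asking HTTP caches to revalidate with the origin server.
BYPASS = {"Cache-Control": "no-cache", "Pragma": "no-cache"}
FILES = ("Release", "Release.gpg")

def http_fetch(url, headers):
    """Fetch url through whatever proxy the environment configures."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

def check_release_pair(base_url, fetch=http_fetch):
    """Hash each file as served by default and as served on a bypass request."""
    report = {}
    for name in FILES:
        url = base_url.rstrip("/") + "/" + name
        cached = hashlib.sha256(fetch(url, {})).hexdigest()
        fresh = hashlib.sha256(fetch(url, BYPASS)).hexdigest()
        report[name] = {"cached": cached, "fresh": fresh, "stale": cached != fresh}
    return report

def diagnose(report):
    """Name the files whose default copy differs from the revalidated one."""
    stale = sorted(name for name, r in report.items() if r["stale"])
    if not stale:
        # Also the result if the proxy ignores the bypass headers entirely.
        return "no difference seen"
    if len(stale) == len(FILES):
        return "both files stale in cache"
    return "mismatched pair: stale " + stale[0]

class StaleProxy:
    """Constructed stand-in for a cache holding an old Release only."""
    def __init__(self):
        self.origin = {"Release": b"Date: new\n", "Release.gpg": b"sig(new)\n"}
        self.cache = {"Release": b"Date: old\n"}

    def fetch(self, url, headers):
        name = url.rsplit("/", 1)[1]
        if headers.get("Cache-Control") == "no-cache" or name not in self.cache:
            return self.origin[name]
        return self.cache[name]

if __name__ == "__main__":
    # Hypothetical mirror URL; no network is used, the constructed proxy answers.
    rep = check_release_pair("http://mirror.example/dists/etch", StaleProxy().fetch)
    print(diagnose(rep))
```

Calling `check_release_pair` with a real `dists/<suite>` URL and no `fetch` argument runs the same comparison through the configured proxy; signature verification of the downloaded pair remains the authoritative test. apt can send the same bypass request itself through the `Acquire::http::No-Cache` setting in apt.conf.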