On Fri, Aug 05, 2011 at 07:23:15AM -0400, Hamish Moffatt wrote: > On Fri, Aug 05, 2011 at 12:32:17PM +0200, Michael Vogt wrote: > > On Tue, Aug 02, 2011 at 04:14:18AM -0400, Hamish Moffatt wrote: > > > Package: apt > > > Version: 0.8.10.3+squeeze1 > > > Severity: important [..] > > I can verify this for unsigned Release files, there is indeed no > > hashsum verification in this case. I added a testcase and a fix to the > > debian-sid branch. But I was not able to verify this for signed > > Release files, I get correct errors in this case on apt-get update on > > mismaches (I added a test for this as well to the testsuite to be > > sure). > > Thanks. By the way I found this problem in lucid originally and verified > on squeeze before reporting it there. > > However I am seeing the problem with what I believe is a correctly > signed repository. For example the repository inside the tar I attached > to the original report. I think the key for it is on keyserver.ubuntu.com.
Thanks for this additional information. The test-bz2-hash-error.tar that is attached to the bug does not have a Release.gpg file. With this unsigned archive there is indeed no hashsum check. > As a second dist, I copied down dists/ from a debian mirror, repacked a > Packages.bz2 for main/binary-i386 to ensure the md5sum changed, then ran > apt-get update against it. There was no error and apt-cache policy > showed that apt considered the source valid. I just did something similar, i wget Release and Release.gpg, then binary-i386/Packages.bz2 into /var/www, modified its content and ran apt-get update on a sources.list that points to http://localhost/ With both current trunk and the apt in squeeze I got the expected "Hash Sum mismatch" error and no Packages file in /var/lib/apt/lists If you can reproduce this, I would love to get the output of "apt-get update -o Debug::pkgAcquire::Auth=true" and steps how to reproduce this. I'm also available on irc as "mvo" on oftc and freenode for faster turnaround. As this report is quite concerning, I would really like to get to the bottom of this as quickly as possible. One thing I can think of is that apt does not verify the content in /var/lib/apt/lists again after it got downloaded, so if the Packages file in there is modified locally, then apt will not catch that. Thanks, Michael -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org