Bug#931913: aptitude: The certificate is NOT trusted when using https to fetch packages from security.debian.org in buster

[JL Lee]

Package: aptitude
Version: 0.8.11-7
Severity: normal

Dear Maintainer,

After a fresh install of buster on my notebook, I installed the package 
"aptitude" to manage my packages.

It reported to me there was an update (firefox-esr) available. At thispoint I 
exited the app and changed the sources.list file entries to make all future 
updates via https, instead of the default http.

When I run the aptitude app and did an update, it reports the following:

Failed to download some files

W: Failed to fetch 
https://security.debian.org/debian-security/dists/buster/updates/Release: 
Certificate verification failed. The certificate is NOT trusted...

E: Some index files failed to download. They have been ignored, or old one used 
instead.

The warning goes away if I changed back to http instead of https for the 
entries to security.debian.org in sources.list.



Thanks for your attention.

Lee 
 



-- Package-specific info:
Terminal: xterm-256color
$DISPLAY is set.
which aptitude: /usr/bin/aptitude

aptitude version information:
aptitude 0.8.11
Compiler: g++ 8.2.0
Compiled against:
  apt version 5.0.2
  NCurses version 6.1
  libsigc++ version: 2.10.1
  Gtk+ support disabled.
  Qt support disabled.

Current library versions:
  NCurses version: ncurses 6.1.20181013
  cwidget version: 0.5.17
  Apt version: 5.0.2

aptitude linkage:
linux-vdso.so.1 (0x7ffe1419e000)
libapt-pkg.so.5.0 => /lib/x86_64-linux-gnu/libapt-pkg.so.5.0 
(0x7f28dc9f5000)
libncursesw.so.6 => /lib/x86_64-linux-gnu/libncursesw.so.6 
(0x7f28dc9bb000)
libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 
(0x7f28dc98d000)
libsigc-2.0.so.0 => /lib/x86_64-linux-gnu/libsigc-2.0.so.0 
(0x7f28dc984000)
libcwidget.so.3 => /lib/x86_64-linux-gnu/libcwidget.so.3 
(0x7f28dc87e000)
libsqlite3.so.0 => /lib/x86_64-linux-gnu/libsqlite3.so.0 
(0x7f28dc75c000)
libboost_iostreams.so.1.67.0 => 
/lib/x86_64-linux-gnu/libboost_iostreams.so.1.67.0 (0x7f28dc73c000)
libboost_system.so.1.67.0 => 
/lib/x86_64-linux-gnu/libboost_system.so.1.67.0 (0x7f28dc735000)
libxapian.so.30 => /lib/x86_64-linux-gnu/libxapian.so.30 
(0x7f28dc509000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 
(0x7f28dc4e8000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 
(0x7f28dc364000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x7f28dc1e1000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 
(0x7f28dc1c5000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f28dc004000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 
(0x7f28dbfea000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7f28dbdcc000)
libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 
(0x7f28dbdb9000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x7f28dbd91000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x7f28dbd7)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x7f28dbcd)
libudev.so.1 => /lib/x86_64-linux-gnu/libudev.so.1 (0x7f28dbcaa000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 
(0x7f28dbc09000)
/lib64/ld-linux-x86-64.so.2 (0x7f28dd026000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7f28dbc04000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x7f28dbbf8000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x7f28dbbef000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 
(0x7f28dbad1000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 
(0x7f28dbaae000)

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_SG.UTF-8, LC_CTYPE=en_SG.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_SG:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages aptitude depends on:
ii  aptitude-common   0.8.11-7
ii  libapt-pkg5.0 1.8.2
ii  libboost-iostreams1.67.0  1.67.0-13
ii  libboost-system1.67.0 1.67.0-13
ii  libc6 2.28-10
ii  libcwidget3v5 0.5.17-11
ii  libgcc1   1:8.3.0-6
ii  libncursesw6  6.1+20181013-2
ii  libsigc++-2.0-0v5 2.10.1-2
ii  libsqlite3-0  3.27.2-3
ii  libstdc++68.3.0-6
ii  libtinfo6 6.1+20181013-2
ii  libxapian30   1.4.11-1

Versions of packages aptitude recommends:
ii  libparse-debianchangelog-perl  1.2.0-13
ii  sensible-utils 0.0.12

Versions of packages aptitude suggests:
pn  apt-xapian-index
pn  aptitude-doc-en | aptitude-doc  
pn  debtags 
ii  tasksel 

Bug#858805: cdimage.debian.org: File on DVD images failed the MD5 checksum verification

[JL Lee]

Package: cdimage.debian.org
Severity: normal

Dear Maintainer,

   * What led up to the situation?

The file 
./pool/main/t/texlive-extra/texlive-latex-extra-doc_2016.20170123-5_all.deb on 
the DVD image failed the MD5 checksum verification.
This happens to the DVD images for both amd64 and i386 architecture. I 
noticed this from the DVD images published since late January 2017 
and persists till the latest release on March 23 2017.

I used jigdo-lite to download these images and the images downloaded 
each time were good.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

Diselected the installation of Print Server from the menu during the 
"Choose software to install"

   * What was the outcome of this action?
   * What outcome did you expect instead?

It appears this particular file is corrupted and needs to be looked at.


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_SG.UTF-8, LC_CTYPE=en_SG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)