[Bug 1161247] New: zypper should verify all packages before installing
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247

Bug ID: 1161247
Summary: zypper should verify all packages before installing
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Upgrade Problems
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: devguy.ca@gmail.com
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

Hi

I got into a mess when updating my system, I got a package signing error and decided to cancel out using the prompts provided. After this my system started to have problems like hanging, firefox tab crashing, booting problems. I had to perform several reboots just to be able to log into my system.

All of this can be avoided if you fix zypper and any GUI update process to check all the package signatures before starting to install. This way the User can cancel the update process and not have a messed up system.

I believe but not sure the signing error came from the pacman repo, it would be nice if I could abort the process before it starts and wait for the signing errors to be fixed.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c2
--- Comment #2 from dev guy
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c3
--- Comment #3 from dev guy
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c4
--- Comment #4 from dev guy
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c5
--- Comment #5 from dev guy
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c6
--- Comment #6 from dev guy
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c7
Michael Andres
2019-12-31 03:01:48 'zypper' 'in' 'code-insiders-1.42.0-1576829237.el7.x86_64.rpm'
/var/tmp/zypp.w9g6Oz/zypper/_tmpRPMcache_/%CLI%/code-insiders-1.42.0-1576829237.el7.x86_64.rpm (1 -> [4-Signatures public key is not available])
    Header V4 RSA/SHA256 Signature, key ID be1229cf: NOKEY
    V4 RSA/SHA256 Signature, key ID be1229cf: NOKEY
code-insiders-1.42.0-1576829237.el7.x86_64 (Plain RPM files cache): User requested to accept insecure file

Here you've been prompted, and accepted to install the package passed on the commandline despite the unknown/missing key.

===

Regarding packman I see several repository metadata related issues starting 2020-01-17 09:13 and ending after 2020-01-17 09:24. The affected commands are:

TIME              PID   VER      CMD
2020-01-17 09:13  5381  1.14.33  zypper refresh
2020-01-17 09:14  5486  1.14.33  zypper update
2020-01-17 09:20  6036  1.14.33  zypper refresh
2020-01-17 09:20  6064  1.14.33  zypper update
2020-01-17 09:21  6100  1.14.33  zypper ar -cfp 90 http://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/ packman
2020-01-17 09:21  6149  1.14.33  zypper dup --from packman --allow-vendor-change
2020-01-17 09:22  6236  1.14.33  zypper refresh
2020-01-17 09:22  6300  1.14.33  zypper update
2020-01-17 09:24  6600  1.14.33  zypper refresh
2020-01-17 09:24  6630  1.14.33  zypper update

To me it looks like packman temporarily had some trouble rebuilding or republishing new repository metadata.

Up to PID 6149 you've been prompted that primary.xml.gz (the catalog of packages) has a wrong checksum and you patiently decided to discard the file and the repo was skipped.

In PID 6149 however you explicitly entered the code '9c1d' to force zypper into accepting primary.xml.gz with WRONG CHECKSUM. The remaining commands then report issues parsing the (malformed) primary.xml.gz you accepted. Actually not a zypper issue.

Also none of the zypper commands above, where the repo was corrupted, did install any package. So this can not have damaged any of your installed packages.

You re-added packman at 10:49 and AFAICS the metadata issues had been resolved. The repo worked again as expected.
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c8
--- Comment #8 from dev guy
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c9
--- Comment #9 from Michael Andres
> However if as you told me zypper will verify all packages signature before installing it. Then why part way through, did zypper prompt me to accept or decline a bad package?

To make it clear: We're not talking about a package here! You have not been prompted to accept or decline a bad package!

The checksum error affected the packman repository's metadata: Before zypper even starts to compute which packages to update, we check and get the latest repository metadata (aka auto-refresh). This is where the error occurred and it led to skipping the packman repository. We were not able to determine the repository's content, so we can't compute an update for packman.

This is at the beginning of an update and not 'part way through'. We did not even start to compute what could be updated.

In fact the update commands which reported the checksum issue did not install any package at all. Not even the 'zypper dup --from packman --allow-vendor-change' command where you accepted the broken metadata file.

According to the zypper log the last install by zypper was a successful 'zypper up' at 2020-01-17 06:12:43 (17 packages updated, should be visible in your /var/log/zypp/history). The checksum issue started at 09:13:32. The next package related action by zypper was 'zypper remove firefox' at 09:59:36.

Throughout your log there's no partial or incomplete install. AFAICS the checksum issue can not have affected the consistency of your system. The problem you experienced is most probably caused by one of the packages that were updated, but not by zypper having installed a broken package.
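
Added example, not part of the bug thread and not zypper's own code: a sketch of the metadata check discussed in comments #7 and #9, comparing each file listed in an rpm-md repodata/repomd.xml against its recorded checksum before anything is parsed. It assumes repomd.xml itself is already trusted (for instance via its detached signature); the function names and the sample repository are constructed for illustration.

```python
import gzip, hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # rpm-md repomd.xml namespace

def check_repodata(repo_root):
    """Return {href: bool} for every <data> entry in repodata/repomd.xml."""
    root = Path(repo_root)
    tree = ET.parse(root / "repodata" / "repomd.xml")
    results = {}
    for data in tree.getroot().findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        csum = data.find("r:checksum", NS)
        algo = csum.get("type")
        target = root / href
        # Refuse weak or unknown digests and missing files instead of guessing.
        if algo not in ("sha256", "sha512") or not target.is_file():
            results[href] = False
            continue
        actual = hashlib.new(algo, target.read_bytes()).hexdigest()
        results[href] = actual == csum.text.strip().lower()
    return results

def build_sample_repo(root):
    """Constructed sample: a one-file repository whose checksum matches."""
    repodata = Path(root) / "repodata"
    repodata.mkdir(parents=True)
    blob = gzip.compress(b"<metadata packages='0'/>")
    (repodata / "primary.xml.gz").write_bytes(blob)
    digest = hashlib.sha256(blob).hexdigest()
    (repodata / "repomd.xml").write_text(
        f'<repomd xmlns="{NS["r"]}"><data type="primary">'
        f'<checksum type="sha256">{digest}</checksum>'
        f'<location href="repodata/primary.xml.gz"/></data></repomd>')

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        before = check_repodata(tmp)
        # Simulate a half-published mirror: primary.xml.gz was replaced,
        # but repomd.xml still records the old checksum.
        stale = Path(tmp) / "repodata" / "primary.xml.gz"
        stale.write_bytes(gzip.compress(b"<metadata/>"))
        after = check_repodata(tmp)
    return before, after

if __name__ == "__main__":
    print(demo())
```

A False entry corresponds to the state where the repository should be skipped until the mirror publishes consistent metadata.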
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c10
--- Comment #10 from dev guy
http://bugzilla.opensuse.org/show_bug.cgi?id=1161247#c11
Michael Andres