[Bug 934751] New: Bad checksum on repository
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 Bug ID: 934751 Summary: Bad checksum on repository Classification: openSUSE Product: openSUSE Distribution Version: 13.2 Hardware: x86-64 OS: openSUSE 13.2 Status: NEW Severity: Normal Priority: P5 - None Component: Maintenance Assignee: bnc-team-screening@forge.provo.novell.com Reporter: jamesrome@alum.mit.edu QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Retrieving repository 'openSUSE:13.2:Update' metadata -----------------------------------------------------------------------------------------------------[|] Warning: Digest verification failed for file '03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz' [/var/cache/zypp/raw/openSUSE:13.2:UpdateqhyOCY/repodata/03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz] expected 4b7b13246a375b856bfaff1f019ca731f289408604329e47135520637217e549 but got e6c5988694e984d4674f01930765d016f384d5c5d33b2655ec3f397e23e47ab0 Accepting packages with wrong checksums can lead to a corrupted system and in extreme cases even to a system compromise. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c1 Bernhard Wiedemann <bwiedemann@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bwiedemann@suse.com, | |jamesrome@alum.mit.edu, | |ma@suse.com Flags| |needinfo?(jamesrome@alum.mi | |t.edu) --- Comment #1 from Bernhard Wiedemann <bwiedemann@suse.com> --- Is this reproducible? Can you upload /var/log/zypper.log It should have details about the mirror. Sometimes a zypper refresh might also help -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c2 --- Comment #2 from James Rome <jamesrome@alum.mit.edu> --- Created attachment 637915 --> http://bugzilla.opensuse.org/attachment.cgi?id=637915&action=edit zypper.log It did not do this again after zypper update. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c5 --- Comment #5 from James Rome <jamesrome@alum.mit.edu> --- It did this again today: Retrieving repository 'openSUSE:13.2:Update' metadata -----------------------------------------------------------------------------------------------------[\] Warning: Digest verification failed for file '03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz' [/var/cache/zypp/raw/openSUSE:13.2:UpdateQmekm8/repodata/03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz] expected 36f198e347c79a823e9f0d652f165a61769326497ff49983f169d7ccbab896b3 but got 4b7b13246a375b856bfaff1f019ca731f289408604329e47135520637217e549 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c6 --- Comment #6 from Michael Andres <ma@suse.com> --- Strange. If it happens again, please don't answer the callback before you were able to backup the *appdata.xml.gz file mentioned in the message. Then reopen the bug and attach it together with the zypper.log. Maybe it reveals something. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c7 --- Comment #7 from James Rome <jamesrome@alum.mit.edu> --- Created attachment 638100 --> http://bugzilla.opensuse.org/attachment.cgi?id=638100&action=edit latest zypper.log -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c8 --- Comment #8 from James Rome <jamesrome@alum.mit.edu> --- Created attachment 638101 --> http://bugzilla.opensuse.org/attachment.cgi?id=638101&action=edit The file in question Here they are -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c9 --- Comment #9 from Michael Andres <ma@suse.com> --- You are dead certain the attached *appdata.xml.gz was taken from the temp directory mentioned in the message (@@@@@@ = some random chars)
/var/cache/zypp/raw/openSUSE:13.2:Update@@@@@@/repodata
and not accidentally from the original repo (without the @@@@@@)
/var/cache/zypp/raw/openSUSE:13.2:Update/repodata
I'm asking because the attached file has the correct checksum (4b7b1324) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c10 --- Comment #10 from James Rome <jamesrome@alum.mit.edu> --- I think I cut and pasted. But I guess I will have to wait and do it again when it occurs. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c11 --- Comment #11 from Michael Andres <ma@suse.com> --- If possible tar the whole openSUSE:13.2:Update@@@@@@/ directory and attach it + zypper.log. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c12 --- Comment #12 from James Rome <jamesrome@alum.mit.edu> --- Created attachment 638961 --> http://bugzilla.opensuse.org/attachment.cgi?id=638961&action=edit zip of the repo jarfx:~ # zypper patch Retrieving repository 'Packman Repository' metadata ..............................[done] Building repository 'Packman Repository' cache ...................................[done] Retrieving repository 'Main Update Repository' metadata ..........................[done] Building repository 'Main Update Repository' cache ...............................[done] Retrieving repository 'google-chrome' metadata ...................................[done] Building repository 'google-chrome' cache ........................................[done] Retrieving repository 'openSUSE:13.2:Update' metadata -------------------------------[-] Warning: Digest verification failed for file '03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz' [/var/cache/zypp/raw/openSUSE:13.2:UpdatevL0pFR/repodata/03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz] expected 33949d687153a3ab9e5e39713a1768690fa6c672df9cbc30e28af69414f95c6c but got 4df95663ea673827c548aaeeebddbf34d8566edd08b58ca052a5cd6c96cbf509 Accepting packages with wrong checksums can lead to a corrupted system and in extreme cases even to a system compromise. However if you made certain that the file with checksum '4df9..' is secure, correct and should be used within this operation, enter the first 4 characters of the checksum to unblock using this file on your own risk. Empty input will discard the file. Unblock or discard? [4df9/? shows all options] (discard): -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c13 --- Comment #13 from James Rome <jamesrome@alum.mit.edu> --- Created attachment 638963 --> http://bugzilla.opensuse.org/attachment.cgi?id=638963&action=edit zypper.log -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c14 --- Comment #14 from Michael Andres <ma@suse.com> ---
[http://download.opensuse.org/ports/update/13.2/repodata/repomd.xml] <data type="appdata"> <location href="repodata/03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz" /> <checksum type="sha256">33949d687153a3ab9e5e39713a1768690fa6c672df9cbc30e28af69414f95c6c</checksum> <timestamp>1435145552</timestamp> <size>568279</size> <open-checksum type="sha256">fa03e49e929bd234f5c8a49971f215482fb99a4b30820092ac3694bd39f37231</open-checksum> </data>
Same here. Checksumm is 4df95663ea6. Looks like the file has changed, but not the filename. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c15 Michael Andres <ma@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |adrian@suse.com, | |ro@suse.com Resolution|WORKSFORME |--- Flags|needinfo?(jamesrome@alum.mi |needinfo?(adrian@suse.com), |t.edu) |needinfo?(ro@suse.com) --- Comment #15 from Michael Andres <ma@suse.com> --- @Adrian/Rudi: It looks like in http://download.opensuse.org/ports/update/13.2/repodata the file 03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz has changed. I checked all mirror locations I found in my logfiles and currently about 50% return the old file (sha256sum 4df95663ea6); the rest delivers the new one (sha256sum 33949d68715).
[http://gd.tuwien.ac.at/opsys/linux/opensuse/ports/update/13.2] <data type="appdata"> <location href="repodata/03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz" /> <checksum type="sha256">4df95663ea673827c548aaeeebddbf34d8566edd08b58ca052a5cd6c96cbf509</checksum> <timestamp>1434989566</timestamp> <size>568279</size> <open-checksum type="sha256">fa03e49e929bd234f5c8a49971f215482fb99a4b30820092ac3694bd39f37231</open-checksum> </data>
I always thought the funny checksum-like string in front of the file name (03f8cec0b5ba52...-appdata.xml.gz) should change whenever the content changes; in order to avoid such a name clash? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c16 --- Comment #16 from Adrian Schröter <adrian@suse.com> --- yes, job of modifyrepo from createrepo package. We do currently use a heavily patched createrepo 0.9.9 version. I will try if we can use the different heavily patched version 0.10.3 from factory instead. createrepo is known to become incompatible, fail and break down servers due to stupid programming :/ -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c17 --- Comment #17 from Adrian Schröter <adrian@suse.com> --- grr, debian packaging got removed and not adapted, so this would break travis. sorry no time for this atm. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c18 --- Comment #18 from Adrian Schröter <adrian@suse.com> --- k, ported that and ignored quite some crashes of createrepo, but all what we test in the testsuite looks good. Also triggered a republish of openSUSE:13.2:Update ports repo. It will take some time though. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c19 Michael Andres <ma@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bnc-team-screening@forge.pr |adrian@suse.com |ovo.novell.com | Flags|needinfo?(adrian@suse.com), | |needinfo?(ro@suse.com) | --- Comment #19 from Michael Andres <ma@suse.com> ---
[http://gd.tuwien.ac.at/opsys/linux/opensuse/ports/update/13.2] <data type="appdata"> <location href="repodata/03f8cec0b5ba52d39c90891a512c6d2ca7d7b125aa1bed572372463bcbe37c5f-appdata.xml.gz" /> <checksum type="sha256">78dab2d5caaf2b5f27e045cf3cd67656a5558500a02d224ba13b4b9f374e3550</checksum> <timestamp>1435167125</timestamp> <size>568279</size> <open-checksum type="sha256">fa03e49e929bd234f5c8a49971f215482fb99a4b30820092ac3694bd39f37231</open-checksum> </data>
Mirrors got new metadata (from 1435167125 Wed Jun 24 19:32:05 2015), new checksums but the filename is still the same (03f8cec0b5ba52...-appdata.xml.gz). I'll assign it to you as a reminder. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c20 --- Comment #20 from James Rome <jamesrome@alum.mit.edu> --- This is happening again: jarfx:/data1 # zypper in -t patch openSUSE-2015-695=1 Retrieving repository 'openSUSE:13.2:Update' metadata -------------------------------[\] Warning: Digest verification failed for file 'd8098d64a5e94a9468ee49009ea3d4030104624eab618325fbc24c6166220578-appdata.xml.gz' [/var/cache/zypp/raw/openSUSE:13.2:UpdateWgDhzH/repodata/d8098d64a5e94a9468ee49009ea3d4030104624eab618325fbc24c6166220578-appdata.xml.gz] expected 2b33cf79ea0d6b2323814c32fdb420f2f1b28166e9bcd6e08c6ec2e76245da2a but got d590a07ad176c472516d7de6ceb776e6bec35dbfd0d1eebaafde7e077bac3670 Accepting packages with wrong checksums can lead to a corrupted system and in extreme cases even to a system compromise. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=934751 http://bugzilla.opensuse.org/show_bug.cgi?id=934751#c21 Karl Cheng <qantas94heavy@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED CC| |qantas94heavy@gmail.com Resolution|--- |FIXED --- Comment #21 from Karl Cheng <qantas94heavy@gmail.com> --- Assuming this has been fixed by now. If this issue still persists, please file a new bug. Thank you! -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com