[Bug 741979] New: Online update fails because of invalid checksums
https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c0

           Summary: Online update fails because of invalid checksums
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: herbert@women-at-work.org
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0

I use a local mirror of http://ftp3.gwdg.de/pub/opensuse/update/12.1/ to install updates. Yast complains about invalid checksums of many of the packages and refuses to install them. It looks like some packages were signed two times and the gwdg.de mirror holds the older files.

Reproducible: Always

Steps to Reproduce:
Only as an example one of the files.
wget http://download.opensuse.org/update/12.1/x86_64/krb5-1.9.1-24.3.1.x86_64.rpm
wget http://ftp.gwdg.de/pub/opensuse/update/12.1/x86_64/krb5-1.9.1-24.3.1.x86_64....
md5sum -b krb5-1.9.1-24.3.1.x86_64.rpm*
rpm -qpi * | grep Key

Actual Results:
# md5sum -b krb5-1.9.1-24.3.1.x86_64.rpm*
c6723fb6d475115ca85215b9a03f062b *krb5-1.9.1-24.3.1.x86_64.rpm
6e1cf511119dc24c80bebe93186721d6 *krb5-1.9.1-24.3.1.x86_64.rpm.1
# rpm -qpi * | grep -i key
Signature   : RSA/SHA256, Do 08 Dez 2011 17:39:28 CET, Key ID b88b2fd43dbdc284
Signature   : RSA/SHA256, Do 08 Dez 2011 17:39:25 CET, Key ID b88b2fd43dbdc284

Expected Results:
Two identical files and not two different signing time stamps.

A regular online update from download.opensuse.org is also failing because for dolphin-4.7.2-4.4.1.x86_64.rpm, the checksum is 903b3243f0e3012e5dc9dd01c26b6f618fcb808d65394df97e6724002ce70e4e, but Yast expects 4a73848e62be00c5a04fdfbdeaebe7e7decdb125173de754a65675a6af284d25.

From the Yast log file I can see that the dolphin package was downloaded in several parts from uni-kl.de, hs-esslingen.de, uni-hd.de, uni-ulm.de and uni-wuerzburg.de. All of these mirrors have the file with the 903b... checksum.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c

Jochen Katz <jochen.katz@de.thalesgroup.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c2

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
         AssignedTo|security-team@suse.de       |ro@suse.com

--- Comment #2 from Ludwig Nussel <lnussel@suse.com> 2012-01-30 10:34:47 CET ---
This was actually supposed to be fixed already. krb5 on gwdg still has the wrong checksum though.

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c3

Mark Gray <markgray+to-suse@puck.nac.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markgray+to-suse@puck.nac.net

--- Comment #3 from Mark Gray <markgray+to-suse@puck.nac.net> 2012-01-30 09:52:59 UTC ---
If I may put my two cents in -- this might be a bug in 12.1's rsync. The only way I could get rsync to replace the bad files to my backup disks was to remove them first -- otherwise it was somehow convinced the files were not different, and no copy was necessary. (Perhaps somehow the good and bad files have the same md5sum as far as rsync is concerned.)

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c4

Adrian Schröter <adrian@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adrian@suse.com

--- Comment #4 from Adrian Schröter <adrian@suse.com> 2012-01-30 10:31:53 UTC ---
I touched the files, so the next sync should enforce to mirror it out to all mirrors.

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c5

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |luizluca@tre-sc.gov.br

--- Comment #5 from Ludwig Nussel <lnussel@suse.com> 2012-01-30 14:35:07 CET ---
*** Bug 743241 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=743241

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c6

--- Comment #6 from Herbert Meier <herbert@women-at-work.org> 2012-01-30 22:53:54 UTC ---
Created an attachment (id=473353)
 --> (http://bugzilla.novell.com/attachment.cgi?id=473353)
One more broken file

At least if you compare the gwdg.de mirror to another mirror, you will find many more packages and gwdg.de is not the only one affected. But maybe this has also to be fixed at the source: Why are these packages signed two times within one second?

From the signing date the file on gwdg.de is the good/new one!

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c7

--- Comment #7 from Eberhard Mönkeberg <emoenke@gwdg.de> 2012-01-31 00:12:53 UTC ---
I wonder how different packages (new and old, same name) can have not only same size, but also same timestamp. This HAS TO GET cured by action within stage.opensuse.org, not at the clients. Touching seems to work (how couldn't it) so please build a complete list of affected files and touch 'em.

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c8

--- Comment #8 from Herbert Meier <herbert@women-at-work.org> 2012-02-01 22:33:29 UTC ---
Just another example: Yesterday, I downloaded kernel-default-3.1.9-1.4.1.x86_64.rpm from widehat.opensuse.org, ftp.gwdg.de and from ftp.halifax.rwth-aachen.de, all versions had time stamp and signature "Fr 27 Jan 2012 17:52:52". Today the files were newly downloaded and have time stamp and signature "Fr 27 Jan 2012 17:59:41". File size is identical and the old and new files differ only in the first 832 bytes.

A diff between widehat.opensuse.org/update/12.1/x86_64 and ftp.gwdg.de/pub/opensuse/update/12.1/x86_64 reveals 140 files that differ.

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c9

--- Comment #9 from Eberhard Mönkeberg <emoenke@gwdg.de> 2012-02-01 22:42:26 UTC ---
Next step should be not only to touch the files, but to cure the creating of different files with identical name, size and timestamp. Forever, if possible - what a mess! How can that happen!
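
The condition discussed in this thread (re-signed packages with identical name, size and timestamp, which a size-and-mtime comparison such as rsync's default quick check treats as already synced) can be found by comparing content instead. This is an added example, not part of the bug report or of any openSUSE tooling; the function names, directory names, file names, sample bytes and timestamp are constructed for illustration.

```python
import os
import tempfile

def differing_span(path_a, path_b, block=1 << 16):
    """(first, last) differing byte offsets of two equal-sized files."""
    first, last, pos = None, None, 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while chunk_a := a.read(block):
            chunk_b = b.read(block)
            for i, (x, y) in enumerate(zip(chunk_a, chunk_b)):
                if x != y:
                    first = pos + i if first is None else first
                    last = pos + i
            pos += len(chunk_a)
    return first, last

def quick_check_blind_spots(reference_dir, mirror_dir):
    """Files whose size and mtime match although their content differs."""
    findings = []
    for root, _dirs, files in os.walk(reference_dir):
        for name in files:
            ref = os.path.join(root, name)
            rel = os.path.relpath(ref, reference_dir)
            mir = os.path.join(mirror_dir, rel)
            if not os.path.isfile(mir):
                continue  # a missing file is visible to any sync tool
            rs, ms = os.stat(ref), os.stat(mir)
            same_meta = (rs.st_size, int(rs.st_mtime)) == (ms.st_size, int(ms.st_mtime))
            span = differing_span(ref, mir) if same_meta else (None, None)
            if span[0] is not None:
                findings.append((rel, span))
    return sorted(findings)

def build_demo(base):
    """Constructed sample trees: one re-signed file, one identical file."""
    payload, stamp = b"P" * 4096, 1327683172  # constructed content and mtime
    samples = {"resigned.rpm": (b"A", b"B"), "unchanged.rpm": (b"C", b"C")}
    for name, heads in samples.items():
        for side, head in zip(("reference", "mirror"), heads):
            os.makedirs(os.path.join(base, side), exist_ok=True)
            path = os.path.join(base, side, name)
            with open(path, "wb") as out:
                out.write(head * 832 + payload)  # only the 832-byte head differs
            os.utime(path, (stamp, stamp))
    return os.path.join(base, "reference"), os.path.join(base, "mirror")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(quick_check_blind_spots(*build_demo(tmp)))
```

Every path it returns is a file that a metadata-only sync would leave stale on the mirror; the reported span shows whether only the leading bytes changed, as in the kernel-default case from comment #8.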

https://bugzilla.novell.com/show_bug.cgi?id=741979

https://bugzilla.novell.com/show_bug.cgi?id=741979#c

Ruediger Oertel <ro@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|ro@suse.com                 |adrian@suse.com