On Thursday 25 March 2010, 21:56:16 Marcus Meissner wrote:
On Thu, Mar 25, 2010 at 08:46:08PM +0100, Hans-Peter Jansen wrote:
On Thursday 25 March 2010, 18:34:30 Hans-Peter Jansen wrote:
Hi,
apart from many connection failures to download.opensuse.org, e.g.:
Retrieving package samba-client-3.5.1-5.1.i586 (145/164), 21.0 M (76.9 M unpacked)
Retrieving: samba-client-3.5.1-5.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11.1/i586/samba-client-3.5.1-5.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: samba-client-3.5.1-5.1.i586.rpm [done (1.7 M/s)]
Installing: samba-client-3.5.1-5.1 [done]
Additional rpm output:
warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
Updating etc/sysconfig/network/dhcp...
and
Retrieving package perl-DBI-1.609-9.1.i586 (131/164), 760.0 K (2.0 M unpacked)
Retrieving: perl-DBI-1.609-9.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_11.1/i586/perl-DBI-1.609-9.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: perl-DBI-1.609-9.1.i586.rpm [done]
Installing: perl-DBI-1.609-9.1 [done]
that are circumvented with retrying, I get really disconcerting failures like:
Retrieving package libssh2-1-1.2.4-3.1.i586 (14/16), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452. Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (15/16), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Digest verification failed for libcurl4-7.20.0-33.1.i586.rpm. Expected ef235bb05c155b78659bc3356b88f4a88b255e20, found d37f038a4f933efbdb10bc73cfb93946750420c6. Continue? [yes/NO]:
Failed to provide Package libcurl4-7.20.0-33.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libcurl4-7.20.0-33.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libcurl4-7.20.0-33.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Given, that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?
It gets stranger and stranger: for some reason, the verification for libcurl4 succeeded in another attempt:
The following package is going to be upgraded: libcurl4-7.20.0-33.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)
The following NEW package is going to be installed: libssh2-1-1.2.4-3.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)
Overall download size: 228.0 K. After the operation, additional 183.0 K will be used.
Continue? [YES/no]:
committing
Retrieving package libssh2-1-1.2.4-3.1.i586 (1/2), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452. Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Perhaps not refreshed?
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (2/2), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Installing: libcurl4-7.20.0-33.1 [done]
committingCommitResult 2 (errors 0, remaining 0, srcremaining 0)
Now that version binds against libssh2, which wasn't installed obviously. With the unfriendly result of:
Well, I restored the libcurl4 version from openSUSE update for now, but this is highly troubling me (and my confidence about openSUSE).
What the hell happens here? Why does libcurl need to bind against libssh2? The libcurl4 changelog just notes:
* Wed Mar 24 2010 crrodriguez@opensuse.org - enable libssh2 support unconditionally.
* Wed Mar 10 2010 crrodriguez@opensuse.org - enable libcares support unconditionally.
@crrodriguez: the whole issue might be a red herring, but let's face it: such moves need a bit more verbose description, and given, that these libs crept into my system via devel:/languages:/python, while they flag themselves
Yes. Why does libcurl4 need libssh2? :/
Distribution: devel:libraries:c_c++ / openSUSE_11.1
doesn't raise users' confidence. In fact, it keeps smelling fishy...
You should not add the Development repos, like devel:libraries:c_c++
I never added devel:libraries:c_c++ as a repo. This is part of the reason for this message. As noted before, it came from devel:languages:python, even if tagged as devel:libraries:c_c++. Shouldn't the build system automatically set the correct Distribution: flags?
or devel:languages:python, for 11.1 directly, it's for Factory staging and so might break 11.1 systems in funny ways.
Why do you need that repo?
It contains packages, that I work with, and that the distribution is missing. Being a Python developer, I'm well prepared to fix any arising issues from badly interacting python packages, when using this repo and I do understand the risks. On the system in question, I also use devel:languages:perl, since it's the only repo, that provides a current spamassassin.

The issues, that drove me to write to this ML were merely due to the digest verification failures. Do you have any explanation for these failures, and the even uglier aspect, that made one of them vanish arbitrarily?

Thanks,
Pete
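
Added example, not part of the original thread and not zypper's own code: a sketch of the kind of comparison behind "Digest verification failed", which checks the hash of a downloaded file against the checksum recorded in the repository's rpm-md `primary.xml`. The package path, payloads and metadata are constructed for illustration; the run shows that the same downloaded file fails against cached metadata describing an earlier build and passes against refreshed metadata, so a mismatch by itself only says that file and metadata disagree.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}
# rpm-md metadata names SHA-1 "sha"; map metadata names to hashlib names.
ALGOS = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256"}

def expected_digests(primary_xml):
    """Map each package's location href to (hashlib algorithm, hex digest)."""
    digests = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        checksum = pkg.find("c:checksum", NS)
        digests[href] = (ALGOS[checksum.get("type")], checksum.text.strip().lower())
    return digests

def verify(href, data, digests):
    """Hash the downloaded bytes and compare with the metadata entry."""
    algo, expected = digests[href]
    found = hashlib.new(algo, data).hexdigest()
    return found == expected, expected, found

def build_primary(href, data):
    """Constructed one-package primary.xml for this demo (not real repo data)."""
    return (
        '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
        '<package type="rpm"><name>example</name>'
        f'<checksum type="sha" pkgid="YES">{hashlib.sha1(data).hexdigest()}</checksum>'
        f'<location href="{href}"/></package></metadata>'
    )

HREF = "i586/example-1.0-1.1.i586.rpm"      # hypothetical package path
BUILD_1 = b"constructed payload, build 1"   # what the cached metadata describes
BUILD_2 = b"constructed payload, build 2"   # what the server now delivers
STALE = expected_digests(build_primary(HREF, BUILD_1))
FRESH = expected_digests(build_primary(HREF, BUILD_2))

if __name__ == "__main__":
    for label, metadata in (("cached metadata", STALE), ("refreshed metadata", FRESH)):
        ok, expected, found = verify(HREF, BUILD_2, metadata)
        status = "verified" if ok else "Digest verification failed"
        print(f"{label}: {status}. Expected {expected}, found {found}.")
```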