On 26.03.2010 at 09:05, Ludwig Nussel wrote:
Hans-Peter Jansen wrote:
Given, that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?
It gets stranger and stranger: for some reason, the verification for libcurl4 succeeded in another attempt:
download.opensuse.org redirects to mirrors. Maybe one of them has a corrupted package. I don't know if zypper has options to print redirects. You could try fetching the file manually using wget to see which mirror was used though.
zypper doesn't have such options. (It should... so users could report problems in a way that makes it possible to easily fix them... but well. We haven't.) But you can check the hashes that the server provides. They are listed in the Metalink of each file, e.g. http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11... Those hashes are authoritative and independent of mirrors. Since the Metalink also lists the mirrors, it's trivial to check if a mirror delivers different content. (Consider though that not all problems are apparent immediately; some occur only sometimes.) aria2c automatically uses this information to download correct content. That's why openSUSE 11.2 uses aria2c as downloader. In the near future, it'll be possible to retrieve the hashes simply by appending .sha256, .sha1 or .md5 to a URL.
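The mirror check described in the message above, as an added example that is not code from the thread or from the openSUSE project: it parses a Metalink 3 document of the kind download.opensuse.org served at the time (the `http://www.metalinker.org/` namespace, `verification/hash` entries and a `resources/url` mirror list), takes the strongest hash listed, fetches the file from every mirror and reports which mirrors deliver content that does not match. The Metalink, the package name `libcurl4-example.rpm`, the mirror hostnames and the payload bytes are all constructed here for illustration; the fetch callback is swappable so the run below works offline.

```python
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

# Metalink 3.0 default namespace (the format download.opensuse.org served in 2010).
ML_NS = "{http://www.metalinker.org/}"


def parse_metalink(xml_text):
    """Return (file_name, {hash_type: hexdigest}, [mirror_urls]) for the first <file>."""
    root = ET.fromstring(xml_text)
    f = root.find(f"{ML_NS}files/{ML_NS}file")
    if f is None:
        raise ValueError("Metalink contains no <file> element")
    # Only whole-file hashes; piece hashes live under <pieces> and are ignored here.
    hashes = {h.get("type").lower(): h.text.strip().lower()
              for h in f.findall(f"{ML_NS}verification/{ML_NS}hash")}
    mirrors = [u.text.strip() for u in f.findall(f"{ML_NS}resources/{ML_NS}url")]
    return f.get("name"), hashes, mirrors


def strongest_hash(hashes):
    """Prefer sha256 over sha1 over md5; the Metalink may list any subset."""
    for algo in ("sha256", "sha1", "md5"):
        if algo in hashes:
            return algo, hashes[algo]
    raise ValueError("no usable whole-file hash in Metalink")


def http_fetch(url):
    """Real fetch used when running against live mirrors."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def check_mirrors(metalink_xml, fetch=http_fetch):
    """Download the file from every listed mirror and compare against the authoritative hash."""
    _name, hashes, mirrors = parse_metalink(metalink_xml)
    algo, expected = strongest_hash(hashes)
    report = {}
    for url in mirrors:
        try:
            data = fetch(url)
        except Exception as exc:  # a dead mirror is a finding too, not a crash
            report[url] = f"error: {exc}"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        report[url] = "ok" if actual == expected else f"MISMATCH ({algo} {actual})"
    return report


# ---- constructed sample data (hypothetical package, hostnames and payload) ----
GOOD = b"constructed stand-in for the rpm payload\n"
BAD = GOOD[:-1] + b"!"  # one corrupted byte, as a broken mirror might serve


def build_sample_metalink(payload):
    """Construct a Metalink 3 document whose hashes describe `payload`."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="libcurl4-example.rpm">
      <size>{len(payload)}</size>
      <verification>
        <hash type="md5">{hashlib.md5(payload).hexdigest()}</hash>
        <hash type="sha1">{hashlib.sha1(payload).hexdigest()}</hash>
        <hash type="sha256">{hashlib.sha256(payload).hexdigest()}</hash>
      </verification>
      <resources>
        <url type="http" location="de" preference="100">http://mirror-a.example/libcurl4-example.rpm</url>
        <url type="http" location="us" preference="90">http://mirror-b.example/libcurl4-example.rpm</url>
      </resources>
    </file>
  </files>
</metalink>
"""


FAKE_MIRRORS = {
    "http://mirror-a.example/libcurl4-example.rpm": GOOD,  # healthy mirror
    "http://mirror-b.example/libcurl4-example.rpm": BAD,   # serves corrupted content
}


def fake_fetch(url):
    """Offline stand-in for http_fetch, backed by the constructed mirror table."""
    return FAKE_MIRRORS[url]


def demo():
    return check_mirrors(build_sample_metalink(GOOD), fetch=fake_fetch)


if __name__ == "__main__":
    for url, status in demo().items():
        print(f"{status:40s} {url}")
```

Against live mirrors you would fetch the `.metalink` for the package from download.opensuse.org and call `check_mirrors(xml)` with the default `http_fetch`. Two caveats: a mirror that is only intermittently wrong, as the message above warns, needs repeated runs to be caught; and the hashes are only as trustworthy as the channel that delivered the Metalink, so this catches a corrupt or stale mirror but is not a substitute for the rpm GPG signature check that zypper itself performs.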
Now that version binds against libssh2, which wasn't installed obviously. With the unfriendly result of:
# zypper
zypper: error while loading shared libraries: libssh2.so.1: cannot open shared object file: No such file or directory
Just don't press 'i', i.e. 'ignore', if zypper prompts you, to avoid such errors :-)
Good one ;-)

Peter
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org