[opensuse-security] Failed digest verification with package updates from build service projects
Hi,

apart from many connection failures to download.opensuse.org, e.g.:

Retrieving package samba-client-3.5.1-5.1.i586 (145/164), 21.0 M (76.9 M unpacked)
Retrieving: samba-client-3.5.1-5.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11...':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: samba-client-3.5.1-5.1.i586.rpm [done (1.7 M/s)]
Installing: samba-client-3.5.1-5.1 [done]
Additional rpm output:
warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
Updating etc/sysconfig/network/dhcp...

and

Retrieving package perl-DBI-1.609-9.1.i586 (131/164), 760.0 K (2.0 M unpacked)
Retrieving: perl-DBI-1.609-9.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_11...':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: perl-DBI-1.609-9.1.i586.rpm [done]
Installing: perl-DBI-1.609-9.1 [done]

that are circumvented with retrying, I get really disconcerting failures like:

Retrieving package libssh2-1-1.2.4-3.1.i586 (14/16), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_...] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (15/16), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Digest verification failed for libcurl4-7.20.0-33.1.i586.rpm. Expected ef235bb05c155b78659bc3356b88f4a88b255e20, found d37f038a4f933efbdb10bc73cfb93946750420c6.
Continue? [yes/NO]:
Failed to provide Package libcurl4-7.20.0-33.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_...] Can't provide file './i586/libcurl4-7.20.0-33.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libcurl4-7.20.0-33.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i

Given that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?

TIA,
Pete

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Thursday 25 March 2010, 18:34:30 Hans-Peter Jansen wrote:
Hi,
apart from many connection failures to download.opensuse.org, e.g.:
Retrieving package samba-client-3.5.1-5.1.i586 (145/164), 21.0 M (76.9 M unpacked)
Retrieving: samba-client-3.5.1-5.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11.1/i586/samba-client-3.5.1-5.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: samba-client-3.5.1-5.1.i586.rpm [done (1.7 M/s)]
Installing: samba-client-3.5.1-5.1 [done]
Additional rpm output:
warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
Updating etc/sysconfig/network/dhcp...
and
Retrieving package perl-DBI-1.609-9.1.i586 (131/164), 760.0 K (2.0 M unpacked)
Retrieving: perl-DBI-1.609-9.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_11.1/i586/perl-DBI-1.609-9.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: perl-DBI-1.609-9.1.i586.rpm [done]
Installing: perl-DBI-1.609-9.1 [done]
that are circumvented with retrying, I get really disconcerting failures like:
Retrieving package libssh2-1-1.2.4-3.1.i586 (14/16), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (15/16), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Digest verification failed for libcurl4-7.20.0-33.1.i586.rpm. Expected ef235bb05c155b78659bc3356b88f4a88b255e20, found d37f038a4f933efbdb10bc73cfb93946750420c6.
Continue? [yes/NO]:
Failed to provide Package libcurl4-7.20.0-33.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libcurl4-7.20.0-33.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libcurl4-7.20.0-33.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Given that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?
It gets stranger and stranger: for some reason, the verification for libcurl4 succeeded in another attempt:

The following package is going to be upgraded:
libcurl4-7.20.0-33.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)

The following NEW package is going to be installed:
libssh2-1-1.2.4-3.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)

Overall download size: 228.0 K. After the operation, additional 183.0 K will be used.
Continue? [YES/no]:
committing
Retrieving package libssh2-1-1.2.4-3.1.i586 (1/2), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_...] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (2/2), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Installing: libcurl4-7.20.0-33.1 [done]
committing
CommitResult 2 (errors 0, remaining 0, srcremaining 0)

Now that version binds against libssh2, which wasn't installed obviously.
With the unfriendly result of:

# zypper
zypper: error while loading shared libraries: libssh2.so.1: cannot open shared object file: No such file or directory

Indeed:

# ldd /usr/bin/zypper
linux-gate.so.1 => (0xffffe000)
libzypp.so.523 => /usr/lib/libzypp.so.523 (0xb7363000)
libreadline.so.5 => /lib/libreadline.so.5 (0xb732b000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7237000)
libm.so.6 => /lib/libm.so.6 (0xb720e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb71fe000)
libc.so.6 => /lib/libc.so.6 (0xb70a2000)
librt.so.1 => /lib/librt.so.1 (0xb7098000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb707e000)
libutil.so.1 => /lib/libutil.so.1 (0xb707a000)
libdbus-1.so.3 => /lib/libdbus-1.so.3 (0xb7038000)
librpm-4.4.so => /usr/lib/librpm-4.4.so (0xb6fa1000)
libhal.so.1 => /usr/lib/libhal.so.1 (0xb6f8e000)
libhal-storage.so.1 => /usr/lib/libhal-storage.so.1 (0xb6f82000)
libcurl.so.4 => /usr/lib/libcurl.so.4 (0xb6f2b000)
libxml2.so.2 => /usr/lib/libxml2.so.2 (0xb6dd7000)
libz.so.1 => /lib/libz.so.1 (0xb6dc2000)
libexpat.so.1 => /lib/libexpat.so.1 (0xb6d99000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb6c32000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb6bf5000)
/lib/ld-linux.so.2 (0xb77bb000)
librpmdb-4.4.so => /usr/lib/librpmdb-4.4.so (0xb6aed000)
librpmio-4.4.so => /usr/lib/librpmio-4.4.so (0xb6a0b000)
libdl.so.2 => /lib/libdl.so.2 (0xb6a05000)
libbz2.so.1 => /lib/libbz2.so.1 (0xb69f5000)
libpopt.so.0 => /lib/libpopt.so.0 (0xb69ec000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb69cf000)
libuuid.so.1 => /lib/libuuid.so.1 (0xb69c9000)
libcares.so.2 => /usr/lib/libcares.so.2 (0xb69b8000)
libidn.so.11 => /usr/lib/libidn.so.11 (0xb6986000)
libssh2.so.1 => not found
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb693c000)
libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0xb68f8000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb68ca000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb682b000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb6804000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb6800000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb67fc000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb67e6000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb67d5000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb67bb000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb67b2000)

Well, I restored the libcurl4 version from openSUSE update for now, but this is highly troubling me (and my confidence about openSUSE).

What the hell happens here? Why does libcurl need to bind against libssh2? The libcurl4 changelog just notes:

* Wed Mar 24 2010 crrodriguez@opensuse.org
- enable libssh2 support unconditionally.
* Wed Mar 10 2010 crrodriguez@opensuse.org
- enable libcares support unconditionally.

@crrodriguez: the whole issue might be a red herring, but let's face it: such moves need a bit more verbose description, and given that these libs crept into my system via devel:/languages:/python, while they flag themselves

Distribution: devel:libraries:c_c++ / openSUSE_11.1

doesn't raise users' confidence. In fact, it keeps smelling fishy...

Pete
On Thu, Mar 25, 2010 at 08:46:08PM +0100, Hans-Peter Jansen wrote:
On Thursday 25 March 2010, 18:34:30 Hans-Peter Jansen wrote:
Hi,
apart from many connection failures to download.opensuse.org, e.g.:
Retrieving package samba-client-3.5.1-5.1.i586 (145/164), 21.0 M (76.9 M unpacked)
Retrieving: samba-client-3.5.1-5.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11.1/i586/samba-client-3.5.1-5.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: samba-client-3.5.1-5.1.i586.rpm [done (1.7 M/s)]
Installing: samba-client-3.5.1-5.1 [done]
Additional rpm output:
warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
Updating etc/sysconfig/network/dhcp...
and
Retrieving package perl-DBI-1.609-9.1.i586 (131/164), 760.0 K (2.0 M unpacked)
Retrieving: perl-DBI-1.609-9.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_11.1/i586/perl-DBI-1.609-9.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: perl-DBI-1.609-9.1.i586.rpm [done]
Installing: perl-DBI-1.609-9.1 [done]
that are circumvented with retrying, I get really disconcerting failures like:
Retrieving package libssh2-1-1.2.4-3.1.i586 (14/16), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (15/16), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Digest verification failed for libcurl4-7.20.0-33.1.i586.rpm. Expected ef235bb05c155b78659bc3356b88f4a88b255e20, found d37f038a4f933efbdb10bc73cfb93946750420c6.
Continue? [yes/NO]:
Failed to provide Package libcurl4-7.20.0-33.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libcurl4-7.20.0-33.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libcurl4-7.20.0-33.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Given that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?
It gets stranger and stranger: for some reason, the verification for libcurl4 succeeded in another attempt:
The following package is going to be upgraded: libcurl4-7.20.0-33.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)
The following NEW package is going to be installed: libssh2-1-1.2.4-3.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)
Overall download size: 228.0 K. After the operation, additional 183.0 K will be used.
Continue? [YES/no]:
committing
Retrieving package libssh2-1-1.2.4-3.1.i586 (1/2), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_...] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python' History: - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Perhaps not refreshed?
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (2/2), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Installing: libcurl4-7.20.0-33.1 [done]
committing
CommitResult 2 (errors 0, remaining 0, srcremaining 0)
Now that version binds against libssh2, which wasn't installed obviously. With the unfriendly result of:
Well, I restored the libcurl4 version from openSUSE update for now, but this is highly troubling me (and my confidence about openSUSE).
What the hell happens here? Why does libcurl need to bind against libssh2? The libcurl4 changelog just notes:
* Wed Mar 24 2010 crrodriguez@opensuse.org - enable libssh2 support unconditionally.
* Wed Mar 10 2010 crrodriguez@opensuse.org - enable libcares support unconditionally.
@crrodriguez: the whole issue might be a red herring, but let's face it: such moves need a bit more verbose description, and given that these libs crept into my system via devel:/languages:/python, while they flag themselves
Yes. Why does libcurl4 need libssh2? :/
Distribution: devel:libraries:c_c++ / openSUSE_11.1
doesn't raise users' confidence. In fact, it keeps smelling fishy...
You should not add the Development repos, like devel:libraries:c_c++ or devel:languages:python, for 11.1 directly; they are for Factory staging and so might break 11.1 systems in funny ways.

Why do you need that repo?

Ciao, Marcus
On Thursday 25 March 2010, 21:56:16 Marcus Meissner wrote:
On Thu, Mar 25, 2010 at 08:46:08PM +0100, Hans-Peter Jansen wrote:
On Thursday 25 March 2010, 18:34:30 Hans-Peter Jansen wrote:
Hi,
apart from many connection failures to download.opensuse.org, e.g.:
Retrieving package samba-client-3.5.1-5.1.i586 (145/164), 21.0 M (76.9 M unpacked)
Retrieving: samba-client-3.5.1-5.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11.1/i586/samba-client-3.5.1-5.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: samba-client-3.5.1-5.1.i586.rpm [done (1.7 M/s)]
Installing: samba-client-3.5.1-5.1 [done]
Additional rpm output:
warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
Updating etc/sysconfig/network/dhcp...
and
Retrieving package perl-DBI-1.609-9.1.i586 (131/164), 760.0 K (2.0 M unpacked)
Retrieving: perl-DBI-1.609-9.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_11.1/i586/perl-DBI-1.609-9.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host
Abort, retry, ignore? [A/r/i]: r
Retrieving: perl-DBI-1.609-9.1.i586.rpm [done]
Installing: perl-DBI-1.609-9.1 [done]
that are circumvented with retrying, I get really disconcerting failures like:
Retrieving package libssh2-1-1.2.4-3.1.i586 (14/16), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (15/16), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Digest verification failed for libcurl4-7.20.0-33.1.i586.rpm. Expected ef235bb05c155b78659bc3356b88f4a88b255e20, found d37f038a4f933efbdb10bc73cfb93946750420c6.
Continue? [yes/NO]:
Failed to provide Package libcurl4-7.20.0-33.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libcurl4-7.20.0-33.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libcurl4-7.20.0-33.1.i586.rpm has wrong checksum
Abort, retry, ignore? [A/r/i]: i
Given that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?
It gets stranger and stranger: for some reason, the verification for libcurl4 succeeded in another attempt:
The following package is going to be upgraded: libcurl4-7.20.0-33.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)
The following NEW package is going to be installed: libssh2-1-1.2.4-3.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)
Overall download size: 228.0 K. After the operation, additional 183.0 K will be used.
Continue? [YES/no]:
committing
Retrieving package libssh2-1-1.2.4-3.1.i586 (1/2), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?
[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
 - libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum
Perhaps not refreshed?
Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (2/2), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Installing: libcurl4-7.20.0-33.1 [done]
committing
CommitResult 2 (errors 0, remaining 0, srcremaining 0)
Now that version binds against libssh2, which wasn't installed obviously. With the unfriendly result of:
Well, I restored the libcurl4 version from openSUSE update for now, but this is highly troubling me (and my confidence about openSUSE).
What the hell happens here? Why does libcurl need to bind against libssh2? The libcurl4 changelog just notes:
* Wed Mar 24 2010 crrodriguez@opensuse.org - enable libssh2 support unconditionally.
* Wed Mar 10 2010 crrodriguez@opensuse.org - enable libcares support unconditionally.
@crrodriguez: the whole issue might be a red herring, but let's face it: such moves need a bit more verbose description, and given that these libs crept into my system via devel:/languages:/python, while they flag themselves
Yes. Why does libcurl4 need libssh2? :/
Distribution: devel:libraries:c_c++ / openSUSE_11.1
doesn't raise users' confidence. In fact, it keeps smelling fishy...
You should not add the Development repos, like devel:libraries:c_c++
I never added devel:libraries:c_c++ as a repo. This is part of the reason for this message. As noted before, it came from devel:languages:python, even if tagged as devel:libraries:c_c++. Shouldn't the build system automatically set the correct Distribution: flags?
or devel:languages:python, for 11.1 directly; they are for Factory staging and so might break 11.1 systems in funny ways.
Why do you need that repo?
It contains packages that I work with and that the distribution is missing. Being a Python developer, I'm well prepared to fix any issues arising from badly interacting Python packages when using this repo, and I do understand the risks. On the system in question, I also use devel:languages:perl, since it's the only repo that provides a current spamassassin.

The issues that drove me to write to this ML were merely due to the digest verification failures. Do you have any explanation for these failures, and the even uglier aspect that made one of them vanish arbitrarily?

Thanks,
Pete
Hi,

On 25.03.2010 at 21:56, Marcus Meissner wrote:
@crrodriguez: the whole issue might be a red herring, but let's face it: such moves need a bit more verbose description, and given that these libs crept into my system via devel:/languages:/python, while they flag themselves
Yes. Why does libcurl4 need libssh2? :/
Distribution: devel:libraries:c_c++ / openSUSE_11.1
doesn't raise users' confidence. In fact, it keeps smelling fishy...
You should not add the Development repos, like devel:libraries:c_c++ or devel:languages:python, for 11.1 directly; they are for Factory staging and so might break 11.1 systems in funny ways.
No, the project is used to bring > 600 Python modules to openSUSE 11.2, 11.1 & 11.0, thereby increasing the usefulness of openSUSE. It happens to be _also_ used by Factory. And you certainly wouldn't recommend everybody to use Factory, I guess. Do you really believe that people invest so much time in maintaining all these packages just so that they appear in openSUSE in a year or so? No, these people have a hands-down need for the packages now, and that's not on Factory. In addition, only 20% of those packages end up in Factory. It would certainly be a small catastrophe if devel:languages:python "breaks systems in funny ways".
Why do you need that repo?
It is _the_ place to be when working with Python productively.

Peter
Hans-Peter Jansen wrote:
Given that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?
It gets stranger and stranger: for some reason, the verification for libcurl4 succeeded in another attempt:
download.opensuse.org redirects to mirrors. Maybe one of them has a corrupted package. I don't know if zypper has options to print redirects. You could try fetching the file manually using wget to see which mirror was used though.
Now that version binds against libssh2, which wasn't installed obviously. With the unfriendly result of:
# zypper
zypper: error while loading shared libraries: libssh2.so.1: cannot open shared object file: No such file or directory
Just don't press 'i', i.e. 'ignore', if zypper prompts you, to avoid such errors :-)
@crrodriguez: the whole issue might be a red herring, but let's face it: such moves need a bit more verbose description, and given that these libs crept into my system via devel:/languages:/python, while they flag themselves
Distribution: devel:libraries:c_c++ / openSUSE_11.1
doesn't raise users' confidence. In fact, it keeps smelling fishy...
There's an _aggregate file in devel:languages:python/curl that copies curl binaries from devel:libraries:c_c++ to avoid rebuilding curl in devel:languages:python too.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
On 26.03.2010 at 09:05, Ludwig Nussel wrote:
Hans-Peter Jansen wrote:
Given that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?
It gets stranger and stranger: for some reason, the verification for libcurl4 succeeded in another attempt:
download.opensuse.org redirects to mirrors. Maybe one of them has a corrupted package. I don't know if zypper has options to print redirects. You could try fetching the file manually using wget to see which mirror was used though.
zypper doesn't have such options. (It should... so users could report problems in a way that makes it possible to easily fix them... but well. We haven't.)

But you can check the hashes that the server provides. They are listed in the Metalink of each file, e.g. http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11... Those hashes are authoritative and independent of mirrors. Since the Metalink also lists the mirrors, it's trivial to check if a mirror delivers different content. (Consider though that not all problems are apparent immediately; some occur only sometimes.)

aria2c automatically uses this information to download correct content. That's why openSUSE 11.2 uses aria2c as downloader.

In the near future, it'll be possible to retrieve the hashes simply by appending .sha256, .sha1 or .md5 to a URL.
Now that version binds against libssh2, which wasn't installed obviously. With the unfriendly result of:
# zypper
zypper: error while loading shared libraries: libssh2.so.1: cannot open shared object file: No such file or directory
Just don't press 'i', i.e. 'ignore', if zypper prompts you, to avoid such errors :-)
Good one ;-)

Peter
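The mirror check Peter describes above (read the authoritative digests and the mirror list from a file's Metalink, then see whether each mirror's copy matches), written out as an added example; this is not code from the thread, from zypper or from openSUSE. It assumes the Metalink 3 element layout published by metalinker.org (files/file/verification/hash and resources/url); the mirror hostnames, the payload bytes and the digests are constructed inline so it runs offline.

```python
"""Verify a download against the digests in its Metalink and flag mirrors that
serve something else. Added example, not code from the thread or from openSUSE;
the Metalink 3 layout (files/file/verification/hash and resources/url) follows
metalinker.org, and every URL, payload and digest below is constructed."""
import hashlib
import xml.etree.ElementTree as ET

ML_NS = {"ml": "http://www.metalinker.org/"}

# Constructed stand-ins for the package content: what the build service published,
# and what a mirror with a truncated or stale copy would hand out instead.
GOOD_RPM = b"constructed rpm payload: libssh2-1-1.2.4-3.1.i586\n" * 8
BAD_RPM = GOOD_RPM[:-7]

_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="{name}">
      <size>{size}</size>
      <verification>
        <hash type="md5">{md5}</hash>
        <hash type="sha1">{sha1}</hash>
        <hash type="sha256">{sha256}</hash>
      </verification>
      <resources>
        <url type="http" location="de" preference="100">http://mirror-a.example/{name}</url>
        <url type="http" location="us" preference="90">http://mirror-b.example/{name}</url>
      </resources>
    </file>
  </files>
</metalink>
"""

def build_sample_metalink(name, data):
    """Fill the constructed Metalink so its digests match `data` (keeps the sample self-consistent)."""
    return _TEMPLATE.format(name=name, size=len(data),
                            md5=hashlib.md5(data).hexdigest(),
                            sha1=hashlib.sha1(data).hexdigest(),
                            sha256=hashlib.sha256(data).hexdigest())

def parse_metalink(xml_text):
    """Return (file name, {hash type: hex digest}, [http mirror URLs]) from a Metalink 3 document."""
    root = ET.fromstring(xml_text)
    f = root.find("ml:files/ml:file", ML_NS)
    if f is None:
        raise ValueError("no <file> element in Metalink")
    # Normalise "sha-256" (Metalink 4 spelling) to hashlib's "sha256".
    hashes = {h.get("type").replace("-", "").lower(): h.text.strip().lower()
              for h in f.findall("ml:verification/ml:hash", ML_NS)}
    mirrors = [u.text.strip() for u in f.findall("ml:resources/ml:url", ML_NS)
               if u.get("type") == "http"]
    return f.get("name"), hashes, mirrors

def verify_digests(data, hashes):
    """Compare `data` with every digest the Metalink lists. Returns {type: (expected, found)}
    for the ones that do not match; an empty dict means the bytes are what was published."""
    mismatches = {}
    for algo, expected in hashes.items():
        if algo not in hashlib.algorithms_available:
            continue  # unknown algorithm: cannot judge, so do not guess
        found = hashlib.new(algo, data).hexdigest()
        if found != expected:
            mismatches[algo] = (expected, found)
    return mismatches

def bad_mirrors(hashes, fetched):
    """`fetched` maps mirror URL -> bytes obtained from it (constructed here; in practice one
    download per listed mirror). Returns the mirrors whose copy fails the published digests."""
    return [url for url, data in fetched.items() if verify_digests(data, hashes)]

def demo():
    """Constructed run: mirror-a is in sync, mirror-b hands out the truncated copy."""
    _, hashes, mirrors = parse_metalink(
        build_sample_metalink("libssh2-1-1.2.4-3.1.i586.rpm", GOOD_RPM))
    fetched = {mirrors[0]: GOOD_RPM, mirrors[1]: BAD_RPM}
    return bad_mirrors(hashes, fetched)

if __name__ == "__main__":
    for url in demo():
        print("mirror serves content that fails the Metalink digests:", url)
```

Against a real repository the `fetched` dict would be filled by downloading the file once from each URL the Metalink lists; a mirror that fails only sometimes, as Peter notes, needs repeated fetches before it shows up.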
participants (4)
- Hans-Peter Jansen
- Ludwig Nussel
- Marcus Meissner
- Peter Pöml