http://www.novell.com/linux/security/advisories/2006_09_gpg.html
The given MD5 5098f06cba2e38aa0b5181fb3f9cd7f3 for the SUSE 10.0 GnuPG 1.4.2-5.2 source RPM
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.2.src.rpm
is wrong, on my machine I get
fe3233bc0b60f6fa67ac6f062af2c793.
But the rpm seems to be signed correctly with the package key 0x9c800aca
Malte
Hi!
On Monday 27 February 2006 23:30, Malte Gell wrote:
http://www.novell.com/linux/security/advisories/2006_09_gpg.html
The given MD5 5098f06cba2e38aa0b5181fb3f9cd7f3 for the SUSE 10.0 GnuPG 1.4.2-5.2 source RPM
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.2.src.rpm
is wrong, on my machine I get
fe3233bc0b60f6fa67ac6f062af2c793.
But the rpm seems to be signed correctly with the package key 0x9c800aca
Malte
Full ACK, I get:
david@imladris:/srv/ftp/pub/suse/i386/update/10.0/rpm/src> md5sum gpg-1.4.2-5.2.src.rpm fe3233bc0b60f6fa67ac6f062af2c793 gpg-1.4.2-5.2.src.rpm
Something wrong with the md5 announced by SuSE...
FYI: I got the package via rsync from ftp.hosteurope.de.
On Mon, Feb 27, 2006 at 11:30:38PM +0100, Malte Gell wrote:
http://www.novell.com/linux/security/advisories/2006_09_gpg.html
The given MD5 5098f06cba2e38aa0b5181fb3f9cd7f3 for the SUSE 10.0 GnuPG 1.4.2-5.2 source RPM
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.2.src.rpm
is wrong, on my machine I get
fe3233bc0b60f6fa67ac6f062af2c793.
But the rpm seems to be signed correctly with the package key 0x9c800aca
This is a problem of the MD5 generation in the advisory tool, not a problem.
The cause is that we have multiple SRPMs for the 10.0 distribution, but only one gets copied to the ftp tree (because it is shared for i386,x86_64,ppc and ppc64).
So our advisory tool added the wrong one in this case.
We will try to avoid this in the future.
Ciao, Marcus
On Tuesday 28 February 2006 15:19, Marcus Meissner wrote:
On Mon, Feb 27, 2006 at 11:30:38PM +0100, Malte Gell wrote:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.2. src.rpm is wrong, on my machine I get fe3233bc0b60f6fa67ac6f062af2c793. But the rpm seems to be signed correctly with the package key 0x9c800aca
This is a problem of the MD5 generation in the advisory tool, not a problem.
The cause is that we have multiple SRPMs for the 10.0 distribution, but only one gets copied to the ftp tree (because it is shared for i386,x86_64,ppc and ppc64).
Thanx for the explanation. But, just out of curiosity, if you can offer one single src.rpm for 3 platforms, why do you need multiple src.rpms internally at Novell/SUSE?
Regards Malte
On Tue, Feb 28, 2006 at 06:58:02PM +0100, Malte Gell wrote:
On Tuesday 28 February 2006 15:19, Marcus Meissner wrote:
On Mon, Feb 27, 2006 at 11:30:38PM +0100, Malte Gell wrote:
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/gpg-1.4.2-5.2. src.rpm is wrong, on my machine I get fe3233bc0b60f6fa67ac6f062af2c793. But the rpm seems to be signed correctly with the package key 0x9c800aca
This is a problem of the MD5 generation in the advisory tool, not a problem.
The cause is that we have multiple SRPMs for the 10.0 distribution, but only one gets copied to the ftp tree (because it is shared for i386,x86_64,ppc and ppc64).
Thanx for the explanation. But, just out of curiosity, if you can offer one single src.rpm for 3 platforms, why do you need multiple src.rpms internally at Novell/SUSE?
They are generated during RPM build. Currently we have 3 trees active for 10.0 that provide gpg packages, the i386, x86_64 and ppc trees.
RPMs from all of them are merged for updates to result in 1 update repository, so 3 gpg SRPMs are merged into one. Due to different build times they have different md5s.
(Internally we store our sources not as SRPMs, but in an unpacked way nearly identical to the SOURCES/ and SPECS/ directory.)
Ciao, Marcus
-
David Huecking -
Malte Gell -
Marcus Meissner