Package: apt
Version: 0.9.7.1
Severity: normal

I stumbled upon this with a mirror which has a broken Release file:

| % wget http://packages.dotdeb.org/dists/squeeze/Release &>/dev/null
| % wget http://packages.dotdeb.org/dists/squeeze/all/binary-amd64/Packages.bz2 &>/dev/null
| % sha1sum Packages.bz2
| dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b Packages.bz2
| % grep dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b Release
| dbd06a25ac7dad9bbbcbbac51e2e8c446fdcc80b 20 all/binary-amd64/Packages.bz2
| % ls -l Packages.bz2
| -rw-r--r-- 1 mika mika 18189 Jul 10 09:48 Packages.bz2

So it's 20 vs. 18189 file size.

For example reprepro refuses to mirror from such a repo unless you're
using "IgnoreRelease: yes" in its configuration.

But when using the following sources.list entry:

  deb http://packages.dotdeb.org/ squeeze all

then apt on the other side will use such a repo just fine.
apt seems to verify just the checksum. It might be worth
informing/warning the user if the file size doesn't match in such a
situation.

regards,
-mika-

Archive: http://lists.debian.org/2012-07-11t11-24...@devnull.michael-prokop.at
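
The check described in the report, as an added example that is not part of the original message and is not apt's or reprepro's code: it parses the SHA1 section of a Release file and compares a downloaded index against both the listed size and the listed hash. The function names are hypothetical and the sample Release text and file contents are constructed to reproduce the "hash matches, size says 20" case.

```python
import hashlib

def parse_release_sha1(release_text):
    """Return {path: (sha1_hex, size)} from the SHA1: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith((" ", "\t")):
            # A non-indented line starts a new field; only "SHA1:" opens our section.
            in_section = line.strip() == "SHA1:"
            continue
        if in_section:
            parts = line.split()
            if len(parts) == 3 and parts[1].isdigit():
                digest, size, path = parts
                entries[path] = (digest.lower(), int(size))
    return entries

def verify_index(release_text, path, data):
    """Check downloaded index bytes against the size AND the SHA1 in Release.

    Returns a list of problems; an empty list means the file matches.
    """
    entries = parse_release_sha1(release_text)
    if path not in entries:
        return [f"{path}: not listed in Release"]
    want_sha1, want_size = entries[path]
    problems = []
    if len(data) != want_size:
        problems.append(
            f"{path}: size mismatch (Release says {want_size}, got {len(data)})")
    if hashlib.sha1(data).hexdigest() != want_sha1:
        problems.append(f"{path}: SHA1 mismatch")
    return problems

# Constructed sample: stand-in file contents and a Release entry whose hash is
# correct for those contents but whose size field is 20, as in the report.
SAMPLE_PATH = "all/binary-amd64/Packages.bz2"
SAMPLE_DATA = b"constructed stand-in for Packages.bz2 contents\n" * 4
SAMPLE_RELEASE = (
    "Origin: example\n"
    "Suite: squeeze\n"
    "SHA1:\n"
    f" {hashlib.sha1(SAMPLE_DATA).hexdigest()} 20 {SAMPLE_PATH}\n"
)

if __name__ == "__main__":
    for problem in verify_index(SAMPLE_RELEASE, SAMPLE_PATH, SAMPLE_DATA):
        print("W:", problem)
```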