Chet Murthy wrote:
> Today I was updating, and I noticed that the testing/Release file has
> a bad signature, and that that signature is -different- from the
> signature on the same file from http.us.debian.org.
>
> I wouldn't know if this is innocuous or dangerous -- figured I should
> report it.

Yes, and it's a good idea to not continue installing when this happens, even though the chances are it's a mirror inconsistency and not a security issue. http.us.debian.org has 5 mirrors behind it, if any one of them breaks and apt happens to pick it to use, you lose.

Today's breakage is on the mirror at IP 128.101.240.212, which has:

    [ ] Release      12-Mar-2006 15:13   35k
    [ ] Release.gpg  10-Mar-2006 15:14    1k

Obviously a Release.gpg file created 2 days ago isn't going to match today's Release file. I'm not sure how this happened, but apparently the new one was not mirrored in. Perhaps it will be fixed tomorrow.

I've personally stopped using the http.us.debian.org mirror rotation, and just choose one mirror in the set, such as saens.debian.org. Of course since the mirror that broke today _is_ saens.debian.org, it obviously doesn't solve all these problems, but it makes tracking down the breakage easier since you only have to look on one mirror. And can change to another one, like mirrors.kernel.org, if the one you're using breaks.

I'd be especially leery of using http.us.debian.org if I had more than one machine using it behind the same DNS server. Round robin DNS works by the server giving out the next address on the list to each client, so if you update multiple machines it becomes more likely that one will try to use the bad mirror. And it's nearly 5 times as likely that any one of the mirrors in http.us.debian.org will be broken than that any single mirror will be broken.

--
see shy jo
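
The per-mirror check described in the message above, as an added example that is not part of the original message: it parses directory-index lines in the format quoted there and flags a mirror whose Release.gpg is older than its Release. The function names and the two `.example` mirrors are assumptions made for illustration, and the timestamp comparison is only a triage heuristic for finding the stale mirror, not a substitute for the signature check apt performs.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# One index line: "[ ] <name> DD-Mon-YYYY HH:MM <size>"
ENTRY = re.compile(
    r"^\[\s*\]\s+(\S+)\s+(\d{2})-([A-Z][a-z]{2})-(\d{4})\s+(\d{2}):(\d{2})\s+\S+$")

# First listing is the one quoted in the message; the other two are constructed.
LISTINGS = {
    "128.101.240.212": "[ ] Release 12-Mar-2006 15:13 35k\n"
                       "[ ] Release.gpg 10-Mar-2006 15:14 1k\n",
    "mirror-b.example": "[ ] Release 12-Mar-2006 15:13 35k\n"
                        "[ ] Release.gpg 12-Mar-2006 15:14 1k\n",
    "mirror-c.example": "[ ] Release 12-Mar-2006 15:13 35k\n",
}

def parse_listing(text):
    """Return {filename: mtime} for every index line that parses."""
    files = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group(3) in MONTHS:
            name, day, mon, year, hh, mm = m.groups()
            files[name] = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm))
    return files

def check_mirror(text):
    """Classify one mirror: 'ok', 'stale-signature' or 'missing'."""
    files = parse_listing(text)
    if "Release" not in files or "Release.gpg" not in files:
        return "missing"
    # Release.gpg is a detached signature over Release, so a copy older than
    # Release is very likely a signature made for an earlier Release file.
    if files["Release.gpg"] < files["Release"]:
        return "stale-signature"
    return "ok"

def audit(listings):
    """Map each mirror address to its classification."""
    return {host: check_mirror(text) for host, text in listings.items()}

if __name__ == "__main__":
    for host, status in audit(LISTINGS).items():
        print(f"{host}: {status}")
```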