does not notice "Deleted" versions when accepting uploads which leads to corrupted md5 cache

I'm marking it as 'won't fix' because there is nothing we can do about this problem right now, either it get fixed by a new upload or we have to spend time investigating why a-f caches are corrupted.

Shouldn't you be debugging (with high priority) an issue that creates broken indices, particularly as the md5sums provide the only form of security?

this sounds like throwing security out the window, because you can't be bothered to fix it. Ouch.

How are we sure that the rest of them are right? This would tend to cause apt to fall over, if the md5sum is wrong, and bugs to get filed on the affected packages - where this is actually a launchpad bug. I'm not sure that's overly sensible.

Michael,

Can you help us to debug the current a-f caches used in drescher and find 'if' and 'why' they got corrupted. I can copy the caches to another machine in DC (they have 2.3G in total).

Thanks in advance.

I note that debmirror will refuse to update a mirror in this situation, so no mirrors using debmirror will update until this is fixed.

If you run debmirror with --ignore-small-errors it will complete.

Michael,

I've re-generated a-f caches in dogfood (took around 4 hours) and it fixed the problem, see http://archive.dogfood.launchpad.net/ubuntu/dists/hardy/

I don't think this is the only solution available, but it's nice to have it as an alternative.

Any resolution on the horizon?

I get this while using debmirror to create a local, private mirror for my company. Using the --ignore-small-errors allowed me to complete the mirror, but the security issues by not checking the md5's leaves me with a bad taste in my mouth.

Indeed, I feel it would look very unprofessional to say the least if Hardy were to be released in a state in which it cannot be securely mirrored. Surely it is a simple matter for the right person to fix this?

I've uploaded no-change version-bumps for the two source packages. This likely won't fix Gutsy's mirroring, but it will be okay Hardy. Soyuz still needs to be fixed (or rather, the caches regenerated), so I've re-opened that part of the bug.

motu-release ack.

This bug was fixed in the package mobile-player - 0.4ubuntu1

---------------
mobile-player (0.4ubuntu1) hardy; urgency=low

  * No-change version bump to work around LP: #174038.

 -- Kees Cook <email address hidden> Mon, 21 Apr 2008 14:13:47 -0700

This bug was fixed in the package mobile-application-service - 0.9-6

---------------
mobile-application-service (0.9-6) hardy; urgency=low

  * No-change version-bump to work around LP: #174038.

 -- Kees Cook <email address hidden> Mon, 21 Apr 2008 14:14:29 -0700

Part of the problem will be fixed by bug #300533 (the package indexes will contain correct checksums). However we should spot conflicting binary versions earlier and refuse to publish them in binary-upload-time (resulting in explicit failed-to-upload builds)