Comment 3 for bug 1098738

Michael Vogt (mvo) wrote : Re: [Bug 1098738] Re: apt-get source only checks md5 hashes in Sources files

On Sat, Jan 12, 2013 at 02:24:09PM -0000, Marc Deslauriers wrote:
> Steps to reproduce in a newly-installed Quantal VM:
>
> 1- apt-get update
> 2- Modify /var/lib/apt/lists/*Sources file to break sha1 and sha256 sums of 'hello' package
> 3- apt-get source hello
>
> I would expect this to fail, but it doesn't.
>
> If you then modify *Sources again to break the md5 sum of the 'hello'
> package, apt-get source hello then fails as expected.
>
> In apt-get.cc, DoSource() seems to do:
>
> new pkgAcqFile(&Fetcher,Last->Index().ArchiveURI(I->Path),
> I->MD5Hash,I->Size,
> Last->Index().SourceInfo(*Last,*I),Src);

Thanks for your bug report. Indeed, the debsrcrecords.cc parser is just
looking at the "Files" section in the source package record AFAICT,
not the new Checksums-{sha1,sha256}.

For a long time the server had no sha{1,256} information in the Source
records. But now that it has, there seem to be some issues here too,
e.g. the quantal partner archive has:
"""
Files:
 54ed74fd2fc267d562d35c219c5c33f5 14131200 adobe-flashplugin_11.2.202.261.orig.tar.gz
 f486992e58f025bdbd4cbeb57c7751da 5213 adobe-flashplugin_11.2.202.261-0quantal1.diff.gz
 273e471dbdc98bd28f3d2693ad41dea8 1739 adobe-flashplugin_11.2.202.261-0quantal1.dsc
Checksums-Sha1:
 3daa3f68d64940489c04077c5db3123102218fdd 14131200 adobe-flashplugin_11.2.202.261.orig.tar.gz
 69b3cce479651bafe11282ee8efd86a103f90baf 5213 adobe-flashplugin_11.2.202.261-0quantal1.diff.gz
Checksums-Sha256:
 c70cfd0df681b3d686c7d1a0bc3f911dd16a5f0710af9fbc3dabdb7be26851db 14131200 adobe-flashplugin_11.2.202.261.orig.tar.gz
 bc339b8e637ae0b99ac009528c1a9f7401322b9a7323d3988af9dfbdac39b944 5213 adobe-flashplugin_11.2.202.261-0quantal1.diff.gz
"""

I.e. for the .dsc file there is just an md5, not a sha available; it would
be good to figure out why this is the case. Interestingly the main
archive seems to be ok.

I attached a first iteration of a fix, it needs a test and it also
needs some tweaking, see the FIXMEs. The other issue is that
technically in this form it breaks API as there is the rename MD5Hash
-> Hash. We could leave the misleading name I guess.

Cheers,
 Michael
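
The record layout discussed in this message can be audited with a short script. The following is an added example, not code from this message or from apt: it parses one Sources stanza, merges the Files, Checksums-Sha1 and Checksums-Sha256 fields per file, and reports files that carry nothing stronger than MD5. All function names and the sample stanza (dummy digests) are constructed for illustration.

```python
import re

# Per-file hash fields of a Sources stanza, weakest to strongest.
HASH_FIELDS = [("Files", "md5"), ("Checksums-Sha1", "sha1"),
               ("Checksums-Sha256", "sha256")]
ENTRY = re.compile(r"^([0-9a-f]+)\s+(\d+)\s+(\S+)$")

def parse_checksums(stanza):
    """Return {filename: {"size": int, "md5": ..., "sha1": ..., "sha256": ...}}."""
    files, algo = {}, None
    for line in stanza.splitlines():
        if line[:1] in (" ", "\t"):        # continuation of the current field
            body = line.strip()
        else:                              # new field: remember its hash type
            name, _, body = line.partition(":")
            algo = dict(HASH_FIELDS).get(name.strip())
            body = body.strip()
        m = ENTRY.match(body) if algo else None
        if not m:
            continue
        digest, size, fname = m.group(1), int(m.group(2)), m.group(3)
        entry = files.setdefault(fname, {"size": size})
        if entry["size"] != size:          # fields must agree on the size
            raise ValueError(f"size mismatch between hash fields for {fname}")
        entry[algo] = digest
    return files

def strongest(entry):
    """Pick the strongest hash recorded for one file as (algo, digest)."""
    for _, algo in reversed(HASH_FIELDS):
        if algo in entry:
            return algo, entry[algo]
    raise ValueError("no hash recorded")

def md5_only(files):
    """Names of files for which the record has nothing stronger than MD5."""
    return sorted(f for f, e in files.items() if strongest(e)[0] == "md5")

# Constructed sample stanza (dummy digests): the .dsc appears only under Files.
SAMPLE = "\n".join([
    "Package: example",
    "Files:",
    " " + "a" * 32 + " 1000 example_1.0.orig.tar.gz",
    " " + "b" * 32 + " 50 example_1.0-1.dsc",
    "Checksums-Sha256:",
    " " + "c" * 64 + " 1000 example_1.0.orig.tar.gz",
])

if __name__ == "__main__":
    print(md5_only(parse_checksums(SAMPLE)))
```
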