Bug#973259: marked as done (dpkg-scanpackages: local development repos fail due to missing sha512 hashes)

Mon, 14 Mar 2022 19:51:30 -0700 

Your message dated Tue, 15 Mar 2022 03:48:13 +0100
with message-id <Yi/[email protected]>
and subject line Re: Bug#973259: dpkg-scanpackages: local development repos 
fail due to missing sha512 hashes
has caused the Debian Bug report #973259,
regarding dpkg-scanpackages: local development repos fail due to missing sha512 
hashes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
973259: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973259
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: dpkg-dev
Version: 1.20.5
Severity: important

Today while working on the autopkgtests of an ITP of mine I discovered
that apt fails to install packages from the local repo, seemingly
because of missing sha512 hashes.  Whether intentional or not, the
effect seems to be that apt is enforcing sha512, which isn't a bad
thing, hence this bug!

…
The following NEW packages will be installed:
  libexpat1 libpython3-stdlib libpython3.8-minimal libpython3.8-stdlib 
mime-support python3 python3-atomicwrites python3-attr
  python3-importlib-metadata python3-minimal python3-more-itertools 
python3-packaging python3-pkg-resources python3-pluggy
  python3-py python3-pyparsing python3-pytest python3-six python3-volatile 
python3-wcwidth python3-zipp python3.8
  python3.8-minimal
0 upgraded, 23 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0 B/5889 kB of archives.
After this operation, 22.9 MB of additional disk space will be used.
Get:1 file:/usr/src/repo/amd64 ./ python3-volatile 2.1.0-1 [5356 B]
Err:1 file:/usr/src/repo/amd64 ./ python3-volatile 2.1.0-1
  Hash Sum mismatch
  Hashes of expected file:
   - SHA256:1210131215ad632c8eb4d09b0448ce680ca9805aaf4ec9b3b99ee2161537f93c
   - SHA1:fc1517b001fe9361d18a31f0d63daac366f93c8e [weak]
   - MD5Sum:e9c3ec5e3d437c610566fa2d24baee47 [weak]
   - Filesize:5356 [weak]
   - 
SHA512:779d3b466eb7cff946f6efebce7374803ec4afd6631ace49e02073d1da4fa98a4b1449e0e207dff6b32e11f735b29b04298a05632dcc077469ecfc674b0cab5d
  Hashes of received file:
   - 
SHA512:d2330098a34a54fe68a57ef12ce79260bb0eeddea3df251e9e4bbd1588dc0e46904ee89cc9e6bf44d8c0a910caedcc1b9c582066f7402ff264d7dc130d7f79c4
   - SHA256:1210131215ad632c8eb4d09b0448ce680ca9805aaf4ec9b3b99ee2161537f93c
   - SHA1:fc1517b001fe9361d18a31f0d63daac366f93c8e [weak]
   - MD5Sum:e9c3ec5e3d437c610566fa2d24baee47 [weak]
   - Filesize:5356 [weak]
  Last modification reported: Tue, 27 Oct 2020 21:23:22 +0000
W: Sources disagree on hashes for supposely identical version '2.1.0-1' of 
'python3-volatile:amd64'.
E: Failed to fetch 
file:/usr/src/repo/amd64/../pool/python3-volatile_2.1.0-1_all.deb  Hash Sum 
mismatch
   Hashes of expected file:
    - SHA256:1210131215ad632c8eb4d09b0448ce680ca9805aaf4ec9b3b99ee2161537f93c
    - SHA1:fc1517b001fe9361d18a31f0d63daac366f93c8e [weak]
    - MD5Sum:e9c3ec5e3d437c610566fa2d24baee47 [weak]
    - Filesize:5356 [weak]
    - 
SHA512:779d3b466eb7cff946f6efebce7374803ec4afd6631ace49e02073d1da4fa98a4b1449e0e207dff6b32e11f735b29b04298a05632dcc077469ecfc674b0cab5d
   Hashes of received file:
    - 
SHA512:d2330098a34a54fe68a57ef12ce79260bb0eeddea3df251e9e4bbd1588dc0e46904ee89cc9e6bf44d8c0a910caedcc1b9c582066f7402ff264d7dc130d7f79c4
    - SHA256:1210131215ad632c8eb4d09b0448ce680ca9805aaf4ec9b3b99ee2161537f93c
    - SHA1:fc1517b001fe9361d18a31f0d63daac366f93c8e [weak]
    - MD5Sum:e9c3ec5e3d437c610566fa2d24baee47 [weak]
    - Filesize:5356 [weak]
   Last modification reported: Tue, 27 Oct 2020 21:23:22 +0000
E: Unable to fetch some archives, maybe run apt-get update or try with 
--fix-missing?
autopkgtest [18:15:29]: ERROR: testbed failure: apt repeatedly failed to 
download packages


Regards,
Nicholas

--- End Message ---
--- Begin Message --- 
Hi!

On Tue, 2020-11-17 at 19:56:24 +0100, Guillem Jover wrote:
> On Tue, 2020-10-27 at 18:30:43 -0400, Nicholas D Steeves wrote:
> > Package: dpkg-dev
> > Version: 1.20.5
> > Severity: important
> 
> > Today while working on the autopkgtests of an ITP of mine I discovered
> > that apt fails to install packages from the local repo, seemingly
> > because of missing sha512 hashes.  Whether intentional or not, the
> > effect seems to be that apt is enforcing sha512, which isn't a bad
> > thing, hence this bug!
> 
> But sha256 is not weak, so that should be enough, the problem seems
> to be something else. I've already implemented this locally, but I'm
> afraid it would need coordination with at least ftp-masters as DAK
> might actually reject such .dsc and .changes files.
> 
> Hmm, but I tried to reproduce this, and I'm unable to, downloaded a
> couple of binary packages, created a Packages file with dpkg-scanpackages,
> and added an entry in apt and updated and nothing broke, so there's
> something else going on:
> 
>   $ mkdir repo
>   $ cd repo
>   $ apt download libbsd0 libmd0
>   $ dpkg-scanpackages . >Packages
>   $ cat <<REPO
>   Types: deb
>   URIs: file:///path-to/repo
>   Suites: ./
>   Trusted: yes
>   REPO
>   $ apt update
> 
> > …
> > Get:1 file:/usr/src/repo/amd64 ./ python3-volatile 2.1.0-1 [5356 B]
> > Err:1 file:/usr/src/repo/amd64 ./ python3-volatile 2.1.0-1
> >   Hash Sum mismatch
> >   Hashes of expected file:
> >    - SHA256:1210131215ad632c8eb4d09b0448ce680ca9805aaf4ec9b3b99ee2161537f93c
> >    - SHA1:fc1517b001fe9361d18a31f0d63daac366f93c8e [weak]
> >    - MD5Sum:e9c3ec5e3d437c610566fa2d24baee47 [weak]
> >    - Filesize:5356 [weak]
> >    - 
> > SHA512:779d3b466eb7cff946f6efebce7374803ec4afd6631ace49e02073d1da4fa98a4b1449e0e207dff6b32e11f735b29b04298a05632dcc077469ecfc674b0cab5d
> >   Hashes of received file:
> >    - 
> > SHA512:d2330098a34a54fe68a57ef12ce79260bb0eeddea3df251e9e4bbd1588dc0e46904ee89cc9e6bf44d8c0a910caedcc1b9c582066f7402ff264d7dc130d7f79c4
> >    - SHA256:1210131215ad632c8eb4d09b0448ce680ca9805aaf4ec9b3b99ee2161537f93c
> >    - SHA1:fc1517b001fe9361d18a31f0d63daac366f93c8e [weak]
> >    - MD5Sum:e9c3ec5e3d437c610566fa2d24baee47 [weak]
> >    - Filesize:5356 [weak]
> >   Last modification reported: Tue, 27 Oct 2020 21:23:22 +0000
> > W: Sources disagree on hashes for supposely identical version '2.1.0-1' of 
> > 'python3-volatile:amd64'.
> > E: Failed to fetch 
> > file:/usr/src/repo/amd64/../pool/python3-volatile_2.1.0-1_all.deb  Hash Sum 
> > mismatch
> 
> Hmm if the hashes are missing, why are they here mismatched?

I'm closing this, as it looks like a repo problem. Please feel free to
reopen, if there's new information, or a recipe on how to reproduce
this.

Thanks,
Guillem

--- End Message ---

Reply via email to