[Bug 1078697] Re: Ubuntu archive is missing SHA-1/SHA-256 hashes for some packages

David Kalnischkies 1078697 at bugs.launchpad.net
Sat Jan 12 12:21:38 UTC 2013 

If you wait a bit longer the fix for apt-ftparchive is 3 years old: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567343
That is rev 1875.1.95 in bzr and what pabs refers to as until recently (minus the time needed to get this onto ftp-master box of course) as far as I know.

And of course @mdeslaur, apt-get source does more than just checking
MD5. It does what it does for all other downloads as well: Take the
"best" checksum it knows and is available for checking if it isn't
forced to use another (Acquire::ForceHash). What it does do with MD5
only is checking if the file on the disc matches the file we would
download and if it does skipping the download as already done, which
should be fixed (so that we can drop MD5 at some point) but has no real
security implications as someone with write access to your local disk in
that directory has better things to do …

** Bug watch added: Debian Bug tracker #567343
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567343

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1078697

Title:
  Ubuntu archive is missing SHA-1/SHA-256 hashes for some packages

Status in Launchpad itself:
  Triaged
Status in “apt” package in Ubuntu:
  New

Bug description:
  As part of the Debian derivatives census, we are doing some checks on
  all derivatives. We noticed that a number of source packages are missing
  SHA-1/SHA-256 hashes. You may have inherited this issue from Debian, we
  had the same issue until recently. Here are some sample messages from
  the report below, which is generated daily.

  WARNING: source cvstrac 2.0.1-3: SHA-256 hashes but no hash for the dsc file
  WARNING: source cvstrac 2.0.1-3: SHA-1 hashes but no hash for the dsc file
  WARNING: source diveintopython 5.4-2ubuntu2: no SHA-256 hash
  WARNING: source diveintopython 5.4-2ubuntu2: no SHA-1 hash

  http://dex.alioth.debian.org/census/Ubuntu/check-package-list

  Please ignore the warnings about GPG and InRelease stuff, they are due
  to python-apt not supporting some things in Debian squeeze.

   affects launchpad
   subscribe ubuntu-archive

  -- 
  bye,
  pabs

  http://wiki.debian.org/PaulWise

To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1078697/+subscriptions

More information about the foundations-bugs mailing list