[Bug 1098738] Re: apt-get source only checks md5 hashes in Sources files
Marc Deslauriers
marc.deslauriers at canonical.com
Sat Jan 12 14:24:09 UTC 2013
Steps to reproduce in a newly-installed Quantal VM:
1- apt-get update
2- Modify /var/lib/apt/lists/*Sources file to break sha1 and sha256 sums of 'hello' package
3- apt-get source hello
I would expect this to fail, but it doesn't.
If you then modify *Sources again to break the md5 sum of the 'hello'
package, apt-get source hello then fails as expected.
In apt-get.cc, DoSource() seems to do:
new pkgAcqFile(&Fetcher,Last->Index().ArchiveURI(I->Path),
I->MD5Hash,I->Size,
Last->Index().SourceInfo(*Last,*I),Src);
** Changed in: apt (Ubuntu)
Status: Incomplete => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1098738
Title:
apt-get source only checks md5 hashes in Sources files
Status in “apt” package in Ubuntu:
Confirmed
Bug description:
'apt-get source' only validates the md5 hash in the Sources file.
Ideally, it should check the sha hashes also.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098738/+subscriptions
More information about the foundations-bugs
mailing list