[ATrpms-users] checksum issues

[Axel Thimm]

Hi,

On Fri, May 26, 2006 at 12:40:12AM -0400, John McNair wrote:
> I am having trouble with checksums in the fedora core 5 atrpms 'updates'
> repo.  I am trying to use the configuration in /etc/yum.repos.d/base.repo
> included in the atrpms-package-config-108-1.rhfc5.at package.

> I used 'zcat primary.xml.gz | xml_pp > foo.out' to make that file easier to
> read.  I found the ntp entry, and it had a checksum of type 'sha' with a
> value of 'c1cea36fd59590dd0f3be799556b5db709769f5b'.  I ran sha1sum on
> ntp-4.2.0.a.20050816-11.FC5.i386.rpm and got
> '7d3380570a9a0a71631dc42f82d2d75adc09eeae'.  So they are indeed different.

Putting the "buggy" checksum into google:

http://www.google.com/search?q=c1cea36fd59590dd0f3be799556b5db709769f5b

one sees that (again) the original package indeed had this checksum,
when it was announced.

What I think happened is that some packages probably made it to the
repo unsigned or signed with the wrong key. The checksums were
computed and then someone discovered it, and silently replaced the
packages with re-signed ones. Breaking of course the checksums in the
metadata and the announcement emails.

I guess I will have to wipe away all checksums and let the system
recompute them. Until it happens again :(
-- 
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.atrpms.net/pipermail/atrpms-users/attachments/20060526/3159fb8f/attachment-0001.bin