Bug 500388

Summary: oss source repository gives invalid checksumm
Product: [openSUSE] openSUSE.org Reporter: Olli Artemjev <grey-olli>
Component: Download InfrastructureAssignee: E-mail List <bnc-team-screening>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: bluedzins, grey-olli, mittov
Version: unspecified   
Target Milestone: ---   
Hardware: i686   
OS: openSUSE 11.1   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Olli Artemjev 2009-05-02 18:29:52 UTC 
User-Agent:       Opera/9.64 (X11; Linux i686; U; en) Presto/2.1.1

---- Sat May 02, 22:25:06 , ~
acer15 # zypper ref
Repository 'Old SuSE (11.0)' is up to date.
Repository 'SuSE factory (audio stuff)' is up to date.
Repository 'latest Wine' is up to date.
Repository 'latest mozilla' is up to date.
Repository 'openSUSE:Factory:Contrib' is up to date.
Repository 'packman' is up to date.
Repository 'Main Repository (NON-OSS)' is up to date.
Digest verification failed for packages.DU.gz. Expected c2c47b2bea12224005074a4a1dff2abb66ec28f0, found 0e90c879133dc4ac7b63acd021c0969cc24d00e6. Continue? [yes/NO]: NO
Retrieving repository 'openSUSE-11.1-Source' metadata [error]
Repository 'openSUSE-11.1-Source' is invalid.
packages.DU.gz has wrong checksum
Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'openSUSE-11.1-Source' because of the above error.
Repository 'openSUSE-11.1-Update' is up to date.
Repository 'Main Repository (OSS)' is up to date.
Repository 'videolan' is up to date.
Some of the repositories have not been refreshed because of an error.

---- Sat May 02, 22:25:29 , ~
acer15 #


I've added http://download.opensuse.org/source/distribution/11.1/repo/oss/ as a openSUSE-11.1-Source .

Sorry, donno where to report this - probably wrong place.:(

Reproducible: Always



Expected Results:  
Someone should resign repository files?
Comment 1 Peter Poeml 2009-05-04 10:07:56 UTC 
You are on 11.1, correct?  There is only a few mirrors offering the source packages. One of them does have a file that is not correct. The following is the output of a tool which lists all known sources of the file in question, downloads it and shows a checksum:   % mb file ls -p --md5 source/distribution/11.1/repo/oss/suse/setup/descr/packages.DU.gz eu de  100 ok       ok   ftp.hosteurope.de               200 690df10bdfaf21dbe32833494240b823 eu de  100 ok       ok   ftp.uni-ulm.de                  200 2741fdf230f17e7e9a79a9a4b0ade5ca sa ar  100 ok       ok   opensuse.patan.com.ar           200 690df10bdfaf21dbe32833494240b823 sa br  100 ok       ok   c3sl.ufpr.br                    200 690df10bdfaf21dbe32833494240b823  So, the file coming from ftp.uni-ulm.de can't be correct. If your zypper happens to download that file, it will fail. zypper in 11.2 will be robust against such failures, but 11.1 doesn't have any error handling for that. In addition, logging is very bad and the logs won't tell us which mirror was used, but I'm quite sure that the above is enough evidence.  (We'll have to disable the mirror, talk to the admin and investigate.)
Comment 2 Olli Artemjev 2009-05-05 22:33:02 UTC 
Yep, I'm on 11.1 .
BTW - could you tell output from 'rpm -qf `whih mb`' ?

And the checksumm is still wrong (for  http://download.opensuse.org/source/distribution/11.1/repo/oss/). 

Thanks for details - I've moved to one of mirrors giving correct checksumm.
Comment 3 Jiří Suchomel 2009-05-06 09:02:03 UTC 
*** Bug 500017 has been marked as a duplicate of this bug. ***
Comment 4 Peter Poeml 2009-05-07 13:59:16 UTC 
I was looking further a few days ago, and found something interesting.
The metalink hashes were outdated, and had wrong timestamps which caused
them to not being updated. I'm not sure what caused this; there seems to
have been a respin of the source tree in January, and maybe the
timestamps got hosed when we re-setup the download server after a major
disk crash in March. The wrong metalinks confused me and caused Dirk
(who was trying to reproduce this bug with his Factory installation) to
run into this bug seperately.

Also, I notified the university of Ulm and they'll update the copy soon.
Until then, I have disabled the mirror.

I verified that the three remaining mirrors deliver this file correctly.
Thus, I consider this bug fixed (I'll reenable the other mirror later).

You can use download.opensuse.org again.

# rpm -qf `which mb`
mirrorbrain-tools-2.8-5.3
The tools is useful only with access to the mirror database.
Sorry, I could have mentioned this.
Comment 5 Peter Poeml 2009-05-07 14:06:07 UTC 
*** Bug 497719 has been marked as a duplicate of this bug. ***
Comment 6 Peter Poeml 2009-05-07 19:16:31 UTC 
Additional note to all: 

Since errors like this one are, in essence, unavoidable and occur rather
frequently, we have been working on a way to handle them as robustly as
possible. See 
http://en.opensuse.org/Libzypp/Failover 
and 
https://features.opensuse.org/302923
for more information about this. openSUSE 11.2 will deal with this by simply
ignoring accidentally broken/wrong files from whatever mirror, and use intact
files whereever available.

The motivation to get this fixed was not only that it is very inconvenient for
the users, but also that it is usually quite some work to debug these problems
(or even take note of them).