Bug 500017 - software management: wrong digest -- are attacks that selective
Status: RESOLVED DUPLICATE of bug 500388
Alias: None
Product: openSUSE 11.1
Classification: openSUSE
Component: YaST2
Version: Final
Hardware: x86-64 Other
Importance: P5 - None : Normal
Assignee: Jiří Suchomel
QA Contact: Jiri Srain
Reported: 2009-05-01 10:21 UTC by macias -
Modified: 2009-05-07 19:15 UTC

Attachments
y2logs.tgz (8.16 MB, application/x-tgz)
2009-05-05 05:39 UTC, macias -

Description macias - 2009-05-01 10:21:41 UTC
wrong digest: are attacks that selective

Well, it is not a bug report per se, I mean I am not sure -- maybe I am under attack, but it looks a bit suspicious to me, that yast is right.

For some time now, each time I run Yast/SM I get a warning about this or that packages.gz, that its checksum is incorrect. I choose not to use that package and I continue. Next time I run Yast/SM I get another warning -- each time it is only _1_ (one) file affected.

I see possible scenarios here:
a) I am under attack by a very subtle attack method, which is very selective, it affects only one package at a time and it knows when I run yast (maybe yast is infected?)
b) there is some flaw with updating packages -- so for yast it seems the checksum is changed, while in fact the whole package is changed 
c) my HDD is failing, and that failing is very selective
Comment 1 chen zhen 2009-05-05 01:48:28 UTC
Hi Maciej, thanks for reporting. Can you attach the yast2 logs please?
See http://en.opensuse.org/Bugs/YaST
Comment 2 chen zhen 2009-05-05 03:14:40 UTC
https://bugzilla.novell.com/show_bug.cgi?id=500388#c1 related?
Comment 3 macias - 2009-05-05 05:30:48 UTC
The other one looks like a duplicate to me, the only difference is that the reporter didn't tell if this happens for the same package all the time or for various (but one per each launch of yast).
Comment 4 macias - 2009-05-05 05:39:18 UTC
Created attachment 289881
y2logs.tgz
Comment 5 Jiří Suchomel 2009-05-06 09:02:03 UTC
Well, then please try to select another mirror, just like the user in the other bug. I leave the other one open, as I hope Peter Poeml (commenting on the other one) will take care of the servers.

*** This bug has been marked as a duplicate of bug 500388 ***
Comment 6 macias - 2009-05-06 11:07:50 UTC
If anything, the other report is a duplicate.

But the problem is I don't use any mirror explicitly set as repo -- so yast could pick up the best site for me automatically.
Comment 7 Peter Poeml 2009-05-07 19:15:42 UTC
Additional note to all: 

Since errors like this one are, in essence, unavoidable and occur rather frequently, we have been working on a way to handle them as robustly as possible. See 
http://en.opensuse.org/Libzypp/Failover 
and 
https://features.opensuse.org/302923
for more information about this. openSUSE 11.2 will deal with this by simply ignoring accidentally broken/wrong files from whatever mirror, and use intact files wherever available.

The motivation to get this fixed was not only that it is very inconvenient for the users, but also that it is usually quite some work to debug these problems (or even take note of them).
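
The failover behaviour described in comment 7, sketched as an added example that is not part of the bug thread and is not libzypp's code: a file is accepted only if its digest matches the expected value, a mirror serving a wrong copy is skipped, and every rejection is recorded so the bad mirror can be reported. The function names, the mirror names, the use of SHA-256 and the sample data are all assumptions made for illustration; the expected digest is assumed to come from signed repository metadata rather than from the mirror being checked.

```python
import hashlib


class NoIntactCopy(Exception):
    """Raised when no mirror returned a file that passes the digest check."""


def fetch_verified(path, expected_sha256, mirrors, fetch):
    """Return (data, mirror, rejected) for the first mirror with an intact copy.

    mirrors: ordered list of mirror names; fetch(mirror, path) -> bytes.
    rejected: list of (mirror, reason) for every copy that was skipped.
    """
    rejected = []
    for mirror in mirrors:
        try:
            data = fetch(mirror, path)
        except OSError as exc:  # unreachable mirror: fail over, keep the reason
            rejected.append((mirror, f"fetch failed: {exc}"))
            continue
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected_sha256:  # stale or corrupted copy: never use it
            rejected.append((mirror, f"digest mismatch: {actual}"))
            continue
        return data, mirror, rejected
    raise NoIntactCopy(f"{path}: no intact copy on any mirror: {rejected}")


# Constructed sample: three in-memory "mirrors", one stale, one unreachable.
GOOD = b"packages index, current revision\n"
STALE = b"packages index, previous revision\n"
EXPECTED = hashlib.sha256(GOOD).hexdigest()
SAMPLE = {"mirror-a.example": STALE, "mirror-b.example": None, "mirror-c.example": GOOD}


def sample_fetch(mirror, path):
    """Hypothetical fetcher backed by SAMPLE instead of the network."""
    data = SAMPLE[mirror]
    if data is None:
        raise ConnectionError(f"{mirror} unreachable")
    return data


if __name__ == "__main__":
    data, used, rejected = fetch_verified("packages.gz", EXPECTED, list(SAMPLE), sample_fetch)
    print("used:", used)
    for mirror, reason in rejected:
        print("rejected:", mirror, reason)
```

If every mirror fails the check the function raises instead of returning unverified data, so a digest mismatch never silently turns into an accepted file.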