From bd4a8f51649ee37291c6e07310104a94f4f5fbed Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Mon, 14 Dec 2015 02:18:25 +0100
Subject: show a more descriptive error for weak Release files

If we can't work with the hashes we parsed from the Release file we display now an error message if the Release file includes only weak hashes instead of downloading the indexes and failing to verify them with "Hash Sum mismatch" even through the hashes didn't mismatch (they were just weak). If for some (unlikely) reason we have got weak hashes only for individual targets we will show a warning to this effect (again, befor downloading and failing the index itself).

Closes: 806459
---
 apt-pkg/acquire-item.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'apt-pkg/acquire-item.cc')
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 54a50ff34..7f31d1449 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1075,6 +1075,16 @@ void pkgAcqMetaBase::QueueIndexes(bool const verify) /*{{{*/
 strprintf(ErrorText, _("Unable to find expected entry '%s' in Release file (Wrong sources.list entry or malformed file)"), Target->MetaKey.c_str());
 return;
 }
+ else
+ {
+ auto const hashes = GetExpectedHashesFor(Target->MetaKey);
+ if (hashes.usable() == false && hashes.empty() == false)
+ {
+ _error->Warning(_("Skipping acquire of configured file '%s' as repository '%s' provides only weak security information for it"),
+ Target->MetaKey.c_str(), TransactionManager->Target.Description.c_str());
+ continue;
+ }
+ }
 
 // autoselect the compression method
 std::vector types = VectorizeString(Target->Option(IndexTarget::COMPRESSIONTYPES), ' ');
-- 
cgit v1.2.3-70-g09d2
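Review bot: The new check `hashes.usable() == false && hashes.empty() == false` in the added `else` branch lets an empty hash list fall through to the download path without any message, and nothing in the hunk says why that case is excluded. If this is intentional (for example because targets with no expected hashes at all are rejected later, or only occur when `verify` is false), a short comment above the condition would record it, such as `// an empty list means no hashes are known at all; only a non-empty list with nothing usable counts as weak-only`. The `if` that this `else` pairs with starts above the hunk, so it is not visible here whether the branch is also reached with `verify == false`; if it is, it is worth confirming that dropping the target with only a warning is the desired result in that mode. The body of QueueIndexes continues outside the hunk.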