I need some help to see if this is a local internet problem or if the repodata files are incorrect. My script to mirror the repos is failing and I am seeing problems with the checksums for the gz files in repodata. Although the checksums do not match the file name, they match what is in the meta4 files. Can someone else try to download the files with aria2c and run sha256sum to see if the checksum matches what is in the file name? I do not want to create a bug until I can confirm that this is not a local problem. I did not have this problem when I did my sync last week. It started yesterday. The Update-NonOSS repos for 13.1 and 13.2 do not have the problem.
Bit confused: is this a single system or multiple, some 13.1 and some 13.2? Just to make a wild guess: never mix repos from different versions on a single system. If not this, then perhaps you need to explain more about your configuration, since we can’t see over your shoulder.
I have thirty computers here. I found it was better to have a local mirror of the repos instead of trying to get all my computers to connect to the internet to update. We did not have the best internet. So when trying to mirror yesterday, my script failed when testing checksums. I am seeing that the sha256sum does not match the file name, but it does match what is in the meta4 file. The checksum is supposed to match the beginning part of the file name.
My script uses aria2c because it is able to use the MirrorBrain system. The meta4 file that aria2c gets from download.opensuse.org tells the program where it can find local copies of files and what the checksums are. If it finds a bad copy, it will then search for another host. I tried a single file download from a web page and got the same result. The sha256sum did not match the file name. RSYNC is blocked by the firewall, and I do not have control of the firewall. That is why I am asking for others to try and download one of the repodata files and check the checksums.
I did some more digging. When you look into repomd.xml you can see what checksums it is looking for. In the repomd.xml from 24 May you can see that the file name checksum matches the sha256sum checksum. When you look at 15 June, the checksum in the file name does not match either checksum in the repomd.xml file. So we need to find out if there was an error in the build process or if someone is trying to tamper with the repo. If all of the checksums do not match up, then something is wrong.
Dave W
From 15 June
<data type="app-icons">
<location href="repodata/**e401c0934cecc5ad4a07bcce66c1a37c3922cdcdba7afe1ac25e2d9def7859e3**-app-icons.tar.gz" />
<checksum type="sha256">8c2dc6b86b9062a7411afaaf0a996fca529c6cfc535a853ea23fa6856c92dae2</checksum>
<timestamp>1434366265</timestamp>
<size>297314</size>
<open-checksum type="sha256">8f7b053f237ed5a6a788913b5ae13a449e592cb251afe70edef592049128954f</open-checksum>
</data>
From 24 May
<data type="app-icons">
<checksum type="sha256">**de6fdd9cbb1af9b7f7badbaeec96300257ab63494c1616b732a1d48e457b61c7**</checksum>
<open-checksum type="sha256">9dcc80e759e0a51eff37ce8e08cd0dcd461a74590153940dfde18ebd66eff208</open-checksum>
<location href="repodata/**de6fdd9cbb1af9b7f7badbaeec96300257ab63494c1616b732a1d48e457b61c7**-app-icons.tar.gz"/>
<timestamp>1432491310</timestamp>
<size>49994</size>
</data>
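
Added example, not part of the original posts: a Python sketch of the three-way comparison discussed in this thread (hash prefix in the file name, `<checksum>` in repomd.xml, SHA-256 of the downloaded bytes). The names `audit_repomd` and `repomd` and the constructed payload are assumptions; the two app-icons hash pairs are copied from the post above.

```python
import hashlib
import xml.etree.ElementTree as ET

def local(tag):
    # Drop any XML namespace so the lookup works with or without one.
    return tag.rsplit("}", 1)[-1]

def audit_repomd(xml_text, blobs):
    """For each <data> entry compare the hash prefix in the file name, the
    <checksum> element (assumed sha256) and the SHA-256 of the downloaded
    bytes. blobs maps href -> bytes; a file that is absent gives None."""
    report = {}
    for data in ET.fromstring(xml_text).iter():
        if local(data.tag) != "data":
            continue
        child = {local(c.tag): c for c in data}
        href = child["location"].get("href")
        declared = child["checksum"].text.strip().lower()
        name_hash = href.rsplit("/", 1)[-1].split("-", 1)[0].lower()
        body = blobs.get(href)
        actual = hashlib.sha256(body).hexdigest() if body is not None else None
        report[data.get("type")] = {
            "name_matches_checksum": name_hash == declared,
            "content_matches_checksum": None if actual is None else actual == declared,
        }
    return report

def repomd(kind, name_hash, declared):
    """Build a one-entry repomd.xml (constructed, trimmed to the fields used)."""
    return (f'<repomd><data type="{kind}">'
            f'<location href="repodata/{name_hash}-{kind}.tar.gz"/>'
            f'<checksum type="sha256">{declared}</checksum></data></repomd>')

# The two app-icons entries quoted in the post (hashes copied from it).
JUNE = repomd("app-icons",
              "e401c0934cecc5ad4a07bcce66c1a37c3922cdcdba7afe1ac25e2d9def7859e3",
              "8c2dc6b86b9062a7411afaaf0a996fca529c6cfc535a853ea23fa6856c92dae2")
MAY = repomd("app-icons",
             "de6fdd9cbb1af9b7f7badbaeec96300257ab63494c1616b732a1d48e457b61c7",
             "de6fdd9cbb1af9b7f7badbaeec96300257ab63494c1616b732a1d48e457b61c7")

# Constructed file body: content agrees with <checksum>, file name does not.
BODY = b"constructed repodata payload"
RENAMED = repomd("app-icons", "0" * 64, hashlib.sha256(BODY).hexdigest())
RENAMED_BLOBS = {"repodata/" + "0" * 64 + "-app-icons.tar.gz": BODY}

if __name__ == "__main__":
    for doc, blobs in ((MAY, {}), (JUNE, {}), (RENAMED, RENAMED_BLOBS)):
        print(audit_repomd(doc, blobs))
```

A result with `content_matches_checksum` true and `name_matches_checksum` false is the case where the bytes agree with repomd.xml and only the file name disagrees; `content_matches_checksum` false means the downloaded bytes themselves differ from what repomd.xml declares.
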
On 2015-06-16 19:26, dwestf wrote:
>
> My script uses aria2c because it is able to use the MirrorBrain system.
> The meta4 file that aria2c gets from download.opensuse.org tells the
> program where it can find local copies of files and what the checksums
> are. If it finds a bad copy, it will then search for another host. I
> tried a single file download from a web page and got the same result.
> The sha256sum did not match the file name. RSYNC is blocked by the
> firewall, and I do not have control of the firewall. That is why I am
> asking for others to try and download one of the repodata files and check
> the checksums.
Confirm, on 13.1, updates. I downloaded using wget.
As you see, the sha256 in there matches the locally calculated string, but not the file name.
Either the string in the name is incorrect, or is calculated using another algorithm.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
On 2015-06-16 20:36, dwestf wrote:
>
> I did some more digging. When you look into repomd.xml you can see what
> checksums it is looking for. In the repomd.xml from 24 May you can see
> that the file name checksum matches the sha256sum checksum. When you
> look at 15 June, the checksum in the file name does not match either
> checksum in the repomd.xml file. So we need to find out if there was
> an error in the build process or if someone is trying to tamper with
> the repo. If all of the checksums do not match up, then something is
> wrong.
This is only happening in the update repo? It must be an error in how
they are created, I don’t think we both are getting tampered files.
If there are no discrepancies in the non-oss repo, then create a
bugzilla, on security.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)