unsigned repomd.xml

frank_from_ch · February 18, 2012, 9:39am

Hi,
I just wanted to check for updates of my OS12.1 and got the message that the file repomd.xml of the repository Index of /update/12.1 would be unsigned. Is it me who has a problem or is it the server?

Cheers
Frank

mjost · February 18, 2012, 10:05am

Hi Frank,

seems to be the server (unfortunately) - I’m getting the same problem.
So: Who can check and fix this ?

Martin

koehli · February 18, 2012, 1:24pm

Good luck.

“Quick, let’s upload that new repomd thingy we played around with, before we all go into the weekend.”

robin_listas · February 18, 2012, 1:43pm

On 2012-02-18 10:06, mjost wrote:
>
> Hi Frank,
>
> seems to be the server (unfortunately) - I’m getting the same problem.
> So: Who can check and fix this ?

You can try write a bugzilla, and wait for Monday

–
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

DenverD · February 18, 2012, 3:09pm

On 02/18/2012 10:06 AM, mjost wrote:
>
> So: Who can check and fix this ?

this page http://en.opensuse.org/openSUSE:Services_help says to notify
admin@opensuse.org

with any luck, that message will find someone awake, even on three day
(USA) weekends…

but, i wouldn’t hold my breath until fixed (until monday is a LONG way
off)…

–
DD http://tinyurl.com/SUSEonDW

frank_from_ch · February 18, 2012, 3:42pm

O.k. I have sent an email to that address. Let’s see what happens.

I do not know what you think about it. But I believe that it should NEVER happen that the central repositories are unsigned.

Cheers
Frank

robin_listas · February 18, 2012, 4:28pm

On 2012-02-18 15:46, frank from ch wrote:

> I do not know what you think about it. But I believe that it should
> NEVER happen that the central repositories are unsigned.

So, what’s the problem? The software stopped, did not install and warned
the admin user.

–
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

frank_from_ch · February 18, 2012, 5:06pm

On the one hand, I agree. Nothing happened except that I do not get any updates for the moment. I could have installed them nevertheless. YAST just asked if I want to continue or not. But do I trust an unsigned repository? Not really! Though if it happens again may be I get used to it and install from an unsigned repository? And what would a more inexperienced user do? Most likely he/she would quite quickly get used to this. And this is were I see the problem. If it should happen that there is a good reason that the repo is unsigned, e.g. that is has been hacked, some users might just think that is just again the stupid server that failed and happily install hacked packages. So, I see two options. Either the repositories remain under all circumstances signed. Or Yast/Zypper does not allow to install packages from repositories which are known that they must have a signature, e.g. official openSUSE update repos.

Though, may be I am just to cautious.

Cheers
Frank

caf4926 · February 18, 2012, 7:31pm

I see it too
SUSE Paste

mjost · February 18, 2012, 7:40pm

Hello,

I somewhat disagree with the "So, what’s the problem? ". I’m currently at my secondary system (at my mothers place). It lacks patches from 1 1/2 months. First thing I tried was to update. On getting the error message, I declined.
Now I have two options, both not looking that bright:

using a system, missing 1 1/ month of patches, some security relevant
patching without knowing what I get

I considered the first option to be the less risky…

Regards

Martin

duncreg · February 18, 2012, 9:03pm

I encountered this issue while installing OpenSUSE 12.1 in VirtualBox. Something’s definitely changed. This time none of the updates were in the form of delta diff files; they were all whole files. This made the update process fly in VirtualBox. Maybe it was downloading malware, and maybe it would be slower for those with very slow Internet connections, but it was really fast.

ned_ulbricht · February 18, 2012, 11:18pm

Bug 747781 - File ‘repomd.xml’ from update repository is unsigned
https://bugzilla.novell.com/show_bug.cgi?id=747781

susequint · February 19, 2012, 5:04am

I’m getting it too.

Maybe it IS hacked, or maybe someone just forgot to update a setting.

pistazienfresser · February 19, 2012, 6:15pm

Me too.

Has anybody not this issue with the openSUSE 12.1 update repository?
Is there any server/mirror with a signed repomd.xml file
(probably with repomd.xml.asc and repomd.xml.key )?

Regards
Martin

Kalenz · February 19, 2012, 6:35pm

Thanks Ned.

Same issue here. Hopefully will get someone’s attention through the bugzilla.
K.

pistazienfresser · February 19, 2012, 6:57pm

Something has changed:

Index of /update/12.1/repodata

repomd.xml.asc 19-Feb-2012 18:28 481
repomd.xml.key 19-Feb-2012 18:27 1.0K

mjost · February 19, 2012, 6:58pm

Hello,

it is fixed. Just updated my system without a problem.
Hope that posting here gets you informed, in case yoiu have set up a notification.

A thank you to the admins !

Martin

pistazienfresser · February 19, 2012, 7:08pm

https://bugzilla.novell.com/show_bug.cgi?id=747781#c13

[reply] -] Comment 13 Ruediger Oertel 2012-02-19 17:33:38 UTC

the repo on the buildservice backend side was not signed for whatever reason,
I’ve manually signed it there and synced again to the staging server,
should hopefully be visible on the outside soon

Yes, thanks to Rüdiger!
Regards
(also) Martin

Kalenz · February 19, 2012, 7:09pm

Yup, looks ok from here too.
I closed the bug.
K.

frank_from_ch · February 19, 2012, 7:21pm

It’s good that it’s solved. But unfortunately the cause remains unknown…

Cheers
Frank