[Piuparts-devel] Bug#884899: piuparts-master: piuparts-report should validate Packages hashes against Release

Andreas Beckmann anbe at debian.org
Thu Dec 21 04:29:04 UTC 2017


Package: piuparts-master
Severity: important

As a protection against network problems piuparts-report should validate
the downloaded Packages and Sources files against the md5/sha* hashes in
the Release files. There is no point in verifying the Release signatures
(that is done by apt in the slave chroot anyway).

I had just observed that piuparts-report archived half a section after
it downloaded a partial Packages.xz due to some network problems. That
probably didn't result in an (ignored) download error.

piuparts-master could do the same, but the impact there will be much
smaller: it might not send out new work or discard the logfiles it
receives.

As a quick hack to limit the impact of network glitches we should limit
the archival to 1000 packages per section and piuparts-report run.


Andreas
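
A sketch of the check proposed in the report above, added here as an example and not taken from piuparts: it parses the SHA256 field of a Release file and compares a downloaded index against the listed size and digest, which catches a truncated download. The function names, the sample path and the sample Release text are constructed for illustration.

```python
import hashlib

def parse_release_hashes(release_text, field="SHA256"):
    """Return {relative path: (hex digest, size)} for one checksum field of a Release file."""
    entries = {}
    in_field = False
    for line in release_text.splitlines():
        if line.startswith(" "):
            # Continuation line of the current field: " <digest> <size> <path>"
            parts = line.split()
            if in_field and len(parts) == 3:
                entries[parts[2]] = (parts[0].lower(), int(parts[1]))
        else:
            # Any non-indented line starts a new field and ends the previous one.
            in_field = line.rstrip() == field + ":"
    return entries

def verify_index(data, path, entries, algo="sha256"):
    """Check downloaded bytes against the Release entry; return (ok, reason)."""
    if path not in entries:
        return False, "not listed in Release"
    digest, size = entries[path]
    if len(data) != size:
        # A partial download fails here before any hashing is needed.
        return False, "size mismatch: got %d, expected %d" % (len(data), size)
    if hashlib.new(algo, data).hexdigest() != digest:
        return False, "%s mismatch" % algo
    return True, "ok"

# Constructed sample data. Compressed variants such as Packages.xz are listed
# in Release under their own path and are checked the same way on the raw bytes.
SAMPLE_PATH = "main/binary-amd64/Packages"
SAMPLE_PACKAGES = b"Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n\n" * 20
SAMPLE_RELEASE = (
    "Suite: unstable\n"
    "SHA256:\n"
    " %s %8d %s\n"
    "SHA512:\n"
    " %s %8d %s\n"
) % (hashlib.sha256(SAMPLE_PACKAGES).hexdigest(), len(SAMPLE_PACKAGES), SAMPLE_PATH,
     hashlib.sha512(SAMPLE_PACKAGES).hexdigest(), len(SAMPLE_PACKAGES), SAMPLE_PATH)

if __name__ == "__main__":
    listed = parse_release_hashes(SAMPLE_RELEASE)
    print(verify_index(SAMPLE_PACKAGES, SAMPLE_PATH, listed))
    print(verify_index(SAMPLE_PACKAGES[:500], SAMPLE_PATH, listed))
```

A caller would skip archival for a section whenever the check does not return ok.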


