[CentOS-devel] kdebindings-3.5.4-6.el5.src.rpm seems to be wrong

Tue Apr 21 22:46:49 UTC 2009
Karanbir Singh <mail-lists at karan.org>

Hi Jeff, thanks for looking into this.

On 04/21/2009 11:14 PM, Jeff Johnson wrote:
>> 1) build some package
>> 2) use dd to truncate some of the payload.
>> 3) sign the package
>> 3) verify the signature.
>>
> If this reproduces the issue, I can pretty easily send you a
> patch that compares before and after header+payload MD5 digest
> and warns/errors if the two values do not match while signing.

This is indeed a part of the situation. The signature was added to a
file that wasn't complete at the time.

However, the problem does not end there. The file on the master server
was then refreshed with the complete srpm on the next rsync (about 12
minutes later) and resigned - but that package never made it down to
the mirrors; they continued to run with the partial srpm even though
they run a complete rsync every 15 minutes from the master.

It's getting a bit late now, but I will try and set up some tests for this
over the next few days and see exactly what caused rsync to ignore this
file in spite of timestamp and filesize being very different.

-- 
Karanbir Singh : http://www.karan.org/  : 2522219 at icq
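
The pre-signing check discussed in this message, sketched as an added example (not rpm's code and not the patch offered in the quoted reply): before signing, compare the header+payload size and MD5 that the build recorded in the signature header with the bytes actually present. It assumes the standard RPM layout (96-byte lead, signature header with size tag 1000 and MD5 tag 1004); the function names are hypothetical and the sample package is constructed.

```python
import hashlib
import struct

LEAD_SIZE = 96                          # fixed-size RPM lead
HDR_MAGIC = b"\x8e\xad\xe8\x01"         # magic of a header structure
SIGTAG_SIZE, SIGTAG_MD5 = 1000, 1004    # header+payload size / MD5 tags


def recorded_digests(blob):
    """Return (size, md5, body_offset) as recorded in the signature header."""
    if blob[LEAD_SIZE:LEAD_SIZE + 4] != HDR_MAGIC:
        raise ValueError("no signature header after the lead")
    nindex, dsize = struct.unpack(">II", blob[LEAD_SIZE + 8:LEAD_SIZE + 16])
    index_at = LEAD_SIZE + 16
    store_at = index_at + 16 * nindex
    size = md5 = None
    for i in range(nindex):
        entry = blob[index_at + 16 * i:index_at + 16 * (i + 1)]
        tag, _type, off, count = struct.unpack(">IIII", entry)
        if tag == SIGTAG_SIZE:
            size = struct.unpack(">I", blob[store_at + off:store_at + off + 4])[0]
        elif tag == SIGTAG_MD5:
            md5 = blob[store_at + off:store_at + off + count]
    end = store_at + dsize
    return size, md5, end + (-end % 8)  # signature header is padded to 8 bytes


def safe_to_sign(blob):
    """True only if header+payload still match what the build recorded."""
    try:
        size, md5, start = recorded_digests(blob)
    except (ValueError, struct.error):  # cut off inside the signature header
        return False
    body = blob[start:]
    return size == len(body) and md5 == hashlib.md5(body).digest()


def build_sample(body):
    """Constructed stand-in for an unsigned package: lead + sig header + body."""
    lead = b"\xed\xab\xee\xdb" + bytes(LEAD_SIZE - 4)
    store = struct.pack(">I", len(body)) + hashlib.md5(body).digest()
    index = (struct.pack(">IIII", SIGTAG_SIZE, 4, 0, 1)      # INT32 at offset 0
             + struct.pack(">IIII", SIGTAG_MD5, 7, 4, 16))   # BIN, 16 bytes
    sig = HDR_MAGIC + bytes(4) + struct.pack(">II", 2, len(store)) + index + store
    return lead + sig + bytes(-len(sig) % 8) + body


if __name__ == "__main__":
    complete = build_sample(b"header+payload" * 100)  # constructed content
    print("complete :", safe_to_sign(complete))
    print("truncated:", safe_to_sign(complete[:-512]))  # as if cut with dd
```

A signing wrapper would call `safe_to_sign` on the file contents and refuse to sign on `False`, since signing recomputes these values over whatever bytes are present.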