Bug#322714: debmirror: --ignore-release-gpg doesn't
Baurzhan Ismagulov
I also experience the same problem. Here's an example:
ibr@medeu:~/tmp/h/z$ debmirror /mnt/sda1/ibr/slind/host -p -e http -h www.emdebian.org -r /slind/host -d suffolk -s main -a i386 --postcleanup --ignore-release-gpg
Mirroring to /mnt/sda1/ibr/slind/host from http://anonymous:www.emdebian.org//slind/host/
Arches: i386
Dists: suffolk
Sections: main
Including source.
Will clean up AFTER mirroring.
Attempting to get lock, this might take 2 minutes before it fails.
Get Release files.
[0%] Getting: dists/suffolk/Release... ok
[0%] Getting: dists/suffolk/Release.gpg... dists/suffolk/Release.gpg failed 404 Not Found
dists/suffolk/Release.gpg failed md5sum check, removing
Release signature does not verify, use -v to see the gpg error.
Get Packages and Sources files and other miscellany.
Won't mirror without dists/suffolk/main/binary-i386/Packages.gz signature in Release at /usr/bin/debmirror line 1300.
WARNING: releasing 1 pending lock...
Thanks in advance,
Baurzhan.
--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Goswin von Brederlow
> Hello Goswin,
>
> I also experience the same problem. Here's an example:
>
> ibr@medeu:~/tmp/h/z$ debmirror /mnt/sda1/ibr/slind/host -p -e http -h www.emdebian.org -r /slind/host -d suffolk -s main -a i386 --postcleanup --ignore-release-gpg
> Mirroring to /mnt/sda1/ibr/slind/host from http://anonymous:www.emdebian.org//slind/host/
> Arches: i386
> Dists: suffolk
> Sections: main
> Including source.
> Will clean up AFTER mirroring.
> Attempting to get lock, this might take 2 minutes before it fails.
> Get Release files.
> [0%] Getting: dists/suffolk/Release... ok
> [0%] Getting: dists/suffolk/Release.gpg... dists/suffolk/Release.gpg failed 404 Not Found
> dists/suffolk/Release.gpg failed md5sum check, removing
> Release signature does not verify, use -v to see the gpg error.
> Get Packages and Sources files and other miscellany.
> Won't mirror without dists/suffolk/main/binary-i386/Packages.gz signature in Release at /usr/bin/debmirror line 1300.
> WARNING: releasing 1 pending lock...
>
> Thanks in advance,
> Baurzhan.
Your problem is "Won't mirror without
dists/suffolk/main/binary-i386/Packages.gz signature in Release at
/usr/bin/debmirror line 1300.". The Release.gpg problem is just that
it shows the error of a failed Release.gpg file when such errors are
ignored.
You should encourage www.emdebian.org to add a Release signature. With
the upcoming etch apt-get will complain about it on every run.
MfG
Goswin
Baurzhan Ismagulov
thanks for you fast response!
On Mon, Jul 31, 2006 at 02:06:44PM +0200, Goswin von Brederlow wrote:
> Your problem is "Won't mirror without
> dists/suffolk/main/binary-i386/Packages.gz signature in Release at
> /usr/bin/debmirror line 1300.". The Release.gpg problem is just that
> it shows the error of a failed Release.gpg file when such errors are
> ignored.
Aha, I see Release doesn't have the "MD5Sum:" header. Do I also need the
"SHA1:" header?
> You should encourage www.emdebian.org to add a Release signature. With
> the upcoming etch apt-get will complain about it on every run.
I had already, but wanted to mirror anyway till they fix it. Is there a
way to ignore this problem, too?
Thanks in advance,
Baurzhan.
Goswin von Brederlow
> Hello Goswin,
>
> thanks for you fast response!
>
> On Mon, Jul 31, 2006 at 02:06:44PM +0200, Goswin von Brederlow wrote:
>> Your problem is "Won't mirror without
>> dists/suffolk/main/binary-i386/Packages.gz signature in Release at
>> /usr/bin/debmirror line 1300.". The Release.gpg problem is just that
>> it shows the error of a failed Release.gpg file when such errors are
>> ignored.
>
> Aha, I see Release doesn't have the "MD5Sum:" header. Do I also need the
> "SHA1:" header?
Currently nothing in Debian uses the SHA1 entry and the checksums
there seem to have been completly corrupted by apt-ftparchive until
someone noticed the bug.
So I wouldn't worry about it. Nothing in etch will need them and
probably nothing will even use them.
>> You should encourage www.emdebian.org to add a Release signature. With
>> the upcoming etch apt-get will complain about it on every run.
>
> I had already, but wanted to mirror anyway till they fix it. Is there a
> way to ignore this problem, too?
Add '--ignore-missing-release' to your options. That should turn the
error into warnings.
>
> Thanks in advance,
> Baurzhan.
MfG
Goswin
Baurzhan Ismagulov
On Tue, Aug 01, 2006 at 03:26:02PM +0200, Goswin von Brederlow wrote:
> Add '--ignore-missing-release' to your options. That should turn the
> error into warnings.
thanks much, this works! I still don't understand how this works,
though. The man page says "Don't fail if the Release file is missing",
but I do have that file, which is confusing. Before I can suggest any
improbement, could you perhaps point me to a short current overview of
how this works (what is meant by signature (seems not to mean a hash
encoded with a private key), who checks which signature, and so on)?
With kind regards,
Baurzhan.
Goswin von Brederlow
> Hello Goswin,
>
> On Tue, Aug 01, 2006 at 03:26:02PM +0200, Goswin von Brederlow wrote:
>> Add '--ignore-missing-release' to your options. That should turn the
>> error into warnings.
>
> thanks much, this works! I still don't understand how this works,
> though. The man page says "Don't fail if the Release file is missing",
> but I do have that file, which is confusing. Before I can suggest any
> improbement, could you perhaps point me to a short current overview of
> how this works (what is meant by signature (seems not to mean a hash
> encoded with a private key), who checks which signature, and so on)?
>
> With kind regards,
> Baurzhan.
This is a sideeffect of the support for missing Release files. When
the file is missing the md5sums and sizes for Packages files are
unknown. So the --ignore-missing-release option disables the md5sum
and size check for the Packages files as well as not failing when
Release file can't be found. In your case the Release file can be
found but contains no usefull information (for debmirror), which is
pretty much the same as no Release file. The same code path applies.
A proper Debian archive has the following signatures:
Release.gpg: detached gpg signature for Release
Release: md5sum/size for Packages and Sources files
Packages/Sources: md5sum/size for debs and sources
--ignore-release-gpg ignores any failures related to Release.gpg and
--ignore-missing-release any failures related to Release. For both
downloading and content. Debmirror will always try to use them even
with the options, it just ignores failures.
MfG
Goswin
Baurzhan Ismagulov
On Wed, Aug 02, 2006 at 01:17:29PM +0200, Goswin von Brederlow wrote:
> This is a sideeffect of the support for missing Release files. When
> the file is missing the md5sums and sizes for Packages files are
> unknown. So the --ignore-missing-release option disables the md5sum
> and size check for the Packages files as well as not failing when
> Release file can't be found. In your case the Release file can be
> found but contains no usefull information (for debmirror), which is
> pretty much the same as no Release file. The same code path applies.
Thanks much for the explanation! What do you think about the following:
diff -Naurp debmirror-20051209.orig/debmirror debmirror-20051209/debmirror
--- debmirror-20051209.orig/debmirror 2005-12-09 19:13:09.000000000 +0100
+++ debmirror-20051209/debmirror 2006-08-07 11:25:28.000000000 +0200
@@ -228,7 +228,8 @@ Download at most number of files with ea
=item --ignore-missing-release
-Don't fail if the Release file is missing.
+Don't fail if the Release file is missing or MD5 sums of Packages files
+cannot be verified.
=item --ignore-release-gpg
With kind regards,
Baurzhan.