:: Re: [DNG] beowulf-security (armhf)
Página Inicial
Delete this message
Reply to this message
Autor: Florian Zieboll
Data:  
CC: dng
Assunto: Re: [DNG] beowulf-security (armhf)
On Mon, 21 Dec 2020 14:12:21 +0100
"dng@???" <dng@???> wrote:

> On 21-12-2020 13:50, Florian Zieboll via Dng wrote:
> > On Mon, 21 Dec 2020 11:49:47 +0100
> > "dng@???" <dng@???> wrote:
> >
> >> On 21-12-2020 11:41, Florian Zieboll via Dng wrote:
> >>> Hallo,
> >>>
> >>> since yesterday, on /one/ of my two 'armhf' SBCs running Beowulf,
> >>> updating the available packages from the 'beowulf-security' repo
> >>> at 'http://deb.devuan.org/merged/' fails with a hash sum mismatch:
> >>>
> >>>     E: Failed to fetch
> >>>     http://deb.devuan.org/merged/dists/beowulf-security/main/binary-armhf/Packages.gz
> >>>     Hash Sum mismatch Hashes of expected file:
> >>>         - Filesize:313442 [weak]
> >>>         -
> >>>     SHA256:8bb364c5751d0f71cec2b6f62e460430dc10255dbdaa04824f8b4f4bfdb4056d
> >>>     Hashes of received file:
> >>>         -
> >>>     SHA256:e88fc4cfd052a1eab057ff1c61fbaa31e00d926bd513e9f629a9def18492bcc9
> >>>         - Filesize:313442 [weak]
> >>>        Last modification reported: Mon, 21 Dec 2020 03:21:07 +0000
> >>>        Release file created at: Mon, 21 Dec 2020 03:30:03 +0000

> >>>
> >>> I tried to update using TLS, but then I get a cert error:
> >>>
> >>>     Err:4 https://deb.devuan.org/merged beowulf-security
> >>>     Release Certificate verification failed: The certificate is
> >>> NOT trusted. The name in the certificate does not match the
> >>> expected. Could not handshake: Error in the certificate
> >>> verification. [IP: 195.85.215.180 443]

> >>>
> >>> The served certificate had been issued for
> >>> 'devuan.packet-gain.de':
> >>>
> >>>     Serial Number
> >>>     03:BD:C3:B7:3A:5C:21:6F:C2:AE:E3:EE:7F:EB:25:C6:64:0B

> >>>
> >>>     SHA-256
> >>>     24:8E:31:3C:3D:41:98:FC:CC:33:5A:D1:5A:70:4E:43:84:19:FF:9E:7E:B9:51:D6:49:A2:95:86:A4:9B:7B:AB

> >>>
> >>>     SHA-1
> >>>     D9:91:FF:59:E0:0E:86:1C:81:57:C0:EF:C2:71:72:04:8C:33:D8:5E

> >>>
> >>> The same happens with 'http://pkgmaster.devuan.org/merged' - as
> >>> already mentioned only with one device, the other one updates
> >>> fine.
> >>>
> >>> Is there any spare light to be shed on this issue?
> >>>
> >>> Thanks and best regards,
> >>> Florian
> >>>
> >> You could try to use https://devuan.packet-gain.de temporary
> >> instead of http://deb.devuan.org/merged/.
> >
> > Hallo Nick,
> >
> > thank you for the suggestion, but this solves the server certificate
> > problem only: The hash sum mismatch for the release file afterwards
> > remains. I suspect(ed, see below) a local issue on my side, as my
> > other armhf beowulf device with the identical 'beowulf-security'
> > line in the 'sources.list' updates (updated) fine.
> >
> > I tried with two suggestions from a websearch:
> >
> > After running
> >
> >     $ apt-get clean
> >     $ rm -rf /var/lib/apt/lists/*
> >     $ apt-get clean

> >
> > 'apt update' came up with a second hashsum mismatch, for the
> > 'beowulf/main' repository. Now I get
> >
> >     E: Failed to fetch
> > http://deb.devuan.org/merged/dists/beowulf/main/binary-armhf/Packages.gz
> > Hash Sum mismatch Hashes of expected file:
> >         - Filesize:10453353 [weak]
> >         -
> > SHA256:82e4bb0928025f1aa75bdb03eab02ff23c213531feb135a418f17c3c70e59e41
> > Hashes of received file:
> >         -
> > SHA256:80faa01ad41a6b626c699919112b8d5800db448f1237a5bdd3196f05b71a2f2d
> >         - Filesize:10453353 [weak]
> >        Last modification reported: Mon, 21 Dec 2020 03:21:00 +0000
> >        Release file created at: Mon, 21 Dec 2020 03:30:02 +0000
> >     E: Failed to fetch
> > http://deb.devuan.org/merged/dists/beowulf/main/Contents-armhf.gz
> > E: Failed to fetch
> > http://deb.devuan.org/merged/dists/beowulf-security/main/binary-armhf/Packages.gz
> > Hash Sum mismatch Hashes of expected file:
> >         - Filesize:313442 [weak]
> >         -
> > SHA256:8bb364c5751d0f71cec2b6f62e460430dc10255dbdaa04824f8b4f4bfdb4056d
> > Hashes of received file:
> >         -
> > SHA256:e88fc4cfd052a1eab057ff1c61fbaa31e00d926bd513e9f629a9def18492bcc9
> >         - Filesize:313442 [weak]
> >        Last modification reported: Mon, 21 Dec 2020 03:21:07 +0000
> >        Release file created at: Mon, 21 Dec 2020 03:30:03 +0000
> >     E: Failed to fetch
> > http://deb.devuan.org/merged/dists/beowulf-security/main/Contents-armhf.gz  

> >
> >
> > Running
> >
> >     $ apt-get -o Acquire::BrokenProxy="true" -o
> > Acquire::http::No-Cache="true" -o Acquire::http::Pipeline-Depth="0"
> > update

> >
> > did not result in any further changes, also after repeating the 'apt
> > clean' attempt. Therefore, with these two repos not available, the
> > upgrade wants to pull in all the packages from pinned (150)
> > backports.
> >
> >
> > In the meantime, my other 'armhf' device started to get hash sum
> > mismatches on update as well. For better visibility, I embezzle the
> > third error for 'beowulf-updates':
> >
> >     E: Failed to fetch
> > http://deb.devuan.org/merged/dists/beowulf/main/Contents-armhf.gz
> > Hash Sum mismatch Hashes of expected file:
> >         - Filesize:31984703 [weak]
> >         -
> > SHA256:b2c022ec6bfc1544e75a4c4619e525c4028fdee374ea5af5723cfe501d3986be
> > Hashes of received file:
> >         -
> > SHA256:1bf6ed78d1d42ff2742845e31eedd35a97e90657aea0779715a5ca0ba365bfd2
> >         - Filesize:31984703 [weak]
> >        Last modification reported: Sun, 20 Dec 2020 01:36:34 +0000
> >        Release file created at: Mon, 21 Dec 2020 03:30:02 +0000
> >     E: Failed to fetch
> > http://deb.devuan.org/merged/dists/beowulf-security/main/Contents-armhf.gz
> > Hash Sum mismatch Hashes of expected file:
> >         - Filesize:36 [weak]
> >         -
> > SHA256:77a4c02b866715c333d61d7f0968893bfccc4bd3f19dadf74178b0a722c05cf2
> > Hashes of received file:
> >         -
> > SHA256:8a54ddffbc409e34ac4c037acf36a6c2b6ac8a44a66ec798c37a097c9f341f9a
> >         - Filesize:36 [weak]
> >        Last modification reported: Sun, 20 Dec 2020 01:36:39 +0000
> >        Release file created at: Mon, 21 Dec 2020 03:30:03 +0000

> >
> >
> > Interestingly, both systems seem to expect different files
> > (regarding file size and hash), while on each system the 'expected'
> > and 'received' file sizes do concur with each other and the
> > rejected files' hashes do not change over several runs.
> >
> >
> > thanks and libre Grüße,
> > Florian
>
> Hallo Florian,
>
> Did you try with another mirror in your apt list? That worked for me
> some time ago. It could be that the official Contents-armhf.gz at
> deb.devuan.org is of later date than used mirror.
>
> Grtz
>
> Nick



Hallo Nick,

yes, I had tried with 'deb.devuan.org', 'packages.devuan.org' and just
now another time with 'pkgmaster.devuan.org', which all resolve to
different IP addresses. And 'devuan.packet-gain.de', but I guess that
one doesn't count, as it had been chosen by the 'roundr' at
'deb.devuan.org'.

Oh, and the armbian repo now started failing, too - with a file /size/
mismatch. But this error is not persistent, it shows up only every
third or fourth try:

    E: Failed to fetch https://armbian.hosthatch.com/apt/dists/buster/main/binary-armhf/Packages.gz File has unexpected size (646152 != 645022). Mirror sync in
    progress? [IP: 31.220.4.23 443]
       Hashes of expected file:
        - Filesize:645022 [weak]
        -
    SHA512:e9b50990aeb3dd9f4c608ee350f2ea3acfaba3bbd21c1cc6f7c78922fd6f907f98cb6e3bf150204a32457905f10cef668e9bfd51dbf7c16f1ff1ec7ce252a7b0
        -
    SHA256:4aa7297cdf610d0d64fea6959c9965e2edeac241d7ca9a15f978e9997cd37ac1
        - SHA1:a50b9b3eab88be5842801af7dd4211bbf5fc19c2 [weak]
        - MD5Sum:caf79173376defef63fe679386fd6eb3 [weak]
       Release file created at: Sat, 12 Dec 2020 15:07:27 +0000
    E: Failed to fetch
    https://armbian.systemonachip.net/apt/dists/buster/main/Contents-armhf  



So this probably happens on a networking layer...!? But why so consistently?


libre Grüße,
Florian