Bug 1087829

Summary: Installer continues despite digest verification failure
Product: [openSUSE] openSUSE Tumbleweed Reporter: Jean Delvare <jdelvare>
Component: InstallationAssignee: YaST Team <yast-internal>
Status: RESOLVED WORKSFORME QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P4 - Low CC: jdelvare
Version: Current   
Target Milestone: ---   
Hardware: i686   
OS: All   
URL: https://trello.com/c/cwzB977M
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Picture of the dialog

Description Jean Delvare 2018-04-03 06:42:15 UTC 
Due to bug #1087824, installing Tumbleweed results in error "Digest verification failed" for me at the moment. The dialog box offers to continue ("OK") or stop ("Back") at this point. "Back" is the default choice, which seems safe. However if I press Enter, the installation continues, effectively bypassing the digest verification.

The installer should stop if the user selects "Back" on digest verification failure.
Comment 1 Steffen Winterfeldt 2018-04-03 08:40:04 UTC 
Which dialog do you mean, exactly? Do you have at least a screen shot?
Comment 2 Jean Delvare 2018-04-03 11:34:49 UTC 
Created attachment 765767 [details]
Picture of the dialog
Comment 3 Steffen Winterfeldt 2018-04-03 11:56:07 UTC 
This particular translation file is optional. If you skip it, the installation can still continue.

This mirror site looks a bit desolate to me. If you actually get yast started this would mean you are redirected to different mirrors for different parts of the installation system. Which would be a bit weird in itself.

I don't see much I could do here.
Comment 4 Jean Delvare 2018-04-03 13:10:15 UTC 
What is the purpose of yast2-trans-en_US.rpm, and why do we bother downloading it if installation works just the same without it? As a user, I am not able to say if yast2-trans-en_US.rpm is being used or not. Everything looks the same, whether I answer "OK" or "Back" to this dialog.

As a user, I have no idea which packages are optional and which are mandatory. The dialog says that I can stop or continue in insecure more. It does not say that I can skip this package and continue without it - which is what is actually happening, right? This is where the confusion comes from.

If some packages are considered optional, then this dialog should be different for optional packages. Currently the dialog says "stop or continue in insecure more", but the code does "skip this package or continue in insecure mode."

For optional packages, the user should be explicitly given an extra option when there is a problem: continue without this package (in secure mode.)

If you are not going to do that then I would argue that all packages should be considered mandatory, so that the dialog is always aligned with the code. As long as the dialog and the code behind are not aligned, it will look like a bug.
Comment 5 Steffen Winterfeldt 2018-04-03 13:30:46 UTC 
yast2-trans-en_US are the en_US translations (used mainly for spelling corrections).

While this is all true you normally do not run into this situation. And security is not compromised as files failing signature checks are not used.

I can still schedule this but there's unlikely to happen anything anytime soon.


Tracking in YaST scrum board.
Comment 6 Stefan Hundhammer 2024-01-09 14:52:52 UTC 
For starters, this was in linuxrc, not YaST.
And, as mentioned, those digests are an optional thing.

This was 5+ years ago with no duplicates, and nothing bad happened anyway.

Closing.