Bug 1087829 - Installer continues despite digest verification failure
Status: CONFIRMED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Installation
Version: Current
Hardware: i686 openSUSE Factory
Priority: P4 - Low
Severity: Normal
Assigned To: YaST Team
Jiri Srain
https://trello.com/c/cwzB977M
Reported: 2018-04-03 06:42 UTC by Jean Delvare
Modified: 2018-04-03 13:30 UTC (History)
Attachments
Picture of the dialog (192.19 KB, image/jpeg)
2018-04-03 11:34 UTC, Jean Delvare

Description Jean Delvare 2018-04-03 06:42:15 UTC
Due to bug #1087824, installing Tumbleweed results in error "Digest verification failed" for me at the moment. The dialog box offers to continue ("OK") or stop ("Back") at this point. "Back" is the default choice, which seems safe. However, if I press Enter, the installation continues, effectively bypassing the digest verification.

The installer should stop if the user selects "Back" on digest verification failure.
Comment 1 Steffen Winterfeldt 2018-04-03 08:40:04 UTC
Which dialog do you mean, exactly? Do you have at least a screen shot?
Comment 2 Jean Delvare 2018-04-03 11:34:49 UTC
Created attachment 765767
Picture of the dialog
Comment 3 Steffen Winterfeldt 2018-04-03 11:56:07 UTC
This particular translation file is optional. If you skip it, the installation can still continue.

This mirror site looks a bit desolate to me. If you actually get yast started this would mean you are redirected to different mirrors for different parts of the installation system. Which would be a bit weird in itself.

I don't see much I could do here.
Comment 4 Jean Delvare 2018-04-03 13:10:15 UTC
What is the purpose of yast2-trans-en_US.rpm, and why do we bother downloading it if installation works just the same without it? As a user, I am not able to say if yast2-trans-en_US.rpm is being used or not. Everything looks the same, whether I answer "OK" or "Back" to this dialog.

As a user, I have no idea which packages are optional and which are mandatory. The dialog says that I can stop or continue in insecure mode. It does not say that I can skip this package and continue without it - which is what is actually happening, right? This is where the confusion comes from.

If some packages are considered optional, then this dialog should be different for optional packages. Currently the dialog says "stop or continue in insecure mode", but the code does "skip this package or continue in insecure mode."

For optional packages, the user should be explicitly given an extra option when there is a problem: continue without this package (in secure mode.)

If you are not going to do that then I would argue that all packages should be considered mandatory, so that the dialog is always aligned with the code. As long as the dialog and the code behind are not aligned, it will look like a bug.
Comment 5 Steffen Winterfeldt 2018-04-03 13:30:46 UTC
yast2-trans-en_US are the en_US translations (used mainly for spelling corrections).

While this is all true, you normally do not run into this situation. And security is not compromised as files failing signature checks are not used.

I can still schedule this, but it's unlikely that anything will happen anytime soon.


Tracking in YaST scrum board.
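
The mismatch between dialog wording and behaviour discussed in comments 4 and 5, as an added example that is not part of the original report and is not YaST or installer code: the offered choices are derived from whether the package is optional, and the default answer never uses a file that failed digest verification. `Item`, `choices_for`, `resolve` and the sample data are hypothetical, and it is an assumption here that "continue in insecure mode" means using the unverified file.

```ruby
require "digest"

# Hypothetical model of the decision discussed in this report; the names are
# illustrative and not taken from YaST or the installer.
Item = Struct.new(:name, :data, :expected_sha256, :optional)

# Choices the dialog offers, so that its wording always matches the behaviour.
# The first entry is the default (what a plain Enter selects).
def choices_for(item)
  base = [:abort, :continue_insecure]
  item.optional ? [:skip_package] + base : base
end

def digest_ok?(item)
  Digest::SHA256.hexdigest(item.data) == item.expected_sha256
end

# Returns [action, use_file]. With no explicit answer the default choice is
# taken, and the default never results in the unverified file being used.
def resolve(item, answer = nil)
  return [:install, true] if digest_ok?(item)

  offered = choices_for(item)
  answer ||= offered.first
  unless offered.include?(answer)
    raise ArgumentError, "#{answer} is not offered for #{item.name}"
  end

  case answer
  when :skip_package      then [:skip_package, false]     # secure, package omitted
  when :abort             then [:abort, false]            # installation stops
  when :continue_insecure then [:continue_insecure, true] # assumption: file is used
  end
end

# Constructed sample data: the expected digest belongs to GOOD, not TAMPERED.
GOOD     = "translation payload"
TAMPERED = "translation payload, altered in transit"
SUM      = Digest::SHA256.hexdigest(GOOD)

if __FILE__ == $PROGRAM_NAME
  optional  = Item.new("yast2-trans-en_US.rpm", TAMPERED, SUM, true)
  mandatory = Item.new("constructed-mandatory.rpm", TAMPERED, SUM, false)
  [optional, mandatory].each do |item|
    puts "#{item.name}: offered=#{choices_for(item).inspect} default=#{resolve(item).inspect}"
  end
end
```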