
Bug#835195: apt: "apt-get update" segfaults in pkgAcquire::Queue::Cycle() with specific apt-line.



On Tue, Aug 23, 2016 at 09:34:00PM +0900, Tatsuki Sugiura wrote:
> When I add the following apt-line to /etc/sources.list, "apt-get update" 
> always segfaults.
> 
> -------------------
> deb http://ftp.arege.jp/debian-arege unstable ALL
> -------------------

The segfault shouldn't happen of course and I have a fix for that, but
please realize that this repository operates on borrowed time, which is
why I am cc'ing the proclaimed repository provider and am writing this
mail as a warning.

The repository is unsigned – apt-get (not 'apt'!) will allow the use of
these repositories with a big warning by default in Debian stretch, but
afterwards it will be disabled for apt-get as well. It already is for apt,
aptitude, synaptic, …

Worse, it doesn't have any sort of security information in its Release file
which is very bad from a security POV – and the redirection on the
domain plays a role in this bug, too. So, even when apt is fixed (the
commit notification should follow soon) it is far from all good in terms
of apt and this repository.


The error message shown (by apt) for such repositories is btw:
E: The repository 'http://ftp.arege.jp/debian-arege unstable Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

And a fixed apt-get produces this set:
W: The repository 'http://ftp.arege.jp/debian-arege unstable Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: No Hash entry in Release file /home/donkult/var/lib/apt/lists/partial/ftp.arege.jp_debian-arege_dists_unstable_Release
W: Invalid 'Date' entry in Release file /home/donkult/var/lib/apt/lists/partial/ftp.arege.jp_debian-arege_dists_unstable_Release
E: Failed to fetch http://ftp.arege.jp/debian-arege/dists/unstable/ALL/i18n/Translation-en  404  Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.


Best regards

David Kalnischkies

Attachment: signature.asc
Description: PGP signature
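
The missing hash entries and invalid 'Date' reported in the W: lines of the mail above can be checked for in any Release file before a repository is added to a system. The following is an added example, not part of the original mail and not apt's own code; the function names, finding codes and sample Release contents are constructed, and the date check uses Python's RFC 2822 parser as a stand-in for apt's.

```python
from email.utils import parsedate_to_datetime

STRONG = ("SHA256", "SHA512")  # assumption: hashes treated as acceptable here
WEAK = ("MD5Sum", "SHA1")      # still listed by old repositories, not relied upon

def parse_release(text):
    """Parse the single deb822 stanza of a Release file into {field: value}."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":               # continuation of a multi-line field
            if current is not None:
                fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, value = line.split(":", 1)
            fields[current] = value.strip()
    return fields

def hash_entries(fields, name):
    """Return the 'digest size path' entries listed under one hash field."""
    lines = fields.get(name, "").splitlines()
    return [l.split() for l in lines if len(l.split()) == 3]

def audit_release(text, signed):
    """Return finding codes; an empty list means these basic checks passed."""
    fields, findings = parse_release(text), []
    if not signed:                         # no InRelease / Release.gpg was served
        findings.append("unsigned")
    if not any(hash_entries(fields, h) for h in STRONG):
        weak = any(hash_entries(fields, h) for h in WEAK)
        findings.append("weak-hash-only" if weak else "no-hash")
    try:
        parsedate_to_datetime(fields["Date"])
    except (KeyError, TypeError, ValueError):
        findings.append("bad-date")
    return findings

# Constructed sample inputs (not taken from the repository in this report).
BAD_RELEASE = "Origin: example\nSuite: unstable\nDate: 2016-08-23\nComponents: ALL\n"
GOOD_RELEASE = (
    "Origin: example\nSuite: unstable\n"
    "Date: Tue, 23 Aug 2016 12:34:00 UTC\n"
    "SHA256:\n"
    " " + "0" * 64 + " 1234 main/binary-amd64/Packages\n"
)

if __name__ == "__main__":
    print(audit_release(BAD_RELEASE, signed=False))
    print(audit_release(GOOD_RELEASE, signed=True))
```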

