
Bug#776152: provide meaningful exit codes for network failures



Package: apt
Severity: important

When "apt-get update" fails the program exits with a 0 status.
It would be useful if it exited with a non-zero status in that case
(or if there were a switch to tell it to do so).

This is similar to bug 41053 [1] from 1999, that says it's fixed, but it
doesn't say how it was fixed and it's apparently unfixed.

See output (shortened a little).

> sudo apt-get update
>   Could not resolve 'ecurity.debian.org'
> Hit http://ftp.us.debian.org wheezy Release

> Reading package lists... Done
> W: Failed to fetch http://ecurity.debian.org/dists/wheezy/updates/Release.gpg  Could not resolve 'ecurity.debian.org'
>
> W: Some index files failed to download. They have been ignored, or old ones used instead.
> ~ $ echo $?
> 0

(For demonstration purposes, I just added a defunct deb line
deb http://ecurity.debian.org wheezy/updates main contrib non-free)

Detecting such situations in scripts is important. At least if you
really care if some extra repository gets used during a build script or
if you care about an image being built as verifiable / reproducible as possible.

Otherwise an adversary could just prevent one from connecting to a
repository one cares to receive upgrades from (such as
security.debian.org), which would effectively render apt-get's security
check for expired release files (valid-until field) [2] [3] ineffective.

There is also another issue related to exit codes. [4]

Cheers,
Patrick

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=41053
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
[3] http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745735
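
The failure mode described in the report above, as an added example that is not part of the original message or of apt: a POSIX shell wrapper that scans the update output for the warning strings quoted in the report and returns non-zero when they appear. The function names, the sample output (constructed from the report's transcript) and the use of status 100 for this case are assumptions of the example.

```shell
#!/bin/sh
# Added example: make a build script fail when "apt-get update" could not
# reach a repository, even though apt-get itself exits with status 0.

# Constructed sample: the output quoted in the report, for offline testing.
sample_failed_update() {
    printf '%s\n' \
        "Hit http://ftp.us.debian.org wheezy Release" \
        "Reading package lists... Done" \
        "W: Failed to fetch http://ecurity.debian.org/dists/wheezy/updates/Release.gpg  Could not resolve 'ecurity.debian.org'" \
        "W: Some index files failed to download. They have been ignored, or old ones used instead."
}

# Return 0 if the update output on stdin reports a failed download.
# The patterns are the two warning strings shown in the report.
update_output_has_failure() {
    grep -Eq '^W: (Failed to fetch|Some index files failed to download)'
}

# Run an update command (default: apt-get update) and return non-zero if
# it exits non-zero or if its output reports a failed fetch.
# Usage: checked_update [command [args...]]
checked_update() {
    [ "$#" -gt 0 ] || set -- apt-get update
    status=0
    # LC_ALL=C keeps the messages untranslated so the patterns match;
    # 2>&1 is needed because the warnings are written to stderr.
    out=$(LC_ALL=C "$@" 2>&1) || status=$?
    printf '%s\n' "$out"
    if [ "$status" -ne 0 ]; then
        return "$status"
    fi
    if printf '%s\n' "$out" | update_output_has_failure; then
        echo "update reported failed downloads; treating as an error" >&2
        return 100   # assumption: reuse apt-get's documented error status
    fi
    return 0
}
```

In a build script, `checked_update || exit 1` stops the build when a configured repository such as security.debian.org was unreachable and stale indexes would otherwise be used.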

