Package: approx
Version: 5.13-1+b5
Severity: critical
X-Debbugs-Cc: adrelanos@whonix.org, arraybolt3@gmail.com
Set severity as "critical" because this bug may result in systems that
use `approx` being stuck on outdated packages until the sysadmin
notices, potentially hindering the installation of security updates.

approx caches all files that are fetched from a remote apt repository,
including metadata files (InRelease, binary-amd64 files, etc.). However,
approx does not seem to store any metadata that would allow it to
determine when some part of that metadata has gone out of date. Whatever
metadata it downloads the first time is what it continues to show to apt
every time `apt update` is run, theoretically forever. The main hint
the end user will get that this is happening is when they attempt to
install a package that they do not already have installed, and some of
the downloads fail because the metadata references remote files that no
longer exist. (They may also notice that they've not gotten any updates
in a while and start becoming suspicious.)

One can partially mitigate this for some repositories by periodically
deleting the "InRelease" file out of the "dists" subdirectories of all
repositories approx is caching. This works well with the Debian Trixie
repos, which appear to use a "by-hash" naming convention for the
Packages files, presumably so that each time a Packages file changes,
its name changes as well. This does not work so well with, for instance,
deb.torproject.org, which is still using traditional Packages and
Packages.gz files. What ends up happening is that if one periodically
deletes the InRelease files, approx will fetch a new InRelease file from
the repo but continue providing the old Packages(.gz) file, causing apt
to complain about a hash or file size mismatch between the expected
Packages(.gz) file and the one it was actually served by approx.

A full workaround would be to delete the entire metadata cache before
every time one runs a batch of `apt` commands. This is not something the
average sysadmin will know to do, however, so it is very likely they will
simply live with systems not being updated for an extended period of
time, leaving them open to possible security holes in packages that
never get updated.

The "interval" feature in approx.conf appears to be designed to prevent
this exact scenario, and according to /etc/approx.conf it defaults to
60 minutes. I've seen the mentioned issues several times and actually
implemented the InRelease workaround in a production codebase because I
was running into it, so I can only assume that this default isn't being
honored for some reason. (Either that, or I'm doing something
fundamentally wrong with how I use approx.)
My approx.conf file, for reference, is as follows:

debian https://deb.debian.org/debian
debian-security https://deb.debian.org/debian-security
debian-fasttrack https://fasttrack.debian.net/debian-fasttrack
debian-frozen http://snapshot.debian.org/archive/debian/20150609T203313Z
debian-security-frozen http://snapshot.debian.org/archive/debian-security/20150609T203313Z
tpo https://deb.torproject.org/torproject.org
ubuntu http://us.archive.ubuntu.com/ubuntu
kicksecure https://deb.kicksecure.com
whonix https://deb.whonix.org
## Not strictly required. Useful for porting to next major version of Debian.
## Does nothing by itself without a corresponding .sources file.
qubes https://deb.qubes-os.org/r4.2/vm
$cache /var/cache/approx-derivative-maker
$verbose true
$debug true
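
The full workaround described above (dropping the cached metadata before an apt run, rather than only InRelease) written out as an added example; it is not part of this report or of approx. It assumes the cache layout `<cache>/<repo>/dists/...` and `<cache>/<repo>/pool/...`, and the function names and the files in the demo cache are made up here.

```shell
#!/bin/sh
# Added example, not code from the bug report or from approx itself.
# Purges cached apt metadata (every file under each repo's dists/ tree)
# from an approx cache so the next `apt update` refetches InRelease and
# Packages/Sources together. Cached .deb files under pool/ are kept.
# Assumed cache layout: <cache>/<repo>/dists/... and <cache>/<repo>/pool/...

# List cached metadata files older than MAX_AGE_MINUTES (0 = list all).
# Usage: approx_stale_metadata CACHE_DIR [MAX_AGE_MINUTES]
approx_stale_metadata() {
    cache_dir=$1
    max_age=${2:-0}
    [ -d "$cache_dir" ] || return 1
    for dists in "$cache_dir"/*/dists; do
        [ -d "$dists" ] || continue
        if [ "$max_age" -gt 0 ]; then
            find "$dists" -type f -mmin +"$max_age"
        else
            find "$dists" -type f
        fi
    done
}

# Delete everything approx_stale_metadata lists. Removing the whole dists/
# tree, not only InRelease, avoids pairing a fresh InRelease with a stale
# Packages(.gz) file, which is what makes apt report a hash/size mismatch.
approx_purge_metadata() {
    approx_stale_metadata "$1" "${2:-0}" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Build a throwaway cache with a constructed layout and filenames for the
# demonstration; on a real system point the functions at the $cache
# directory from approx.conf (e.g. /var/cache/approx-derivative-maker).
approx_demo_cache() {
    d=$(mktemp -d)
    mkdir -p "$d/tpo/dists/trixie/main/binary-amd64" "$d/tpo/pool/main/t"
    : > "$d/tpo/dists/trixie/InRelease"
    : > "$d/tpo/dists/trixie/main/binary-amd64/Packages.gz"
    : > "$d/tpo/pool/main/t/example_1.0_amd64.deb"   # constructed name
    printf '%s\n' "$d"
}

demo=$(approx_demo_cache)
approx_purge_metadata "$demo"    # max age 0: purge all cached metadata now
ls -R "$demo"                    # only the pool/ file should remain
```

Run approx_purge_metadata against the real cache directory before a batch of apt commands, or from a timer with a max age matching the configured interval, so the metadata apt sees is never older than that.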
-- System Information:
Debian Release: 13.1
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages approx depends on:
ii adduser 3.152
ii bzip2 1.0.8-6
ii curl 8.14.1-2
ii libc6 2.41-12
ii xz-utils 5.8.1-1
approx recommends no packages.
Versions of packages approx suggests:
pn libconfig-model-approx-perl <none>
-- no debconf information