
Bug#986899: [pre-approval] unblock: apt/2.2.3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: jak@debian.org

Please unblock package apt

[ Reason ]

Fix downloading packages from repositories without a Size field; those
fail if the unsized package is the largest one on the server that's in
the pipeline.

Add warnings for such repositories, to actually surface such
repositories.

We also fix a unit test to not trigger a test failure and hence FTBFS.
This only got triggered on Ubuntu's LTO toolchain so far, but is an
actual bug - it's unclear why we haven't seen it before.

[ Impact ]

Repositories without Size fields, such as those generated by pulp,
will have failing downloads.

Without the warning, users will have no clear deprecation, and the error
in 2.3.y that will land in bookworm will be hard on them.

The test case fix should not have any impact on bullseye; well it
_should_ not have worked before. It's mostly there for other
downstreams, but I can't rule out the possibility of it triggering at
some point after a toolchain update or by luck or whatever :D

[ Tests ]

We have added automatic integration tests for the unsized package
stuff; and the unit test is, well, a unit test itself.

[ Risks ]

CI that checks for APT warnings will fail on broken repositories, as
they'll get the warning :)

The maximum pipeline size now being calculated correctly for unsized
packages should not cause any issue, as that could have returned 0
(unknown) before already; though in practice, most times, you don't end
up with packages with unknown size.

If you don't have a repo without a Size field, there should be no risk,
as none of the code paths should be triggered.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock apt/2.2.3

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
diff -Nru apt-2.2.2/apt-pkg/acquire-item.cc apt-2.2.3/apt-pkg/acquire-item.cc
--- apt-2.2.2/apt-pkg/acquire-item.cc	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/apt-pkg/acquire-item.cc	2021-04-13 17:53:32.000000000 +0200
@@ -3469,6 +3469,12 @@
 		    Version.VerStr(), Version.ParentPkg().FullName(false).c_str());
       return;
    }
+   if (FileSize == 0 && not _config->FindB("Acquire::AllowUnsizedPackages", false))
+   {
+      _error->Warning("Repository is broken: %s (= %s) has no Size information",
+		      Version.ParentPkg().FullName(false).c_str(),
+		      Version.VerStr());
+   }
 
    // Check if we already downloaded the file
    struct stat Buf;
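Review bot: the new `if (FileSize == 0 && ...)` check carries no comment saying that a FileSize of 0 stands for "the index had no Size field", and as far as this hunk shows an explicit `Size: 0` would get the same "has no Size information" message. A one-line comment above the check stating that, and that Acquire::AllowUnsizedPackages only silences the warning while the download proceeds either way, would help the next reader. The warning is raised per package version, so a repository with no Size fields at all prints one line for every affected package; worth confirming that volume is intended.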
diff -Nru apt-2.2.2/CMakeLists.txt apt-2.2.3/CMakeLists.txt
--- apt-2.2.2/CMakeLists.txt	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/CMakeLists.txt	2021-04-13 17:53:32.000000000 +0200
@@ -200,7 +200,7 @@
 # Configure some variables like package, version and architecture.
 set(PACKAGE ${PROJECT_NAME})
 set(PACKAGE_MAIL "APT Development Team <deity@lists.debian.org>")
-set(PACKAGE_VERSION "2.2.2")
+set(PACKAGE_VERSION "2.2.3")
 string(REGEX MATCH "^[0-9.]+" PROJECT_VERSION ${PACKAGE_VERSION})
 
 if (NOT DEFINED DPKG_DATADIR)
diff -Nru apt-2.2.2/debian/changelog apt-2.2.3/debian/changelog
--- apt-2.2.2/debian/changelog	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/debian/changelog	2021-04-13 17:53:32.000000000 +0200
@@ -1,3 +1,16 @@
+apt (2.2.3) unstable; urgency=medium
+
+  * tests: Check for and discard expected warning from MaybeAddAuth. For some
+    reason, this was only noticed with LTO enabled, but should be a general
+    issue.
+  * Fix downloads of unsized files that are largest in pipeline (LP: #1921626)
+  * Warn on packages without a Size field. Such repositories are broken and
+    need to be fixed, as we do not test apt against them, see the bug above
+    for more details. Set Acquire::AllowUnsizedPackages to disable the
+    warning.
+
+ -- Julian Andres Klode <jak@debian.org>  Tue, 13 Apr 2021 17:53:32 +0200
+
 apt (2.2.2) unstable; urgency=medium
 
   [ David Kalnischkies ]
diff -Nru apt-2.2.2/doc/apt-verbatim.ent apt-2.2.3/doc/apt-verbatim.ent
--- apt-2.2.2/doc/apt-verbatim.ent	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/doc/apt-verbatim.ent	2021-04-13 17:53:32.000000000 +0200
@@ -274,7 +274,7 @@
 ">
 
 <!-- this will be updated by 'prepare-release' -->
-<!ENTITY apt-product-version "2.2.2">
+<!ENTITY apt-product-version "2.2.3">
 
 <!-- (Code)names for various things used all over the place -->
 <!ENTITY debian-oldstable-codename "buster">
diff -Nru apt-2.2.2/doc/examples/configure-index apt-2.2.3/doc/examples/configure-index
--- apt-2.2.2/doc/examples/configure-index	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/doc/examples/configure-index	2021-04-13 17:53:32.000000000 +0200
@@ -257,6 +257,7 @@
   AllowInsecureRepositories "<BOOL>";
   AllowWeakRepositories "<BOOL>";
   AllowDowngradeToInsecureRepositories "<BOOL>";
+  AllowUnsizedPackages "<BOOL>";
   // allow repositories to change information potentially breaking user config like pinning
   AllowReleaseInfoChange "<BOOL>"
   {
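Review bot: `AllowUnsizedPackages` is listed here directly after the Allow*Repositories switches, but nothing in this debdiff describes it apart from the changelog entry. A short description in the apt.conf manual page, saying that it only suppresses the "Repository is broken" warning, would keep it from being read as a trust relaxation like its neighbours.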
diff -Nru apt-2.2.2/doc/po/apt-doc.pot apt-2.2.3/doc/po/apt-doc.pot
--- apt-2.2.2/doc/po/apt-doc.pot	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/doc/po/apt-doc.pot	2021-04-13 17:53:32.000000000 +0200
@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: apt-doc 2.2.2\n"
+"Project-Id-Version: apt-doc 2.2.3\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2021-03-12 09:16+0100\n"
+"POT-Creation-Date: 2021-04-13 15:38+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
diff -Nru apt-2.2.2/methods/basehttp.cc apt-2.2.3/methods/basehttp.cc
--- apt-2.2.2/methods/basehttp.cc	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/methods/basehttp.cc	2021-04-13 17:53:32.000000000 +0200
@@ -882,7 +882,11 @@
 {
    unsigned long long MaxSizeInQueue = 0;
    for (FetchItem *I = Queue; I != 0 && I != QueueBack; I = I->Next)
+   {
+      if (I->MaximumSize == 0)
+	 return 0;
       MaxSizeInQueue = std::max(MaxSizeInQueue, I->MaximumSize);
+   }
    return MaxSizeInQueue;
 }
 									/*}}}*/
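Review bot: the early `return 0;` inside the loop gives 0 a second meaning (some queued item has an unknown size) on top of the empty-queue result, and nothing at the `if (I->MaximumSize == 0)` line says so. Add a comment that 0 means "unknown" and must not be treated as a zero-byte limit. The callers are not part of this diff, so it is worth confirming that each of them handles 0 that way.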
diff -Nru apt-2.2.2/po/apt-all.pot apt-2.2.3/po/apt-all.pot
--- apt-2.2.2/po/apt-all.pot	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/po/apt-all.pot	2021-04-13 17:53:32.000000000 +0200
@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: apt 2.2.2\n"
+"Project-Id-Version: apt 2.2.3\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2021-03-12 09:16+0100\n"
+"POT-Creation-Date: 2021-04-13 15:38+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
diff -Nru apt-2.2.2/test/integration/framework apt-2.2.3/test/integration/framework
--- apt-2.2.2/test/integration/framework	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/test/integration/framework	2021-04-13 17:53:32.000000000 +0200
@@ -486,6 +486,10 @@
 
 	echo 'APT::Machine-ID "912e43bd1c1d4ba481f9f8ccab25f9ee";' > rootdir/etc/apt/apt.conf.d/machine-id
 
+	# XXX: We really ought to make the packages in the test suite all have Size fields.
+	# But this needs a lot more changes, so let's keep it simple for stable updates.
+	echo 'Acquire::AllowUnsizedPackages "true";' >> rootdir/etc/apt/apt.conf.d/temporary-allow-unsized-packages
+
 	configcompression '.' 'gz' #'bz2' 'lzma' 'xz'
 	confighashes 'SHA256' # these are tests, not security best-practices
 
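Review bot: the added `echo 'Acquire::AllowUnsizedPackages "true";' >> ...` line appends, while the machine-id line just above it writes with `>`; use `>` here too so a repeated setup cannot stack duplicate entries. Because this switches the warning off for every test that sources the framework, only tests that delete the file again exercise the warning, as the XXX comment acknowledges.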
diff -Nru apt-2.2.2/test/integration/test-ubuntu-bug-1921626-unsized-packages apt-2.2.3/test/integration/test-ubuntu-bug-1921626-unsized-packages
--- apt-2.2.2/test/integration/test-ubuntu-bug-1921626-unsized-packages	1970-01-01 01:00:00.000000000 +0100
+++ apt-2.2.3/test/integration/test-ubuntu-bug-1921626-unsized-packages	2021-04-13 17:53:32.000000000 +0200
@@ -0,0 +1,46 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture "i386"
+confighashes 'SHA512'
+
+mkdir tree
+head -c $((5*1024)) /dev/urandom > tree/data-file
+
+buildsimplenativepackage 'a' 'all' '1.0' 'stable'
+buildsimplenativepackage 'b' 'all' '1.0' 'stable' '' '' '' '' "$PWD/tree"
+buildsimplenativepackage 'c' 'all' '1.0' 'stable'
+
+setupaptarchive
+changetowebserver
+
+# Disable sandbox
+echo 'APT::Sandbox::User "root";' > rootdir/etc/apt/apt.conf.d/no-acquire-sandbox
+# XXX: Remove temporary hack
+rm rootdir/etc/apt/apt.conf.d/temporary-allow-unsized-packages
+
+testsuccess apt update
+
+for file in rootdir/var/lib/apt/lists/*Packages; do
+  awk '!(/^Size/ && ++cnt==2)'  $file > $file.new
+  mv $file.new $file
+done
+
+
+size_a=$(wc -c aptarchive/pool/a_1.0_all.deb | awk '{print $1}')
+size_b=$(wc -c aptarchive/pool/b_1.0_all.deb | awk '{print $1}')
+size_c=$(wc -c aptarchive/pool/c_1.0_all.deb | awk '{print $1}')
+
+testsuccessequal "Get:1 http://localhost:${APTHTTPPORT} stable/main all a all 1.0 [$size_a B]
+Get:2 http://localhost:${APTHTTPPORT} stable/main all b all 1.0 [$size_b B]
+Get:3 http://localhost:${APTHTTPPORT} stable/main all c all 1.0 [$size_c B]" apt download a b c -o Acquire::AllowUnsizedPackages=true
+
+rm *.deb
+testwarningequal "Get:1 http://localhost:${APTHTTPPORT} stable/main all a all 1.0 [$size_a B]
+Get:2 http://localhost:${APTHTTPPORT} stable/main all b all 1.0 [$size_b B]
+Get:3 http://localhost:${APTHTTPPORT} stable/main all c all 1.0 [$size_c B]
+W: Repository is broken: b:i386 (= 1.0) has no Size information" apt download a b c
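Review bot: in the `for file in ...` loop, `awk '!(/^Size/ && ++cnt==2)'` drops the second Size line of each Packages file, which only hits package b if the stanzas come in a, b, c order, and nothing in the test says that b is made the largest package by tree/data-file on purpose. A comment stating both, or tracking the current Package: line in the awk script, would make a failure here much easier to diagnose. `$file` and `$file.new` are unquoted in the awk and mv lines, and the "Disable sandbox" comment would be more useful if it said why the test needs `APT::Sandbox::User "root"`.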
diff -Nru apt-2.2.2/test/libapt/authconf_test.cc apt-2.2.3/test/libapt/authconf_test.cc
--- apt-2.2.2/test/libapt/authconf_test.cc	2021-03-12 09:15:59.000000000 +0100
+++ apt-2.2.3/test/libapt/authconf_test.cc	2021-04-13 17:53:32.000000000 +0200
@@ -1,5 +1,6 @@
 #include <config.h>
 
+#include <apt-pkg/error.h>
 #include <apt-pkg/fileutl.h>
 #include <apt-pkg/netrc.h>
 #include <apt-pkg/strutl.h>
@@ -235,11 +236,15 @@
    EXPECT_EQ("foo1", U.User);
    EXPECT_EQ("bar", U.Password);
 
+   _error->PushToStack();
    EXPECT_TRUE(fd.Seek(0));
    U = URI("http://https.example/foo";);
    EXPECT_TRUE(MaybeAddAuth(fd, U));
    EXPECT_TRUE(U.User.empty());
    EXPECT_TRUE(U.Password.empty());
+   EXPECT_FALSE(_error->empty());
+   EXPECT_TRUE(U.Password.empty());
+   _error->RevertToStack();
 
    EXPECT_TRUE(fd.Seek(0));
    U = URI("http://http.example/foo";);
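Review bot: `EXPECT_TRUE(U.Password.empty());` now appears twice in this block, once before and once after the new `EXPECT_FALSE(_error->empty());`; the second copy adds nothing and can be dropped. The pushed error stack is reverted without looking at what was recorded, so the test passes on any message at all. Popping the entry and checking its text before `_error->RevertToStack();` would pin down the warning the changelog calls expected.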
