Bug#565918: apt-get update and gpg database status

To: 565918@bugs.debian.org
Subject: Bug#565918: apt-get update and gpg database status
From: Ritesh Raj Sarraf <rrs@researchut.com>
Date: Wed, 20 Jan 2010 12:15:03 +0530
Message-id: <[🔎] 201001201215.11419.rrs@researchut.com>
Reply-to: Ritesh Raj Sarraf <rrs@researchut.com>, 565918@bugs.debian.org
In-reply-to: <[🔎] 20100119170322.6432.5596.reportbug@news.researchut.com>
References: <[🔎] 20100119170322.6432.5596.reportbug@news.researchut.com>
Doing an strace shows many of these:

--- SIGCHLD (Child exited) @ 0 (0) ---
unlink("/var/lib/apt/lists/partial/ftp.debian.org_debian_dists_testing_Release.gpg") 
= -1 ENOENT (No such file or directory)
stat64("/var/lib/apt/lists/ftp.debian.org_debian_dists_testing_Release.gpg", 
0xbfab09b4) = -1 ENOENT (No such file or directory)
unlink("/var/lib/apt/lists/partial/ftp.debian.org_debian_dists_unstable_Release.gpg") 
= -1 ENOENT (No such file or directory)
stat64("/var/lib/apt/lists/ftp.debian.org_debian_dists_unstable_Release.gpg", 
0xbfab09b4) = -1 ENOENT (No such file or directory)
unlink("/var/lib/apt/lists/partial/ftp.debian.org_debian_dists_experimental_Release.gpg") 
= -1 ENOENT (No such file or directory)
stat64("/var/lib/apt/lists/ftp.debian.org_debian_dists_experimental_Release.gpg", 
0xbfab09b4) = -1 ENOENT (No such file or directory)


So, in the update command, we are actually removing all the .gpg files. I 
noticed that even when I used the --simulate option, it still removes.


12:12:06 rrs@champaran:/var/lib/apt/lists $ ls *.gpg
deb.opera.com_opera_dists_sid_Release.gpg                 
mirrors.kernel.org_debian_dists_testing_Release.gpg
deb.opera.com_opera_dists_testing_Release.gpg             
mirrors.kernel.org_debian_dists_unstable_Release.gpg
dl.google.com_linux_deb_dists_stable_Release.gpg          pkg-
kde.alioth.debian.org_kdetrunk_dists_experimental_Release.gpg
dl.google.com_linux_deb_dists_testing_Release.gpg         pkg-
kde.alioth.debian.org_kdetrunk_dists_sid_Release.gpg
ftp.debian.org_debian_dists_experimental_Release.gpg      
security.debian.org_dists_testing_updates_Release.gpg
ftp.debian.org_debian_dists_testing_Release.gpg           www.debian-
multimedia.org_dists_testing_Release.gpg
ftp.debian.org_debian_dists_unstable_Release.gpg          www.debian-
multimedia.org_dists_unstable_Release.gpg
mirrors.kernel.org_debian_dists_experimental_Release.gpg
12:12:10 rrs@champaran:/var/lib/apt/lists $ sudo  apt-get -qq --print-uris --
simulate update 1>/dev/null
12:13:10 rrs@champaran:/var/lib/apt/lists $ ls *.gpg
ls: cannot access *.gpg: No such file or directory


Regards,
Ritesh


On Tuesday 19 Jan 2010 22:33:22 Ritesh Raj Sarraf wrote:
> Package: apt
> Version: 0.7.25
> Severity: normal
> 
> Dear APT Devs,
> 
> Following is a problem that I see from a apt-offline user perspective.
> 
> 
> Step 1
> ======
> 
> 14:03:10 rrs@champaran:~ $ sudo aptitude update 1>/dev/null
> 
> We want to update the apt database here. This is taken care in apt-offline
>  too.
> 
> 
> Step 2
> ======
> 
> 14:04:19 rrs@champaran:~ $ sudo aptitude upgrade
> W: The "upgrade" command is deprecated; use "safe-upgrade" instead.
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Reading extended state information
> Initializing package states... Done
> Reading task descriptions... Done
> Resolving dependencies...
> Resolving dependencies...
> The following packages have been kept back:
>   tex-common{a} texlive-base{a} texlive-common{a} texlive-doc-base{a}
>  texlive-fonts-recommended{a} texlive-latex-base{a}
>  texlive-latex-recommended{a}
> The following NEW packages will be installed:
>   libbrlapi0.5{a}
> The following packages will be upgraded:
>   apt-cross apt-file crash dhcp3-client dhcp3-common dpkg dpkg-cross
>  dpkg-dev dselect graphviz irb1.8 libart2.0-cil libcache-apt-perl
>  libdebian-dpkgcross-perl libdmx-dev libdmx1 libgconf2.0-cil libgmp3-dev
>  libgmp3c2 libgmpxx4ldbl libgnome-vfs2.0-cil libgnome2.24-cil libgraphviz4
>  libndesk-dbus-glib1.0-cil libndesk-dbus1.0-cil libopenssl-ruby1.8
>  libreadline-ruby1.8 libruby1.8 libthai-data libthai0 libxxf86dga-dev
>  libxxf86dga1 libxxf86vm-dev libxxf86vm1 module-assistant python-beaker
>  python3.1 python3.1-dbg python3.1-doc python3.1-examples python3.1-minimal
>  qemu qemu-system qemu-user qemu-utils ruby1.8 user-mode-linux
>  x11proto-dmx-dev x11proto-fixes-dev x11proto-xf86bigfont-dev
>  x11proto-xf86dga-dev x11proto-xf86vidmode-dev xinput
> 53 packages upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
> Need to get 15.0MB/58.4MB of archives. After unpacking 1,683kB will be
>  used. Do you want to continue? [Y/n/?]
> Writing extended state information... Done
> Get:1 http://ftp.debian.org testing/main libgraphviz4 2.20.2-7 [535kB]
> 0% [1 libgraphviz4 77828/535kB 14%]^C
> 
> 
> So the APT database is updated and it shows that there are a bunch of
>  packages that need to be downloaded. Point to note is that at this stage,
>  the apt database is GPG clean.
> 
> 
> Step 3
> ======
> 
> 14:05:55 rrs@champaran:~ $ sudo apt-get --print-uris upgrade
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following packages have been kept back:
>   qemu-system tex-common texlive-base texlive-common texlive-doc-base
>  texlive-fonts-recommended texlive-latex-base texlive-latex-recommended
> The following packages will be upgraded:
>   apt-cross apt-file crash dhcp3-client dhcp3-common dpkg dpkg-cross
>  dpkg-dev dselect graphviz irb1.8 libart2.0-cil libcache-apt-perl
>  libdebian-dpkgcross-perl libdmx-dev libdmx1 libgconf2.0-cil libgmp3-dev
>  libgmp3c2 libgmpxx4ldbl libgnome-vfs2.0-cil libgnome2.24-cil libgraphviz4
>  libndesk-dbus-glib1.0-cil libndesk-dbus1.0-cil libopenssl-ruby1.8
>  libreadline-ruby1.8 libruby1.8 libthai-data libthai0 libxxf86dga-dev
>  libxxf86dga1 libxxf86vm-dev libxxf86vm1 module-assistant python-beaker
>  python3.1 python3.1-dbg python3.1-doc python3.1-examples python3.1-minimal
>  qemu qemu-user qemu-utils ruby1.8 user-mode-linux x11proto-dmx-dev
>  x11proto-fixes-dev x11proto-xf86bigfont-dev x11proto-xf86dga-dev
>  x11proto-xf86vidmode-dev xinput The following packages will be DOWNGRADED:
>   apt-offline
> 52 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 8 not
>  upgraded. Need to get 15.0MB/46.9MB of archives.
> After this operation, 1,434kB of additional disk space will be used.
> Do you want to continue [Y/n]? y
> 'http://ftp.debian.org/debian/pool/main/g/graphviz/libgraphviz4_2.20.2-7_i3
> 86.deb' libgraphviz4_2.20.2-7_i386.deb 535016
>  SHA256:b65b11adc0821a87525834e69f075fd444c060f07e39983086958cdbac400ff0
>  ....snipped...
> 
> 
> This is what apt-offline calls internally to get the list of packages that
>  need to be downloaded. So, as we see here, the APT database is still GPG
>  clean. There are no complains about the authenticity of the pacakge
>  database.
> 
> 
> Step 4
> ======
> 
> 14:06:18 rrs@champaran:~ $ sudo aptitude upgrade
> W: The "upgrade" command is deprecated; use "safe-upgrade" instead.
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Reading extended state information
> Initializing package states... Done
> Writing extended state information... Done
> Reading task descriptions... Done
> Resolving dependencies...
> Resolving dependencies...
> The following packages have been kept back:
>   tex-common{a} texlive-base{a} texlive-common{a} texlive-doc-base{a}
>  texlive-fonts-recommended{a} texlive-latex-base{a}
>  texlive-latex-recommended{a}
> The following NEW packages will be installed:
>   libbrlapi0.5{a}
> The following packages will be upgraded:
>   apt-cross apt-file crash dhcp3-client dhcp3-common dpkg dpkg-cross
>  dpkg-dev dselect graphviz irb1.8 libart2.0-cil libcache-apt-perl
>  libdebian-dpkgcross-perl libdmx-dev libdmx1 libgconf2.0-cil libgmp3-dev
>  libgmp3c2 libgmpxx4ldbl libgnome-vfs2.0-cil libgnome2.24-cil libgraphviz4
>  libndesk-dbus-glib1.0-cil libndesk-dbus1.0-cil libopenssl-ruby1.8
>  libreadline-ruby1.8 libruby1.8 libthai-data libthai0 libxxf86dga-dev
>  libxxf86dga1 libxxf86vm-dev libxxf86vm1 module-assistant python-beaker
>  python3.1 python3.1-dbg python3.1-doc python3.1-examples python3.1-minimal
>  qemu qemu-system qemu-user qemu-utils ruby1.8 user-mode-linux
>  x11proto-dmx-dev x11proto-fixes-dev x11proto-xf86bigfont-dev
>  x11proto-xf86dga-dev x11proto-xf86vidmode-dev xinput
> 53 packages upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
> Need to get 15.0MB/58.4MB of archives. After unpacking 1,683kB will be
>  used. Do you want to continue? [Y/n/?]
> Writing extended state information... Done
> Get:1 http://ftp.debian.org testing/main libgraphviz4 2.20.2-7 [535kB]
> 0% [1 libgraphviz4 120671/535kB 22%]^C
> 
> Same goes here. The APT database is still GPG clean. There are no complains
>  about the authenticity of the pacakge database.
> 
> 
> Step 5
> ======
> 
> 14:06:36 rrs@champaran:~ $ sudo apt-get -qq --print-uris update
> 'http://mirrors.kernel.org/debian/dists/testing/main/binary-i386/Packages.b
> z2' mirrors.kernel.org_debian_dists_testing_main_binary-i386_Packages 0 :
>  'http://mirrors.kernel.org/debian/dists/testing/contrib/binary-i386/Packag
> es.bz2'
>  mirrors.kernel.org_debian_dists_testing_contrib_binary-i386_Packages 0 :
>  ....snipped...
> 
> 
> Now assume, you repeat Step 3, this time asking for update uris.
> 
> 
> Step 6
> ======
> 
> 14:06:50 rrs@champaran:~ $ sudo aptitude upgrade
> W: The "upgrade" command is deprecated; use "safe-upgrade" instead.
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Reading extended state information
> Initializing package states... Done
> Writing extended state information... Done
> Reading task descriptions... Done
> Resolving dependencies...
> Resolving dependencies...
> The following packages have been kept back:
>   tex-common{a} texlive-base{a} texlive-common{a} texlive-doc-base{a}
>  texlive-fonts-recommended{a} texlive-latex-base{a}
>  texlive-latex-recommended{a}
> The following NEW packages will be installed:
>   libbrlapi0.5{a}
> The following packages will be upgraded:
>   apt-cross apt-file crash dhcp3-client dhcp3-common dpkg dpkg-cross
>  dpkg-dev dselect graphviz irb1.8 libart2.0-cil libcache-apt-perl
>  libdebian-dpkgcross-perl libdmx-dev libdmx1 libgconf2.0-cil libgmp3-dev
>  libgmp3c2 libgmpxx4ldbl libgnome-vfs2.0-cil libgnome2.24-cil libgraphviz4
>  libndesk-dbus-glib1.0-cil libndesk-dbus1.0-cil libopenssl-ruby1.8
>  libreadline-ruby1.8 libruby1.8 libthai-data libthai0 libxxf86dga-dev
>  libxxf86dga1 libxxf86vm-dev libxxf86vm1 module-assistant python-beaker
>  python3.1 python3.1-dbg python3.1-doc python3.1-examples python3.1-minimal
>  qemu qemu-system qemu-user qemu-utils ruby1.8 user-mode-linux
>  x11proto-dmx-dev x11proto-fixes-dev x11proto-xf86bigfont-dev
>  x11proto-xf86dga-dev x11proto-xf86vidmode-dev xinput
> 53 packages upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
> Need to get 15.0MB/58.4MB of archives. After unpacking 1,683kB will be
>  used. Do you want to continue? [Y/n/?]
> WARNING: untrusted versions of the following packages will be installed!
> 
> Untrusted packages could compromise your system's security.
> You should only proceed with the installation if you are certain that
> this is what you want to do.
> 
>   apt-cross dhcp3-client irb1.8 python-beaker module-assistant
>  x11proto-xf86dga-dev qemu-user libgconf2.0-cil libxxf86vm1 qemu-system
>  libgmp3-dev qemu libart2.0-cil libxxf86dga-dev dhcp3-common
>  libgnome2.24-cil libndesk-dbus1.0-cil python3.1 libdmx-dev
>  python3.1-minimal ruby1.8 python3.1-examples libdmx1 apt-file xinput
>  libgmpxx4ldbl libbrlapi0.5 x11proto-dmx-dev libxxf86dga1 libgmp3c2
>  x11proto-xf86bigfont-dev libdebian-dpkgcross-perl libthai0 dpkg
>  python3.1-dbg python3.1-doc x11proto-fixes-dev dpkg-dev dpkg-cross
>  libcache-apt-perl libthai-data x11proto-xf86vidmode-dev crash qemu-utils
>  libndesk-dbus-glib1.0-cil libxxf86vm-dev libruby1.8 libgnome-vfs2.0-cil
>  libgraphviz4 libopenssl-ruby1.8 libreadline-ruby1.8 graphviz
>  user-mode-linux dselect
> 
> Do you want to ignore this warning and proceed anyway?
> To continue, enter "Yes"; to abort, enter "No": ^C
> 
> 
> 
> And now you again call apt-get/aptitude upgrade. And at this point, the APT
>  database is not GPG clean.
> 
> 
> Any particular reason for doing this ? We instructed apt-get to use
>  --print-uris in Step 5 but looks like it goes ahead and alters the APT
>  database at that point.
> 
> I rely on the --print-uris option in apt-offline. If the user uses the
>  --print-uris option with the update command, they get a fake impression
>  that the APT database is not GPG clean.
> 
> Can/Should this be changed to not touch the database when using
>  --print-uris ? Or is there another way I should handle it ?
> 

-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
Attachment: signature.asc
Description: This is a digitally signed message part.
Reply to:
Follow-Ups:
- Bug#565918: apt-get update and gpg database status
  - From: Ritesh Raj Sarraf <rrs@researchut.com>
References:
- Bug#565918: apt-get update and gpg database status
  - From: Ritesh Raj Sarraf <rrs@researchut.com>
Prev by Date: Bug#565918: apt-get update and gpg database status
Next by Date: Processing of python-apt_0.7.93_amd64.changes
Previous by thread: Bug#565918: apt-get update and gpg database status
Next by thread: Bug#565918: apt-get update and gpg database status
Index(es):
- Date
- Thread