Bug#772676: apt: accesses files not listed in Release file

To: David Kalnischkies <david@kalnischkies.de>
Cc: 772676@bugs.debian.org
Subject: Bug#772676: apt: accesses files not listed in Release file
From: Thorsten Glaser <tg@mirbsd.de>
Date: Thu, 11 Dec 2014 15:29:07 +0000 (UTC)
Message-id: <[🔎] Pine.BSM.4.64L.1412111520570.13158@herc.mirbsd.org>
Reply-to: Thorsten Glaser <tg@mirbsd.de>, 772676@bugs.debian.org
In-reply-to: <20141211003734.GB16834@crossbow>
References: <[🔎] Pine.BSM.4.64L.1412092159440.4243@herc.mirbsd.org> <20141211003734.GB16834@crossbow>

David Kalnischkies dixit:

>That would be nice… we can't really us an unsigned Release file though

Uhm, it downloads Release.gpg right after Release and before all
the Packages* files, so this is not an excuse.

>The Translation files are a different matter: They are requested because
>they weren't in the Release file for years, so we have to guess that
>they exist.

Ah. But asides from the Debian repositories (and even then, only
for recent versions), almost no other repos have these files.

>Split long descriptions out (Translation-en) or just create
>an empty Translation-tlh_DE (for german-based Klingons) which you
>mention in the Release file (In fact, any file matching Translation-*
>will work) to hint apt that you mention all the Translation files you
>got in the Release file, so that it doesn't have to guess. You should be

Ugh. But ok, we have a workaround then…

>using Translation-en anyhow if you are a good boy…

Not for a 100-packages personal repository…

>To remove the last remaining 404, add an InRelease file. Helps a lot in

I used to have that. Then, APT decided to not use them any more.
Then, APT decided that, when a repo had an InRelease file it does
not use any more, it does not need to download the new Release and
Release.gpg files, and threw errors and/or used old information.
The switch to not use InRelease files was almost silent, only
mentioned in changelog entries and all that.

Then I disabled InRelease file generation, which had cost me quite
some effort to write in the first place.

Now you tell me I should be using it? Since when *does* APT use
them again? I did not get that message.

(Actually, since I occasionally have use cases for as far back
as sarge and dapper, a list for which releases of both InRelease
is safe to use would be welcome.)

>Having explained both behaviours as non-bug, I hope its clear why I also
>mark this bugreport as done with this message.

As I wrote above, the first behaviour is IMO still buggy as it
occurs after APT has already received the Release.gpg file.
(Would it behave the same with InRelease?)

Generally, APT should not download *any* files from a mirror
before it has not verified the {,In}Release file content and
can then act upon that. I cannot see any valid reason for it
to do otherwise; maybe there is, in which case please tell ;)

bye,
//mirabilos
-- 
21:49⎜<allamoox:#sendmail> I have a question guys,
     ⎜    Can I use my PC as SMTP server, I use Windows 7 .
     ⎜    Already googled and Installed IIS
     ⎜    but Still I can't send E-mail

Reply to:

Follow-Ups:
- Bug#772676: apt: accesses files not listed in Release file
  - From: David Kalnischkies <david@kalnischkies.de>

References:
- Bug#772676: apt: accesses files not listed in Release file
  - From: Thorsten Glaser <tg@mirbsd.de>

Prev by Date: Bug#772641: apt: "E: Setting TIOCSCTTY for slave fd <fd> failed" when run as a session leader
Next by Date: Bug#772839: apt-cache: option --no-all-versions missing
Previous by thread: Bug#772676: marked as done (apt: accesses files not listed in Release file)
Next by thread: Bug#772676: apt: accesses files not listed in Release file
Index(es):
- Date
- Thread