Bug#513157: Additional information, bug found in apt/0.8.10 as well
Package: apt
Version: 0.8.10
Control: severity -1 important
Hi,
lately this bug prevented two of my Squeeze/LTS machines from updating some
packages. The other Squeeze/LTS machines updated just fine.
apt-get update reported:
WARNING: The following packages cannot be authenticated!
Of course, I did not install the unauthenticated packages. The root
cause for this problem was the existence of a partial "Release" file in
/var/lib/apt/lists/partial/. The apt version in question is 0.8.10.
I'd say this is a security bug, because it prevents installation of
security updates.
This is a long-standing, security-relevant bug in a Debian-specific
package. This should not happen. :-(
The obvious solution is for 'apt-get update' to retrieve fresh versions
of every partial list and replace the old partial list if a complete list
could be downloaded. As an optimization apt may try to continue from the
partial list, but if that should fail for any reason, it needs to start
a fresh download of the complete list. This must be done automatically.
In addition, bug #762891 should be fixed as well, because partial lists
are just a kind of cache. Perhaps the location of the partial Release
files should be moved to /var/cache/apt/lists/partial/ to clearly
show that.
The non-obvious workaround for this bug is
# rm /var/lib/apt/lists/partial/*
# apt-get update
That should not be necessary. Neither should be 'apt-get clean' (with
a fix for #762891). Apt itself should handle this situation safely and
automatically.
The bug is easily reproducible by placing incomplete Release lists
inside the /var/lib/apt/lists/partial/ directory. Please fix this bug.
Thanks,
Erik
--
Dipl.-Inform. Erik Auerswald http://www.fg-networking.de/
auerswald@fg-networking.de T:+49-631-4149988-0 M:+49-176-64228513
Gesellschaft für Fundamental Generic Networking mbH
Geschäftsführung: Volker Bauer, Jörg Mayer
Gerichtsstand: Amtsgericht Kaiserslautern - HRB: 3630
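
A monitoring check for the condition this report describes, added here as an example; it is not part of the original message and not apt's own code. It lists files that have sat in the partial-lists directory longer than a threshold, so a host that has stopped taking updates for this reason can be noticed. The function names, the RUN_CHECK switch and the 60-minute threshold are assumptions.

```shell
#!/bin/sh
# Added example: flag leftover files in apt's partial-lists directory.
# The default path is the one named in the report; the threshold is assumed.
PARTIAL_DIR="${PARTIAL_DIR:-/var/lib/apt/lists/partial}"
MAX_AGE_MIN="${MAX_AGE_MIN:-60}"

# Print regular files directly under directory $1 whose mtime is older
# than $2 minutes. The age filter keeps a download that is in progress
# right now from being reported. A missing directory yields no output.
stale_partial_lists() {
    dir=$1
    age=$2
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -mmin "+$age" -print
}

# Return 0 when the directory is clean; return 1 and print the stale
# files when leftovers exist.
check_partial_lists() {
    stale=$(stale_partial_lists "$1" "$2")
    [ -z "$stale" ] && return 0
    printf '%s\n' "$stale"
    return 1
}

# Run as a scheduled check only when asked: RUN_CHECK=1 sh this-script
if [ "${RUN_CHECK:-}" = 1 ]; then
    if ! check_partial_lists "$PARTIAL_DIR" "$MAX_AGE_MIN"; then
        echo "stale partial lists found in $PARTIAL_DIR" >&2
        exit 1
    fi
fi
```

A non-zero exit can feed an existing alerting job; clearing the files remains the manual workaround given in the report.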