[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#766206: Acknowledgement (apt: Stale partial -> confusing bogus 404 (manual intervention needed, not obvious))

On 21/10/14 15:21, Debian Bug Tracking System wrote:
> Thank you for filing a new Bug report with Debian.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> As you requested using X-Debbugs-CC, your message was also forwarded to
>   matthew@toselandcs.co.uk
> (after having been given a Bug report number, if it did not have one).
>
> Your message has been sent to the package maintainer(s):
>  APT Development Team <deity@lists.debian.org>
>
> If you wish to submit further information on this problem, please
> send it to 766206@bugs.debian.org.
>
> Please do not send mail to owner@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
The IRC log may be relevant in terms of how confusing this can be.
Please delete if irrelevant. Thanks.

[ Skip 10min+ session previous day ]

[13:59] <toad_> has security support been discontinued for 32-bit i386 ?
security.debian.org is still giving 404's on apt-get update
[13:59] <toad_> and the updated packages are still not on the mirrors
[14:03] <jmlongo> are you on wheezy?
[14:03] <toad_> yes
[14:03] <toad_> 7.7
[14:04] <jmlongo> I just did an apt-get update and got -> "Des: 6
http://security.debian.org wheezy/updates/main i386 Packages [229 kB]  "
[14:05] <toad_> jmlongo: I get "Err http://security.debian.org
wheezy/updates/main i386 Packages \n 404  Not Found [IP: 195.20.242.89 80]"
[14:06] <toad_> jmlongo: yesterday the IP address was different (212.*?)
so AFAICS it's not just one server
[14:08] <toad_> ideas?
[14:08] <toad_> I guess I need to contact the security team directly ...
[14:08] <toad_> it's been at least TWO DAYS
[14:12] <petn-randall> toad_: Yes, s.d.o resolves to 2 IPv4 addresses,
and one IPv6 one, so that's expected.
[14:14] <toad_> petn-randall: what is expected? critical bugs that can't
be fixed because critical server is broken for two days on a common
architecture?
[14:15] <petn-randall> toad_: No, that it resolves to two different IP
addresses.
[14:15] <toad_> the fact that it gives the same errors on both IPv4
addresses might indicate that the problem isn't with one server, but
somewhere else ...
[14:15] <toad_> yes ok
[14:15] <toad_> so I should email security@?
[14:16] <petn-randall> !tell toad_ -about squeeze lts
[14:16] <petn-randall> toad_: Check the factoid first.
[14:16] <toad_> I'm using wheezy!
[14:17] <toad_> so there's nothing else I should check?
[14:18] <petn-randall> toad_: Can you show us the full output of
'apt-get update' on http://paste.debian.net?
[14:18] <petn-randall> toad_: Sorry about the squeeze/wheezy mixup, read
it wrong. Which update are you missing in particular?
[14:19] <toad_> http://paste.debian.net/127901/
[14:20] <toad_> it doesn't get the recent mysql stuff
[14:20] <petn-randall> toad_: Can you also paste your /etc/apt/sources.list?
[14:20] <toad_> it's all still at 5.5.38-0+wheezy1 even after apt-get
dist-upgrade says there's nothing to do
[14:21] <toad_> http://paste.debian.net/127902/
[14:21] <toad_> it still breaks if i turn off contrib non-free in the
security line
[14:21] * toad_ tries commenting out deb-multimedia
[14:22] --> Slydder has joined this channel
(~chuck@ip1f13dea6.dynamic.kabel-deutschland.de).
[14:23] <toad_> hmmm, i wonder if there could be a symlink missing?
should i try stable rather than wheezy?
[14:25] <toad_>
http://security.debian.org/dists/wheezy/updates/main/binary-i386/
[14:25] <peter1138> deb http://security.debian.org/ wheezy/updates main
contrib non-free
[14:25] <peter1138> works for me
[14:25] <toad_> the log says it's trying to fetch the uncompressed
package file ... surely that's a lie?
[14:26] <toad_> W: Failed to fetch
http://security.debian.org/dists/wheezy/updates/main/binary-i386/Packages 
404  Not Found [IP: 195.20.242.89 80]
[14:26] <toad_> of course Packages doesn't exist ... we want
Packages.bz2 or Packages.gz
[14:26] <toad_> but maybe it's lying about the url?
[14:27] <toad_> why would it try to fetch the uncompressed file?
[14:27] <peter1138> Yes it always says just Release
[14:28] <peter1138> (Or Packages)
[14:29] <toad_> hmmm
[14:29] <toad_> but if i wget the .bz2 file from the same box, it
downloads it successfully
[14:30] <toad_> how do i splice the packages file in manually? in
/var/somewhere?
[14:31] <toad_> can i just put it in /var/lib/apt/lists/ ?
[14:32] * rfreeman-w eyes toad_
[14:33] <rfreeman-w> wget 
http://security.debian.org/dists/wheezy/updates/main/binary-i386/Packages 
2014-10-21 15:33:23 ERROR 404: Not Found
[14:33] <jmlongo> well .. If I use that ip of yours on my sources lists
it gives me the 404 error ..
[14:33] <toad_> yay, it workked
[14:34] <toad_> rfreeman-w: yeah, it lies about the URL that it's fetching
[14:34] <rfreeman-w> toad_, you should never have to bypass
apt-get/aptitude and install things manually by grabbing tarball
[14:34] <toad_> agreed, but it won't install security updates!
[14:34] <toad_> for two days running!
[14:34] <rfreeman-w> if you have to then something is wrong and it is
not safe as it bypasses apt-get gpg
[14:34] <toad_> not installing the update isn't safe either ... and
aren't the individual packages signed?
[14:34] <rfreeman-w> did you just installed not gpg verified update
package though?  I hope it's not the devel box ;)    I would not
[14:35] <toad_> the Release is signed
[14:35] <toad_> there are no warnings
[14:35] <jmlongo> how about changing security.debian.org with
200.17.202.197??
[14:35] <toad_> so no, i didn't have to tell apt-get dist-upgrade to
install unsigned packages
[14:35] <rfreeman-w> if something is really broken I'm quite sure guys
in #debian-security will look into it
[14:35] <toad_> yes, I have emailed them :(
[14:36] <toad_> I had expected it would be fixed in two days, but it
wasn't ... but it's possible it's some obscure property of my system
that I don't understand ...
[14:36] <toad_> w.r.t. security, IIRC the signatures are checked at
apt-get dist-upgrade time - I've always got errors in the past at that
point - isn't this correct?
[14:36] <rfreeman-w> I'm not 100% sure, but afair apt-get update chancks
them and then remembers which checksums to expect
[14:37] <weasel> toad_: find /var/lib/apt -type f -exec rm {} \+
[14:37] <weasel> toad_: apt-get update
[14:37] <toad_> I 100% agree that this should never be necessary though
... :(
[14:37] <weasel> does it work now?
[14:37] <weasel> erm
[14:37] <weasel> find /var/lib/apt/lists
[14:37] <weasel> the lists is important
[14:38] <rfreeman-w> toad_, next time just paste to IRC/freenet/etc the
checksum of file you downloaded before installing it - that way at least
we can check in retrospection, so it takes just 3 seconds more to be
"paranoid" :)
[14:38] <toad_> :)
[14:39] <toad_> hmmm ... so you can get a 404 error as the result of
having a stale file in lists/partial ?! WTF?!
[14:39] <rfreeman-w> toad_, #debian-security tells to append .gz or .bz2
to end of URL, indeed it works with the .bz
[14:39] <toad_> oh, because it's doing a partial fetch, and it's
unclean? isn't there a different error code for that though?!
[14:39] <rfreeman-w> .gz
[14:39] <toad_> yeah, I got that bit
[14:40] <toad_> I downloaded it and unpacked it and stuck it in lists/
and it worked fine
[14:40] <toad_> however it sounds like the sigs weren't checked as a result?
[14:40] <weasel> toad_: that 404 is just a horrible error message.
[14:40] <toad_> yep
[14:41] <weasel> toad_: apt tries Packages.bz2, falls over for some
reason.  tries Packages.gz, falls over for some reason.  tries Packages,
oh that doesn't exist.  reports last error.
Reply to: