Your message dated Tue, 22 Mar 2016 11:47:44 +0100
with message-id <20160322104744.GC22647@crossbow>
and subject line Re: Bug#618334: apt: ignores all repositories if only one is expired
has caused the Debian Bug report #618334,
regarding apt: ignores all repositories if only one is expired
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
618334: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618334
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apt: ignores all repositories if only one is expired
- From: Daniel Baumann <daniel.baumann@progress-technologies.net>
- Date: Mon, 14 Mar 2011 13:52:13 +0100
- Message-id: <4D7E0F7D.2010109@progress-technologies.net>
- Reply-to: daniel.baumann@progress-technologies.net
Package: apt
Version: 0.8.10.3

Hi,

i've several different repositories configured in my sources.list. one
was pointing to an outdated local mirror (apt says that it's expired etc).

even though there are updates available in all of the other repositories,
which are not expired, apt now skips all of them.

i'd prefer if apt either is updated to just ignore the *expired*
repository and only that, or, if the apt message is updated to say that,
since repository $foo is expired, all repositories are ignored now.

Regards,
Daniel

--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@progress-technologies.net
Internet: http://people.progress-technologies.net/~daniel-baumann/
--- End Message ---
--- Begin Message ---
- To: Michael Deegan <m.deegan@murdoch.edu.au>, 618334-done@bugs.debian.org
- Subject: Re: Bug#618334: apt: ignores all repositories if only one is expired
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Tue, 22 Mar 2016 11:47:44 +0100
- Message-id: <20160322104744.GC22647@crossbow>
- In-reply-to: <20160322061542.31274.88036.reportbug@cnspc18.murdoch.edu.au>
- References: <20160322061542.31274.88036.reportbug@cnspc18.murdoch.edu.au>
Version: 1.1~exp13

but first an important "sidenote":

On Tue, Mar 22, 2016 at 02:15:42PM +0800, Michael Deegan wrote:
> Also note that adding the "trusted=yes" option to sources.list entries
> doesn't help at all:
>
> root@pinky:/home/michael# grep ^deb.*squeeze-lts /etc/apt/sources.list.d/*list
> /etc/apt/sources.list.d/squeeze.sources.list:deb [ trusted=yes ] http://archive.debian.org/debian squeeze-lts main non-free contrib
> /etc/apt/sources.list.d/squeeze.sources.list:deb-src [ trusted=yes ] http://archive.debian.org/debian squeeze-lts main non-free contrib

THIS IS A GIANT SECURITY HOLE.

I highly doubt you have a locally secured connection to archive.debian.org
which would allow you to sidestep apt's security infrastructure. Instead you
have enabled root access for everyone capable of playing MITM on your internet
connection including but not limited to your neighbor who hacked into your home
WLAN, the coffeeshop owner who has free WLAN, your ISP, all administrators of
computers involved in routing your requests, basically all national security
agencies including the one of your country and that of your biggest enemy
country, the janitor of the place the mirror server stands, … and they all use
your machine now as a "private cloud" to host childporn, so in an hour or two
the police might show up at your place, shoot you on the spot and the report
will say "Suspect was killed in preemptive self-defense"… all for a little
defunct squeeze-toy. That is called dedication I guess…

It's strange that people think bugs like heartbleed or shellshock would be
a problem if they happily ignore all warnings in the documentation and open
the biggest security holes all by themselves.

That trusted=yes isn't working in the case of expired repositories is
a feature btw as that signals that the archive is stale.

The expire checking can be disabled as well as the timeframe prolonged quite
easily, see apt.conf(5) in the ACQUIRE section: Check-Valid-Until and the two
following options. In case of this repository just removing the source is
better though…

> apt-get aborts as soon as it sees the expired source. This means wheezy
> machines that still have squeeze sources do not receive wheezy updates

While that is mostly true, an error from apt is never to be dismissed lightly,
so users should know that something is up. It is also quite pointless to still
carry squeeze sources if you upgraded to wheezy. Especially as squeeze is
archived now, so the repository will never change ever again and all packages
it provides are available in newer (and supported!) versions in wheezy.

Enough of the "sidenote" though, the initial report can be closed as done now
as we worked tirelessly for more than the last two years on the acquire system
(see also talks at DebConf14 and 15). The commit which has perhaps the biggest
effect on this might be
https://anonscm.debian.org/cgit/apt/apt.git/commit/?id=95278287f4e1eeaf5d96749d6fc9bfc53fb400d0
as it explicitly mentions this situation, but many before and after are dealing
with a better separation of concerns – so stretch will see the resolution of
this and plenty of other problems, which can already be experienced in unstable
and testing today, hence closing as done.

Best regards

David Kalnischkies

Attachment: signature.asc
Description: PGP signature
--- End Message ---
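
The two conditions discussed in the reply above, sources.list entries carrying `trusted=yes` and a Release file whose `Valid-Until` has passed, can be checked with a short audit script. This is an added example, not part of the thread and not apt's own code; the function names and both sample inputs are constructed, and it assumes one-line-style `deb`/`deb-src` entries and a `Valid-Until` timestamp written in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the first entry mirrors the one quoted in the thread.
SAMPLE_SOURCES = """\
deb [ trusted=yes ] http://archive.debian.org/debian squeeze-lts main non-free contrib
deb http://mirror.example/debian wheezy main
# deb [ trusted=yes ] http://mirror.example/debian old main
"""

# Constructed Release header fields (not fetched from any real archive).
SAMPLE_RELEASE = """\
Origin: Debian
Suite: squeeze-lts
Date: Sat, 12 Mar 2016 14:53:31 UTC
Valid-Until: Sat, 19 Mar 2016 14:53:31 UTC
"""

ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)

def audit_sources(text):
    """Return (line_no, uri, suite) for entries that disable signature checks."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything not a one-line entry
        opts = dict(
            o.split("=", 1) for o in (m.group("opts") or "").split() if "=" in o
        )
        if opts.get("trusted", "").lower() == "yes":
            findings.append((no, m.group("uri"), m.group("suite")))
    return findings

def release_expired(release_text, now):
    """True if Valid-Until lies before `now`; None when the field is absent."""
    for line in release_text.splitlines():
        if line.startswith("Valid-Until:"):
            stamp = line.split(":", 1)[1].strip()
            until = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S UTC")
            return now > until.replace(tzinfo=timezone.utc)
    return None

if __name__ == "__main__":
    for no, uri, suite in audit_sources(SAMPLE_SOURCES):
        print(f"line {no}: trusted=yes on {uri} {suite}")
    print("expired:", release_expired(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```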