Your message dated Sat, 11 Jun 2016 16:34:42 +0000
with message-id <E1bBlru-0008PP-O3@franck.debian.org>
and subject line Bug#819697: fixed in apt 1.3~exp2
has caused the Debian Bug report #819697,
regarding timezone parsing bug on Valid-Until
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
819697: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819697
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: timezone parsing bug on Valid-Until
- From: Paul Tagliamonte <paultag@debian.org>
- Date: Thu, 31 Mar 2016 19:25:50 -0400
- Message-id: <20160331232550.GA6939@cassiel.pault.ag>
Package: apt
Severity: important

thanks

apt appears to consider Valid-Until without proper timezone support.

From a Release file:

| Date: Thu, 31 Mar 2016 19:16:26 -0400
| Valid-Until: Thu, 31 Mar 2016 19:16:27 -0400
                                       ^ 1s expiry

I checked this three seconds (literally, heh) after signing it, and ran
apt-get update. I was surprised to see the following:

| E: Release file for http://localhost/infra/dists/unstable/InRelease is expired
| (invalid since 4h 0min 2s). Updates for this repository will not be applied.

4 hours! At the time of writing the wall clock says:

| Thu Mar 31 19:19:53 EDT 2016

(where EDT is -0400)

So, not four hours!

I strongly suspected that apt did this correctly, and that this was
purely cosmetic, so I checked, I set a Valid-Until to 1h, and got:

| E: Release file for http://localhost/infra/dists/unstable/InRelease is
| expired (invalid since 3h 0min 3s). Updates for this repository will not
| be applied.

But it's still valid! Just for clarity:

| (debian)[paultag@cassiel:~/tmp][⌚ 07:21 PM] ♥ cat infra/dists/unstable/InRelease | grep Valid-Until
| Valid-Until: Thu, 31 Mar 2016 20:20:54 -0400
| (debian)[paultag@cassiel:~/tmp][⌚ 07:21 PM] ♥ date
| Thu Mar 31 19:21:53 EDT 2016

In the case where our machines are often in UTC, this might not actually
hit Debian all that hard, but it could be an issue if someone Baker
Island's -12:00 timezone was being attacked by keeping a view of the
archive stale for a day, for their target over in New Zealand's +13:45
timezone.

Anyway, enough trouble for me tonight. Thanks for working on apt.

Cheers,
  Paul

Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 819697-close@bugs.debian.org
- Subject: Bug#819697: fixed in apt 1.3~exp2
- From: Julian Andres Klode <jak@debian.org>
- Date: Sat, 11 Jun 2016 16:34:42 +0000
- Message-id: <E1bBlru-0008PP-O3@franck.debian.org>
Source: apt
Source-Version: 1.3~exp2

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 819697@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 Jun 2016 17:23:19 +0200
Source: apt
Binary: apt libapt-pkg5.0 libapt-inst2.0 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source
Version: 1.3~exp2
Distribution: experimental
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Description:
 apt - commandline package manager
 apt-doc - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils - package management related utility programs
 libapt-inst2.0 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg5.0 - package management runtime library
Closes: 819697 824456 824503 824702 825396 825742 826043 826291
Changes:
 apt (1.3~exp2) experimental; urgency=medium
 .
   [ Johannes 'josch' Schauer ]
   * edsp: document unique package identifiers
 .
   [ David Kalnischkies ]
   * edsp: warn if unexpected stanzas appear in the solution
   * show globalerrors before asking for confirmation
   * show final solution in --no-download --fix-missing mode
   * document --no- as --show-upgraded is the default (Closes: 824456)
   * fail instead of segfault on unreadable config files (Closes: 824503)
   * convert EDSP to be based on FileFd instead of FILE*
   * edsp: dump: support dumping into compressed file
   * edsp: add Forbid-{New-Install,Remove} and Upgrade-All
   * update symbols file
   * no-change bump of Standards-Version to 3.9.8
   * override lintian on doxygens embedded-javascript-library
   * fix and document on the fly compressor config
   * prevent C++ locale number formatting in text APIs (Closes: #825396)
   * accept only the expected UTC timezones in date parsing (Closes: 819697)
   * avoid changing the global LC_TIME for Release writing
   * use de-localed std::put_time instead rolling our own
   * use std::locale::global instead of setlocale
   * look into the right textdomain for apt-utils again
   * try to detect sudo spawned root-shell in prefixing (Closes: 825742)
   * ignore std::locale exception on non-existent "" locale
   * apt-key: change to / before find to satisfy its CWD needs.
     Thanks to Samuel Thibault for 'finding' the culprit! (Closes: 826043)
   * edsp: use an ID mapping for the internal solver
   * edsp: use a stanza based interface for solution writing
   * edsp: optionally store a compressed copy of the last scenario
   * move 'dump' solver from apt-utils to apt package
   * edsp: if internal is used, keep this decision
   * edsp: if logging is requested, do it for internal, too
   * edsp: drop privileges before executing solvers
   * don't explicitly configure the last round of packages
   * drop Dpkg::MaxArgs in favor of Dpkg::MaxArgsBytes
   * do not hang on piped input in PipedFileFdPrivate
   * don't leak an FD in lz4 (de)compression
   * don't leak EDSP solver output fd
   * don't leak FD in AutoProxyDetect command return parsing
 .
   [ Julian Andres Klode ]
   * Provide complete apt bash completion. Thanks to Elias Fröhner and
     Svyatoslav Gryaznov for the initial work (LP: #1573547)
   * apt.systemd.daily: Put opening brace of check_power on extra line
     (LP: #1581985)
   * Add conflicting Signed-By values to error message
   * Normalize Signed-By values by removing trailing commas everywhere
   * Pass -fvisibility-inlines-hidden to g++
 .
   [ Zhou Mo ]
   * zh_CN.po: update simplified Chinese translation.
 .
   [ Yuri Kozlov ]
   * Russian program translation update (Closes: 824702)
 .
   [ Takuma Yamada ]
   * Japanese program translation update (Closes: 826291)
Checksums-Sha1:
 20fbb0afa8a99cbe3f6a2d9fd2461280d7fe369b 2353 apt_1.3~exp2.dsc
 7a586fb02e7035bf34adad7108dd67a10e8d7990 2066088 apt_1.3~exp2.tar.xz
Checksums-Sha256:
 e6b3d0f9870343260da30f946a751120991d0a2edf22483dbd7bc903cf845983 2353 apt_1.3~exp2.dsc
 29a88df31a680a31d7035ac8f8befebe5a34c8843c45dfc915f43f3c8dba6d43 2066088 apt_1.3~exp2.tar.xz
Files:
 210c78a3191970ee669aeef8e00c8147 2353 admin important apt_1.3~exp2.dsc
 0b0a68913dd3934141f340f7230ae7a1 2066088 admin important apt_1.3~exp2.tar.xz
--- End Message ---
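
Added example (not part of the original bug report and not apt's code): the arithmetic behind the two error messages quoted in the report, next to an offset-aware parse and the UTC-only policy named in the closing changelog entry. The function names, the UTC_ZONES set and the "now" instants are assumptions made for this sketch; parse_ignoring_offset is a model consistent with the reported numbers, not apt's parser.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

UTC = timezone.utc
FMT = "%a, %d %b %Y %H:%M:%S"
# Assumed spellings of UTC for this sketch; not copied from apt's source.
UTC_ZONES = {"UTC", "GMT", "Z", "+0000"}


def parse_ignoring_offset(value):
    """Model of the reported behaviour: drop the zone field, read the rest as UTC."""
    stamp, _zone = value.rsplit(" ", 1)
    return datetime.strptime(stamp, FMT).replace(tzinfo=UTC)


def parse_honoring_offset(value):
    """Apply the numeric offset so the comparison happens in UTC."""
    parsed = parsedate_to_datetime(value)
    if parsed.tzinfo is None:  # a "-0000" zone yields a naive datetime
        raise ValueError(f"no usable zone in {value!r}")
    return parsed.astimezone(UTC)


def parse_strict_utc(value):
    """Policy named in the changelog entry: refuse any zone that is not UTC."""
    stamp, zone = value.rsplit(" ", 1)
    if zone not in UTC_ZONES:
        raise ValueError(f"non-UTC zone {zone!r} in {value!r}")
    return datetime.strptime(stamp, FMT).replace(tzinfo=UTC)


def seconds_past_expiry(valid_until, now, parser):
    """Positive: expired for that many seconds. Zero or negative: still valid."""
    return int((now - parser(valid_until)).total_seconds())


# Valid-Until values are from the report; the "now" instants are constructed
# so that the offset-ignoring parser reproduces the two quoted error messages.
CASES = [
    ("Thu, 31 Mar 2016 19:16:27 -0400", datetime(2016, 3, 31, 23, 16, 29, tzinfo=UTC)),
    ("Thu, 31 Mar 2016 20:20:54 -0400", datetime(2016, 3, 31, 23, 20, 57, tzinfo=UTC)),
]

if __name__ == "__main__":
    for valid_until, now in CASES:
        buggy = seconds_past_expiry(valid_until, now, parse_ignoring_offset)
        fixed = seconds_past_expiry(valid_until, now, parse_honoring_offset)
        print(f"{valid_until}: offset ignored {buggy:+d}s, offset applied {fixed:+d}s")
        try:
            parse_strict_utc(valid_until)
        except ValueError as err:
            print("  strict parser:", err)
```

With the offset ignored, a file signed in a zone west of UTC looks expired early, as in the report; by the same arithmetic a file signed east of UTC would be accepted past its real expiry, which is the stale-archive concern the reporter raises.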