
Bug#776152: provide meaningful exit codes for network failures



On Sat, Jan 24, 2015 at 04:50:04PM +0000, Patrick Schleizer wrote:
> Package: apt
> Severity: important
> 
> When "apt-get update" fails the program exits with a 0 status.
> It would be useful if it exited with a non-zero status in that case
> (or if there were a switch to tell it to do so).

I disagree that it should do that. We just redefined successful update
(for the success hook) to mean "not all sources failed". In case we
fetch anything, that's still a success, as we update the cache with
the new data.

The question of what a successful update is is complicated and depends
on the expectations of the person using APT.

> This is similar to bug 41053 [1] from 1999, that says it's fixed, but it
> doesn't say how it was fixed and it's apparently unfixed.
> 
> See output (shortened that a little).
> 
> > sudo apt-get update
> >   Could not resolve 'ecurity.debian.org'
> > Hit http://ftp.us.debian.org wheezy Release
> 
> > Reading package lists... Done
> > W: Failed to fetch http://ecurity.debian.org/dists/wheezy/updates/Release.gpg  Could not resolve 'ecurity.debian.org'
> >
> > W: Some index files failed to download. They have been ignored, or old ones used instead.
> > ~ $ echo $?
> > 0
> 
> (For demonstration purposes, I just added a defunct deb line
> deb http://ecurity.debian.org wheezy/updates main contrib non-free)
> 
> Detecting such situations in scripts is important. At least if you
> really care if some extra repository gets used during a build script or
> if you care for an image to be built as verifiable / reproducible as possible.
> 
> Otherwise an adversary could just prevent one from connecting to a
> repository one cares to receive upgrades from (such as
> security.debian.org), which would effectively render apt-get's security
> check for expired release files (valid-until field) [2] [3] ineffective.

Maybe we should do some apt-cache check-expiry command that people can
run from their script to check if their downloaded lists are still
considered "safe"?

And possibly check gpg sigs as well?

> 
> There is also another issue related to exit codes. [4]
> 
> Cheers,
> Patrick
> 
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=41053
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
> [3]
> http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
> [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745735

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
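
The expiry check floated in the reply above, sketched as an added example (not apt code and not written by either poster; `check-expiry` is only a proposal in this thread). It assumes downloaded lists are named after the source URI with a `_Release` or `_InRelease` suffix, as in `/var/lib/apt/lists`, that the caller supplies the hosts it requires, and it does not verify signatures; the sample file contents and `example.invalid` are constructed.

```python
import email.utils
import os
import tempfile
from datetime import datetime, timezone

def valid_until(release_text):
    """Return the Valid-Until time from Release/InRelease text, or None."""
    for line in release_text.splitlines():
        if line.startswith("Valid-Until:"):
            dt = email.utils.parsedate_to_datetime(line.split(":", 1)[1].strip())
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
        if line.startswith(("MD5Sum:", "SHA1:", "SHA256:")):
            break  # header fields end where the checksum lists begin
    return None

def check_lists(lists_dir, required_hosts, now):
    """List problems: expired Release data, or a required host with none."""
    problems, seen = [], set()
    for name in sorted(os.listdir(lists_dir)):
        if not name.endswith(("_Release", "_InRelease")):
            continue
        host = name.split("_", 1)[0]  # assumption: file name starts with the host
        seen.add(host)
        with open(os.path.join(lists_dir, name), errors="replace") as fh:
            expiry = valid_until(fh.read())
        if expiry is None and host in required_hosts:
            problems.append(f"{name}: no Valid-Until field")
        elif expiry is not None and expiry < now:
            problems.append(f"{name}: expired {expiry:%Y-%m-%d}")
    missing = sorted(set(required_hosts) - seen)
    return problems + [f"{h}: no Release file present" for h in missing]

def demo():
    """Constructed sample: a stale security list left by a blocked update."""
    samples = {  # constructed file contents, not real archive data
        "ftp.us.debian.org_debian_dists_wheezy_Release":
            "Origin: Debian\nCodename: wheezy\n",
        "security.debian.org_dists_wheezy_updates_Release":
            "Origin: Debian\nValid-Until: Sat, 17 Jan 2015 09:00:00 UTC\n",
    }
    now = datetime(2015, 1, 24, 16, 50, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        for name, text in samples.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return check_lists(d, {"security.debian.org", "example.invalid"}, now)

if __name__ == "__main__":
    raise SystemExit("\n".join(demo()) or 0)  # non-zero exit if problems
```

A build script would call `check_lists` on the real lists directory after `apt-get update` and abort on a non-empty result, which catches both a stale security list and a required repository that was never fetched.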

