Bug#975903: apt-get update fails to (permanently) download index files after time skew

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#975903: apt-get update fails to (permanently) download index files after time skew
From: Philipp Hahn <hahn@univention.de>
Date: Thu, 26 Nov 2020 12:58:06 +0100
Message-id: <[🔎] 160639188693.24611.7389894950031835072.reportbug@fixa.knut.univention.de>
Reply-to: Philipp Hahn <hahn@univention.de>, 975903@bugs.debian.org

Package: apt
Version: 1.8.2.1
Severity: normal

Suspending a VM (Qemu/KVN) to disk while it is running also saves the
current time, which is restored on resume. If NTP does not work quickly
enough to fix that on resume, the VM lives in the past.
Running `apt-get update` will then print something like this:
> E: Release file for http://192.168.0.10/xxx/Release is not valid yet (invalid for another 2 d 19 h 44 min 10 s). Updates for this repository will not be applied

`apt` stores the file below `/var/lib/apt/lists/` using the local time.
The file itself is considered valid (correct signature, ...), but due to
the time skew the referenced `Packages*` and `Sources*` files are *NOT*
downloaded.

When next you invoke `apt-get update` again - even after fixing the time
and thus moving the VM to current wall clock - nothing gets updated.

`apt` find the valid `Release` file and checks it with the server.
If there is an updated version, everything works as expected.

But if there is no updated version, `apt` skips the following steps to
download the index files as it thinks, that they are still valid from
the *previous* download, which never happened.

This can be "fixed" by deleting the files `/var/lib/apt/lists/*Release`,
which forces `apt` to download thoses files again; the "changed"
`Release` file then triggeres the download of the changed index files,
too.


Reproducer:
  /etc/init.d/ntp stop
  date -s '2020-11-01'
  truncate -s 0 /var/lib/apt/lists/*_Packages
  touch /var/lib/apt/lists/*_*
  apt-get update -o Debug::Acquire::http=true
  > If-Modified-Since: Sat, 31 Oct 2020 23:00:10 GMT
  < HTTP/1.1 200 OK
  < Date: Thu, 26 Nov 2020 11:35:30 GMT
  < Last-Modified: Thu, 26 Nov 2020 11:16:48 GMT
  # will complain about times in the future
  ls -gGh /var/lib/apt/lists/*_*
  # will list `Packages*` files with size 0
  ntpdate 1.debian.pool.ntp.org
  apt-get update -o Debug::Acquire::http=true
  ls -gGh /var/lib/apt/lists/*_*
  # `Release` files will be downloaded again
  # `Packages*` files still has size 0

To me it looks like `apt`
1. gets an "HTTP 200 OK",
2. downloads the (unchagned) file,
3. but sees that it is the same as the locall file,
4. skips downloadthe the index files.

I haven't yet checked the code, but on first impulse `apt` should not
store the `Release` file if it is considered invalid due to time skew.

Or always try to download the referenced index files if the `Release`
file was downloaded, even when it remains unchanged to the previous
local version. Only on a "HTTP 304 Not Modified" should `apt` optimize
the index files download.


This issue can be mitigated by setting `Acquire::Max-FutureTime` to
a large value.

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (no /etc/apt/preferences.d/* present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- (/etc/apt/sources.list.d/debian-backports.list present, but not submitted) --


-- (/etc/apt/sources.list.d/google-talkplugin.list present, but not submitted) --


-- (/etc/apt/sources.list.d/pbuilder.list present, but not submitted) --


-- (/etc/apt/sources.list.d/skype-stable.list present, but not submitted) --


-- (/etc/apt/sources.list.d/teamviewer.list present, but not submitted) --


-- (/etc/apt/sources.list.d/teamviewer.list.dpkg-dist present, but not submitted) --


-- (/etc/apt/sources.list.d/univention.list present, but not submitted) --


-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-12-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apt depends on:
ii  adduser                 3.118
ii  debian-archive-keyring  2019.1
ii  gpgv                    2.2.12-1+deb10u1
ii  libapt-pkg5.0           1.8.2.1
ii  libc6                   2.28-10
ii  libgcc1                 1:8.3.0-6
ii  libgnutls30             3.6.7-4+deb10u5
ii  libseccomp2             2.3.3-4
ii  libstdc++6              8.3.0-6

Versions of packages apt recommends:
ii  ca-certificates  20200601~deb10u1

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.11-7
ii  dpkg-dev        1.19.7
ii  gnupg           2.2.12-1+deb10u1
ii  gnupg1          1.4.23-1
ii  gnupg2          2.2.12-1+deb10u1
ii  powermgmt-base  1.34

-- no debconf information

Reply to:

Prev by Date: python-apt_2.1.6_source.changes ACCEPTED into unstable
Next by Date: Bug#976168: apt: Typo when updating/installing packages
Previous by thread: python-apt_2.1.6_source.changes ACCEPTED into unstable
Next by thread: Bug#976168: apt: Typo when updating/installing packages
Index(es):
- Date
- Thread