
Bug#986284: update InRelease files in place and changes owner and mode in the process



Package: apt
Version: 2.2.2
Severity: minor

Hi,

when doing apt update, InRelease files seem to be downloaded and
upgraded in place. While this happens, the file's owner/mode changes
from root:root 644 to _apt:root 640 and back after a few seconds.

A simultaneously running aide (https://tracker.debian.org/pkg/aide)
process might pick this up and put it in a report. This has actually
happened (I have a black thumb for software).

While the file is still identical after the download, triggering this
behavior is somewhat unlikely, but I would still prefer if apt
downloaded InRelease files to a temporary file name and then renamed the
new file in place iff the new contents differ from the old one
(keeping even the inode number the same in the 'did not change' case).

I did a few tests and have only found this behavior for InRelease files.
But of course, I'd love to have this behavior for all files that apt
downloads and keeps around during its operation.

This is by no means something that needs to be fixed before the bullseye
release. Thanks for your consideration!

Greetings
Marc



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.11.10-zgws1 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.118
ii  debian-archive-keyring  2021.1.1
ii  gpgv                    2.2.27-1
ii  libapt-pkg6.0           2.2.2
ii  libc6                   2.31-10
ii  libgcc-s1               10.2.1-6
ii  libgnutls30             3.7.1-1
ii  libseccomp2             2.5.1-1
ii  libstdc++6              10.2.1-6
ii  libsystemd0             247.3-3

Versions of packages apt recommends:
ii  ca-certificates  20210119

Versions of packages apt suggests:
ii  apt-doc         2.2.2
ii  aptitude        0.8.13-3
ii  dpkg-dev        1.20.7.1
ii  gnupg           2.2.27-1
ii  gnupg2          2.2.27-1
ii  powermgmt-base  1.36

-- no debconf information
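
The approach requested in the report above (download to a temporary name, rename into place only if the contents differ), as an added example that is not part of the original message and is not apt's code. The function `install_if_changed`, the `.partial-` prefix and the sample file name are assumptions made for the illustration; ownership is left out because chown needs privileges.

```python
import filecmp
import os
import stat
import tempfile


def install_if_changed(data: bytes, dest: str, mode: int = 0o644) -> bool:
    """Install data at dest; return True only if dest was replaced.

    Identical content leaves dest untouched (same inode, mode, mtime).
    """
    dest_dir = os.path.dirname(os.path.abspath(dest))
    # Same directory as dest, so the rename never crosses a filesystem.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        if os.path.exists(dest) and filecmp.cmp(tmp, dest, shallow=False):
            return False  # unchanged: dest is never opened for writing
        os.chmod(tmp, mode)    # final mode is set before the file is visible
        os.replace(tmp, dest)  # atomic rename over the old file
        tmp = None
        return True
    finally:
        if tmp is not None:
            os.unlink(tmp)  # discard the download that was not needed


def demo() -> dict:
    """Constructed sample: same bytes twice, then different bytes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example_InRelease")  # constructed file name
        first = install_if_changed(b"Suite: unstable\n", path)
        before = os.stat(path)
        second = install_if_changed(b"Suite: unstable\n", path)
        same = os.stat(path)
        third = install_if_changed(b"Suite: testing\n", path)
        with open(path, "rb") as fh:
            content = fh.read()
        return {
            "results": (first, second, third),
            "inode_kept": before.st_ino == same.st_ino,
            "mtime_kept": before.st_mtime_ns == same.st_mtime_ns,
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "content": content,
            "leftovers": sorted(os.listdir(d)),
        }
```

With this pattern a file integrity checker running at the same time sees either the old file or the new one, each with its final mode, and never an intermediate state.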

