
Bug#1014517:



I understand and agree the behavior doesn't quite make sense.
While I know this code has not recently changed inside apt, I believe
it must have recently started expressing itself when combined with
some other change on the mirrors or in the release process.

I do think this is a regression in a practical sense compared to
oldstable. I'm currently unable to create new containers for stable
but am able to for oldstable:
➜  ~ docker run  -it --rm debian:oldstable apt update
Unable to find image 'debian:oldstable' locally
oldstable: Pulling from library/debian
70705a13f194: Pull complete
Digest: sha256:2053cf94aadec2cc167488183a928165313c281b954d042d45ba65cb84459fde
Status: Downloaded newer image for debian:oldstable
Get:1 http://deb.debian.org/debian oldstable InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security oldstable-security
InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian oldstable-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian oldstable/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security oldstable-security/main
amd64 Packages [252 kB]
Get:6 http://deb.debian.org/debian oldstable-updates/main amd64
Packages [14.8 kB]
Fetched 8658 kB in 2s (3764 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
➜  ~ docker run -it --rm debian:stable apt update
Get:1 http://deb.debian.org/debian stable InRelease [151 kB]
Get:2 http://deb.debian.org/debian stable-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security stable-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian stable/main amd64 Packages [8906 kB]
Get:5 http://deb.debian.org/debian stable-updates/main amd64 Packages [4732 B]
Get:6 http://deb.debian.org/debian-security stable-security/main amd64
Packages [48.0 kB]
Fetched 9210 kB in 2s (4051 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function
_gcry_fatal_error: requested algo not in md context

Fatal error: requested algo not in md context

I was able to reproduce this behavior on a fresh EC2 instance with AMI
ID ami-0f2bfd15cb2cab7e0, so I don't think it should have anything to
do with our particular environment.

Is there any other information I can provide?

On Wed, Jul 26, 2023 at 10:55 AM Julian Andres Klode <jak@debian.org> wrote:
>
> On Mon, Jul 24, 2023 at 10:35:35PM -0400, Dillon Amburgey wrote:
> > I have seen this as well. This has recently started breaking apt
> > update on bookworm docker images as well as images built off bookworm
> > (e.g. python:3.8)
> >
> > This can be easily reproduced on FIPS-enabled hosts:
> > docker run  -it --rm debian:bookworm apt update
> > Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
> > Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
> > Get:3 http://deb.debian.org/debian-security bookworm-security
> > InRelease [48.0 kB]
> > Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8906 kB]
> > Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [4732 B]
> > Get:6 http://deb.debian.org/debian-security bookworm-security/main
> > amd64 Packages [48.0 kB]
> > Fetched 9210 kB in 2s (4169 kB/s)
> > fatal error in libgcrypt, file ../../src/misc.c, line 92, function
> > _gcry_fatal_error: requested algo not in md context
> >
> > Fatal error: requested algo not in md context
> >
> > I also was able to use snapshot.debian.org to isolate when the
> > failures started. 20230722T085252Z was the last good snapshot with
> > 20230722T110049Z being the first failing snapshot.
> > docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
> > Get:1 http://snapshot.debian.org/archive/debian/20230722T110049Z
> > bookworm InRelease [151 kB]
> > Get:2 http://snapshot.debian.org/archive/debian/20230722T110049Z
> > bookworm-updates InRelease [52.1 kB]
> > Get:3 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
> > bookworm-security InRelease [48.0 kB]
> > Get:4 http://snapshot.debian.org/archive/debian/20230722T110049Z
> > bookworm/main amd64 Packages [8906 kB]
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T110049Z
> > bookworm-updates/main amd64 Packages [4732 B]
> > Get:6 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
> > bookworm-security/main amd64 Packages [48.0 kB]
> > Fetched 9210 kB in 1min 8s (136 kB/s)
> > fatal error in libgcrypt, file ../../src/misc.c, line 92, function
> > _gcry_fatal_error: requested algo not in md context
> >
> > Fatal error: requested algo not in md context
> >
> > docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
> > Get:1 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm InRelease [147 kB]
> > Get:2 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm-updates InRelease [52.1 kB]
> > Get:3 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
> > bookworm-security InRelease [48.0 kB]
> > Get:4 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
> > bookworm-debug InRelease [49.8 kB]
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages [8904 kB]
> > Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages
> > Get:6 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm-updates/main amd64 Packages [4732 B]
> > Get:7 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
> > bookworm-security/main amd64 Packages [48.0 kB]
> > Get:8 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
> > bookworm-debug/main amd64 Packages [3564 kB]
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages [8904 kB]
> > Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages [8904 kB]
> > Fetched 11.2 MB in 5min 13s (35.9 kB/s)
> > Reading package lists... Done
> > Building dependency tree... Done
> > Reading state information... Done
> > All packages are up to date.
> >
>
> This doesn't make sense, let's be clear about this. MD5 is an integral
> part of the archive, it doesn't suddenly pop up, and APT uses any MD5
> it can find as an additional (untrusted) hash.
>
> And APT itself has been using libgcrypt for hashing since 1.9.6;
> oldstable is shipping 2.2.4.
>
> This is fixed in 2.7.2, fsvo of fixed. I do believe that this is
> bullshit and libgcrypt's FIPS mode should be entirely disabled,
> as in Ubuntu, as Debian's libgcrypt is not FIPS certified.
>
> As this is not a regression vs oldstable, and we realistically
> may be preempting configuration of libgcrypt by applications using
> the apt-pkg library, I do not think this is a change that should
> be released to a stable update.
>
> I did pick it for unstable and testing, but ultimately we need
> to replace libgcrypt with nettle.
>
> --
> debian developer - deb.li/jak | jak-linux.org - free software dev
> ubuntu core developer                              i speak de, en



-- 
Dillon Amburgey
Managing Director, Zetier
+1 (703) 635-3302
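
A triage check for the condition discussed in this thread, as an added example that is not part of either message and is not code from apt or libgcrypt: it reports whether libgcrypt would start in FIPS mode (kernel flag or libgcrypt's documented /etc/gcrypt/fips_enabled file), whether the installed apt predates the 2.7.2 fix named in the reply, and whether a captured apt log contains the abort. The function names and the numeric-only version comparison are assumptions of this sketch.

```shell
#!/bin/sh
# Added triage example (hypothetical helper names, not from apt or libgcrypt).
FIXED_APT="2.7.2"                              # fix version named in the reply
ABORT_SIG='requested algo not in md context'   # error text quoted in the report

# fips_active ROOT: true if libgcrypt would start in FIPS mode under ROOT.
# A container shares the host kernel, so the /proc flag is the host's setting.
fips_active() {
    [ -e "$1/etc/gcrypt/fips_enabled" ] && return 0
    flag="$1/proc/sys/crypto/fips_enabled"
    [ -r "$flag" ] || return 1
    v="$(cat "$flag")"
    [ -n "$v" ] && [ "$v" != "0" ]
}

# ver_lt A B: true if A < B, comparing the leading dotted-numeric part only
# (an approximation; this is not full Debian version ordering).
ver_lt() {
    a="${1%%[!0-9.]*}"; b="${2%%[!0-9.]*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# classify ROOT APT_VERSION: prints not-fips, fips-unpatched or fips-patched.
# fips-unpatched means the fix is absent, not that apt must abort: the thread
# reports oldstable completing `apt update` on the same hosts.
classify() {
    if ! fips_active "$1"; then echo "not-fips"; return; fi
    if ver_lt "$2" "$FIXED_APT"; then echo "fips-unpatched"; else echo "fips-patched"; fi
}

# log_has_abort FILE: true if a saved `apt update` log shows the libgcrypt abort.
log_has_abort() { grep -q -F "$ABORT_SIG" "$1"; }

# Live check, only where dpkg-query exists (run inside the container or host).
if command -v dpkg-query >/dev/null 2>&1; then
    echo "this system: $(classify "" "$(dpkg-query -W -f='${Version}' apt 2>/dev/null)")"
fi
```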

