Bug#1099018: apt: provide HTTP headers on checksum mismatch (and other failures)
Control: tag -1 wontfix
On Thu, Feb 27, 2025 at 11:21:21AM +0100, Chris Hofstaedtler wrote:
> Package: apt
> Version: 2.9.30
>
> While investigating a checksum mismatch error today, DSA and I
> would have had a much easier time if APT would print the received
> HTTP headers on such an error.
>
> IOW:
>
> When printing...
>
> E: Failed to fetch http://deb.debian.org/debian/pool/main/p/pyjwt/pyjwt_2.10.1-2.dsc File has unexpected size (24636 != 2390). Mirror sync in progress? [IP: 199.232.18.132 80]
> Hashes of expected file:
> - SHA256:18c7ac34d689629fef29f06a3de41a4c998c2a4ee42f9c36d7ebcaa12e051e8c
> - Filesize:2390 [weak]
> - MD5Sum:1dd7eb9413a1831538d87c7a1627d266 [weak]
>
> ..., please also print all received HTTP headers (including values),
> for example (but not limited to) X-Served-By, X-Cache, X-Cache-Hits,
> Age, Via, Last-Modified, Content-Length, Date.

I am going to say no; because this is a significant detriment to
the user experience, and carries significant security concerns as
well. All the headers need to have unsafe characters removed, etc.

We have many many years ago implemented a hook system for mirror
failure reports that nobody actually started using, but that would
be the appropriate infrastructure to use.

We should rather go in the opposite direction: Error messages should
include actionable information for the user. Neither the hashes nor
the sizes are relevant in the error message, and we should not show
them; the correct error would be:

E: Failed to fetch http://deb.debian.org/debian/pool/main/p/pyjwt/pyjwt_2.10.1-2.dsc; mirror seems damaged.

That's all they need to know, and adding more information just confuses
them into wondering what _they_ should do about it.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
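
Added example, not part of the message above and not APT code: a sketch of what "unsafe characters removed" involves before header lines received from a mirror could be shown on a terminal or written to a log. The function names, the length and count limits, and the sample headers are assumptions made for illustration.

```cpp
#include <cstdio>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not an APT function): make one untrusted header line
// safe to display. Printable ASCII passes through; control bytes (ESC, CR,
// LF, NUL, ...), non-ASCII bytes and the backslash itself become \xNN, so the
// server can neither drive the terminal nor forge additional output lines.
std::string SanitizeHeaderLine(const std::string &line, size_t maxLen = 256)
{
   std::string out;
   for (unsigned char c : line)
   {
      if (out.size() >= maxLen)
      {
         out += "[...]"; // mark truncation of over-long values
         break;
      }
      if (c >= 0x20 && c < 0x7f && c != '\\')
         out += static_cast<char>(c);
      else
      {
         char buf[5]; // "\xNN" plus terminating NUL
         std::snprintf(buf, sizeof(buf), "\\x%02x", static_cast<unsigned>(c));
         out += buf;
      }
   }
   return out;
}

// Hypothetical helper: sanitize a header list and bound how many are shown.
std::vector<std::string> SanitizeHeaders(const std::vector<std::string> &headers,
                                         size_t maxHeaders = 32)
{
   std::vector<std::string> out;
   for (const auto &h : headers)
   {
      if (out.size() >= maxHeaders)
      {
         out.push_back("[further headers omitted]");
         break;
      }
      out.push_back(SanitizeHeaderLine(h));
   }
   return out;
}

int main()
{
   // Constructed sample input: one benign header, two carrying hostile bytes.
   std::vector<std::string> sample = {"X-Cache: HIT",
      "X-Served-By: cache\x1b[2J\x1b[1;1H", "Via: 1.1 varnish\r\nE: forged line"};
   for (const auto &l : SanitizeHeaders(sample))
      std::cout << "  " << l << "\n";
}
```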