[Bug 1157943] Re: apt-get update fails hash checks on https repositories when file size changes

David Kalnischkies 1157943 at bugs.launchpad.net
Wed Mar 27 17:02:28 UTC 2013


(assuming "David" means me: Better ask Michael Vogt as he is debugging
another https problem at the moment)

That said, step 4 is incorrect, Range answers with an error code of 416. The behavior described is that of Range with If-Range.
I haven't tested this at all, but browsing documentation makes me doubt that this is sent by curl (which date should it send?).

So we need to check for a range error and retry without one – still
doesn't really solve the problem as we still get the "wrong" data in the
scenario above (just replace "smaller" with "bigger" to have valid
ranges).

I guess to really fix this we have to bite the bullet and work with a
CURLOPT_HEADERFUNCTION to see what the response is. I might be completely
wrong though and will leave that up to someone who actually has access
to infrastructure for testing this.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1157943

Title:
  apt-get update fails hash checks on https repositories when file size
  changes

Status in “apt” package in Ubuntu:
  New

Bug description:
  apt uses its own strategy for sending Range: requests on https,
  instead of the libcurl handling. Here is a scenario where it gets it
  wrong:

  1) apt downloads the file but doesn't put the file in place yet (perhaps it got interrupted or something)
  2) the file on the server gets replaced by a smaller file
  3) the next update run wants to download the file, sees a partial read, and asks for Range: (len(file)-1)-
  4) the server sees a Range: request for a byte-range past the end of (the current version of) the file, considers it invalid, and streams the entire file. (This is correct behavior.)
  5) apt assumes the response is the range it expected, and appends it to the local staging copy (minus one byte).

  Instead of rolling apt's own attempt to handle ranges in the https
  method, it should just use libcurl's. Attached is a patch which solves
  the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1157943/+subscriptions
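
The message above suggests inspecting the response through a CURLOPT_HEADERFUNCTION callback before trusting a resumed download. The following C sketch is an added example, not code from apt or from this thread: it classifies a reply to a Range request from its status line and Content-Range header so that a full body is never appended to a partial file. All type and function names are hypothetical, and the sample headers are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names throughout; this is not apt's https method. */
enum resume_action { RESUME_APPEND, RESUME_RESTART, RESUME_RETRY_NO_RANGE, RESUME_FAIL };
struct resume_state {
    long long requested_offset; /* N from the "Range: bytes=N-" we sent */
    int status;                 /* code from the most recent status line */
    long long range_start;      /* first byte named in Content-Range, -1 if absent */
};

/* Call once per header line, e.g. from a CURLOPT_HEADERFUNCTION callback. */
static void resume_feed_header(struct resume_state *st, const char *line)
{
    long long first, last;
    if (strncmp(line, "HTTP/", 5) == 0) {   /* "HTTP/1.1 206 ..." or "HTTP/2 206" */
        const char *sp = strchr(line, ' ');
        st->range_start = -1;               /* a new response resets what we saw */
        if (sp == NULL || sscanf(sp, " %d", &st->status) != 1)
            st->status = 0;
    } else if (strncasecmp(line, "Content-Range:", 14) == 0 &&
               sscanf(line + 14, " bytes %lld-%lld", &first, &last) == 2) {
        st->range_start = first;            /* the 416 form with '*' does not match */
    }
}

/* Decide before any body byte is written. A matching 206 only shows the
 * offsets agree, not that the file version is unchanged; the hash check
 * still has the final word on that. */
static enum resume_action resume_decide(const struct resume_state *st)
{
    if (st->status == 206)
        return st->range_start == st->requested_offset ? RESUME_APPEND : RESUME_FAIL;
    if (st->status == 200) return RESUME_RESTART;        /* full body: truncate first */
    if (st->status == 416) return RESUME_RETRY_NO_RANGE; /* drop partial, ask again */
    return RESUME_FAIL;
}

static enum resume_action resume_classify(long long offset, const char *const *hdrs, size_t n)
{
    struct resume_state st = { offset, 0, -1 };
    for (size_t i = 0; i < n; i++)
        resume_feed_header(&st, hdrs[i]);
    return resume_decide(&st);
}

/* Constructed sample: a full-body reply to "Range: bytes=99-". */
static const char *const RESP_200[] = { "HTTP/1.1 200 OK\r\n", "Content-Length: 50\r\n" };
int main(void) { printf("%d\n", resume_classify(99, RESP_200, 2)); return 0; }
```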



