[Bug 1157943] Re: apt-get update fails hash checks on https repositories when file size changes

Brian Murray brian at ubuntu.com
Mon Nov 25 15:38:22 UTC 2013


It looks to me like this may be resolved in Trusty due to the following
changelog entries:

apt (0.9.12) unstable; urgency=low

  [ Christian Perrier ]
  * Fix typo in apt-private/private-show.cc. Thanks to Benjamin
    Keresa. Closes: #724073

  [ Mark Hymers ]
  * fix libapt-inst for >2G debs (closes: #725483)

  [ David Kalnischkies ]
  * don't strip :any from dependencies in single-arch (Closes: 723586)
  * pkg from only trusted sources keeps being trusted (Closes: 617690)
  * compression-neutral message for missing data.tar member (Closes: 722710)
  * print-uris prints regardless of quiet-level again (Closes: 722207)
  * retry without partial data after a 416 response (Closes: 710924)
  * replace "filesize - 1" trick in http with proper 416 handling
  * fix partial (206 and 416) support in https
  * handle complete responses to https range requests (Closes: 617643, 667699)
    (LP: 1157943)
  * don't consider holds for autoremoval (Closes: 724995)
  * put fetch errors in 'source' on our errorstack
  * use pkgAcqArchive in 'download' for proper errors
  * fix lzma-support detection via xz binary
  * do not ++ on erased package pointers in autoremove

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1157943

Title:
  apt-get update fails hash checks on https repositories when file size
  changes

Status in “apt” package in Ubuntu:
  New
Status in “apt” source package in Precise:
  New

Bug description:
  apt uses its own strategy for sending Range: requests on https,
  instead of the libcurl handling. Here is a scenario where it gets it
  wrong:

  1) apt downloads the file but doesn't put the file in place yet (perhaps it got interrupted or something)
  2) the file on the server gets replaced by a smaller file
  3) the next update run wants to download the file, sees a partial read, and asks for Range: (len(file)-1)-
  4) the server sees a Range: request for a byte-range past the end of (the current version of) the file, considers it invalid, and streams the entire file. (This is correct behavior.)
  5) apt assumes the response is the range it expected, and appends it to the local staging copy (minus one byte).

  Instead of rolling apt's own attempt to handle ranges in the https
  method, it should just use libcurl's. Attached is a patch which solves
  the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1157943/+subscriptions
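
The five-step scenario from the bug description, as an added example that is not part of the bug report or of apt's code: a toy server and two resume strategies in Python, showing why the blind append fails the hash check while a status-aware client does not. The names `serve`, `resume_naive` and `resume_checked` are hypothetical, the file contents are constructed, and the optional 416 mode is an assumption based on the changelog's mention of 416 handling.

```python
import hashlib
import re

def serve(body: bytes, range_header: str, unsatisfiable_status: int = 200):
    """Toy server: returns (status, headers, payload) for a 'bytes=N-' request."""
    start = int(re.fullmatch(r"bytes=(\d+)-", range_header).group(1))
    if start >= len(body):
        # Range starts past the end of the current version of the file.
        if unsatisfiable_status == 416:
            return 416, {"Content-Range": f"bytes */{len(body)}"}, b""
        return 200, {}, body              # step 4: stream the entire file
    headers = {"Content-Range": f"bytes {start}-{len(body) - 1}/{len(body)}"}
    return 206, headers, body[start:]

def resume_naive(partial: bytes, response) -> bytes:
    """Step 5: assume the reply is the requested range and append it,
    minus the one overlapping byte, without looking at the status."""
    _status, _headers, payload = response
    return partial + payload[1:]

def resume_checked(partial: bytes, start: int, response):
    """Append only when the server confirms the range. Returns the new staging
    content, or None when the caller must retry without partial data."""
    status, headers, payload = response
    if status == 200:
        return payload                    # complete response replaces the partial file
    if status == 206:
        m = re.match(r"bytes (\d+)-", headers.get("Content-Range", ""))
        if m and int(m.group(1)) == start:
            return partial[:start] + payload
    return None                           # 416 or a range we did not ask for

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def demo():
    old = b"Package: a\nVersion: 1\nDescription: long text here\n"  # constructed
    new = b"Package: a\nVersion: 2\n"                                # constructed, smaller
    partial = old[:40]                    # step 1: interrupted download
    start = len(partial) - 1              # step 3: Range: (len(file)-1)-
    resp = serve(new, f"bytes={start}-")  # steps 2 and 4
    naive = resume_naive(partial, resp)
    checked = resume_checked(partial, start, resp)
    # (naive hash matches?, checked hash matches?)
    return sha256(naive) == sha256(new), sha256(checked) == sha256(new)
```

`demo()` returns `(False, True)`: the naive staging file is the stale 40 bytes followed by the new file minus its first byte, so its hash cannot match the one in the signed index.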


