[Bug 1657440] Update Released

Steve Langasek steve.langasek at canonical.com
Tue Apr 25 17:56:45 UTC 2017 

The verification of the Stable Release Update for apt has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1657440

Title:
  apt won't redownload Release.gpg after inconsistent cache updates made
  while UCA is being updated

Status in APT:
  Fix Released
Status in apt package in Ubuntu:
  Fix Released
Status in apt source package in Xenial:
  Fix Committed
Status in apt source package in Yakkety:
  Fix Released

Bug description:
  # apt --version
  apt 1.2.18 (amd64)

  xenial

  I got myself into a situation where a repository has a Release and a
  Release.gpg file, but apt is just ignoring the gpg one and won't
  download it via apt update for some reason:

  The repository in question is http://ubuntu-
  cloud.archive.canonical.com/ubuntu/dists/xenial-updates/newton/. See
  how locally I have just the Release file:

  root at juju-cb14ed-0-lxd-3:/var/lib/apt/lists# l *Release*
  -rw-r--r-- 1 root root 100K Jan 15 18:03 archive.ubuntu.com_ubuntu_dists_xenial-backports_InRelease
  -rw-r--r-- 1 root root 242K Apr 21  2016 archive.ubuntu.com_ubuntu_dists_xenial_InRelease
  -rw-r--r-- 1 root root 100K Jan 18 11:42 archive.ubuntu.com_ubuntu_dists_xenial-updates_InRelease
  -rw-r--r-- 1 root root 100K Jan 18 11:42 security.ubuntu.com_ubuntu_dists_xenial-security_InRelease
  -rw-r--r-- 1 root root 7.7K Jan 18 11:45 ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release

  Now I try an update. See how the Release.gpg file gets a "Hit:" instead of a "Get:":
  root at juju-cb14ed-0-lxd-3:/var/lib/apt/lists# apt update
  Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
  Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
  Ign:3 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton InRelease
  Get:4 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
  Hit:5 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton Release
  Get:6 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton Release.gpg [543 B]
  Hit:7 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
  Fetched 205 kB in 0s (395 kB/s)
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  8 packages can be upgraded. Run 'apt list --upgradable' to see them.

  And I can't install packages:
  root at juju-cb14ed-0-lxd-3:/var/lib/apt/lists# apt dist-upgrade
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Calculating upgrade... Done
  The following NEW packages will be installed:
    python3-setuptools
  The following packages will be upgraded:
    dh-python dnsmasq-base python-pkg-resources python-setuptools python3-cryptography python3-pkg-resources python3-requests python3-urllib3
  8 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 1,193 kB of archives.
  After this operation, 808 kB of additional disk space will be used.
  Do you want to continue? [Y/n]
  WARNING: The following packages cannot be authenticated!
    dh-python dnsmasq-base python-setuptools python-pkg-resources python3-pkg-resources python3-setuptools python3-cryptography python3-requests python3-urllib3
  Install these packages without verification? [y/N] n
  E: Some packages could not be authenticated
  root at juju-cb14ed-0-lxd-3:/var/lib/apt/lists#

  Somehow apt is thinking it has the Release.gpg file, but it doesn't?

  This server is behind a squid proxy.


  [Impact]
  An apt update of an apt repository that does not use InRelease during the time it is being updated can cause the gpg file to not be downloaded and updated. This makes the packages from the repository be unable to be authenticated.

  The Ubuntu Cloud Archive is one of the archives that meets this
  criteria.

  The impact to downstream automation deployment code is that if they
  are adding the UCA repo to a system and calling apt update during the
  time the UCA is being updated by Canonical, the repo can get into a
  state where the Release.gpg file is not there and all package installs
  will fail due to "unauthenticated packages" error.

  [Test Case]
  A detailed python script was attached.

  To reproduce this outside that script you would want to:
  1. Add the UCA repo
  2. Do the following in a loop starting at 43 minutes after the hour and run it until 55 minutes after the hour:
  2.1 Remove these files to simulate the UCA repo being added the first time.
  /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release
  /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_Release.gpg
  /var/lib/apt/lists/ubuntu-cloud.archive.canonical.com_ubuntu_dists_xenial-updates_newton_main_binary*Packages

  2.2 apt-get update
  3. Check the state of the 3 files you deleted. If you have the _Release file but not the _Release.gpg you have recreated the issue.
  4. If you have not recreated the issue, continue GOTO 2 and continue to loop.

  [Regression Potential]
  Unknown

To manage notifications about this bug go to:
https://bugs.launchpad.net/apt/+bug/1657440/+subscriptions

More information about the foundations-bugs mailing list