apt-key net-update does not obey APT::Acquire::http::Proxy

Bug #226780 reported by Michael
This bug affects 20 people
Affects: apt (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

[Impact]
IWBNI apt-key obeyed apt's network preferences like the rest of the apt-* tools do. The fix is to append a timeout option to wget, which is invoked in apt-key during key retrieval. An example would be attempting to reduce the number of retries wget performs in order to receive the gpg key. The default is 20 tries; however, if the firewall is set to DROP packets then that's a 90*20 timeout.

[Test Case]
# iptables -A OUTPUT -p tcp --dport 80 -j DROP
# wget -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
[endless hang] ^C

# iptables -F
# iptables -A OUTPUT -p tcp --dport 80 -j REJECT
# wget --timeout=90 -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
[returns in 90 seconds]
#
# iptables -F
# wget --timeout=90 -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
[returns instantly]
#
#
# iptables -A OUTPUT -p tcp --dport 80 -j DROP
# route del default
# wget --timeout=90 -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
[returns instantly]

[Regression Potential]
Potential for regression is minimal, as this would allow apt-key to successfully time out if the keyserver is unreachable and allow for continued operation required by other services (i.e. cron-executed instances).
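
Added example (not part of this bug report and not apt's own code): a POSIX shell sketch that combines what the title asks for with the timeout from the test case, by reading the proxy with `apt-config shell` and building a bounded wget command. The function names, the APT_CONFIG_BIN override and the `--tries=2` value are assumptions; `Acquire::http::Proxy::<host>` and its `DIRECT` value are existing apt settings.

```shell
#!/bin/sh
# Hypothetical helper names; APT_CONFIG_BIN only exists so the lookup can be stubbed.
APT_CONFIG_BIN="${APT_CONFIG_BIN:-apt-config}"

# Extract the host part of an http:// URL (drops scheme, path, userinfo, port).
url_host() {
    rest="${1#*://}"; rest="${rest%%/*}"; rest="${rest##*@}"
    printf '%s' "${rest%%:*}"
}

# Print the proxy apt would use for host $1: a URL, DIRECT, or nothing if unset.
apt_http_proxy() {
    proxy=""
    command -v "$APT_CONFIG_BIN" >/dev/null 2>&1 || return 0
    # A per-host setting overrides the global Acquire::http::Proxy.
    eval "$("$APT_CONFIG_BIN" shell proxy "Acquire::http::Proxy::$1")"
    if [ -z "$proxy" ]; then
        eval "$("$APT_CONFIG_BIN" shell proxy Acquire::http::Proxy)"
    fi
    printf '%s' "$proxy"
}

# Print a wget command line for URL $1 with apt's proxy and bounded waiting.
# --timeout=90 is the value from the test case; --tries=2 is an assumed cap
# that replaces wget's default of 20 tries.
bounded_wget_cmd() {
    url="$1"
    proxy="$(apt_http_proxy "$(url_host "$url")")"
    set -- wget -q -N --timeout=90 --tries=2
    if [ "$proxy" = "DIRECT" ]; then
        set -- "$@" --no-proxy               # apt says: bypass any proxy for this host
    elif [ -n "$proxy" ]; then
        set -- "$@" -e use_proxy=yes -e "http_proxy=$proxy"
    fi                                       # unset: wget falls back to the environment
    printf '%s\n' "$* $url"
}

# Show the command that would be run for the keyring URL from the test case.
bounded_wget_cmd http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
```

With these caps the worst case for a dropped connection is bounded by roughly two 90-second attempts instead of twenty.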

Mark Goldfinch (mark-goldfinch) wrote :

I can confirm this is a problem for servers in environments which require the use of an http proxy for outbound HTTP:

Excerpt from ps uaxww at local time 08:15:

root 6779 0.0 0.3 2432 880 ? S 06:25 0:00 /USR/SBIN/CRON
root 6780 0.0 0.1 1772 484 ? Ss 06:25 0:00 /bin/sh -c test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
root 6781 0.0 0.2 1700 548 ? S 06:25 0:00 run-parts --report /etc/cron.daily
root 6783 0.0 0.2 1772 516 ? S 06:25 0:00 /bin/sh /etc/cron.daily/apt
root 6812 0.0 0.2 1772 516 ? S 06:42 0:00 /bin/sh /usr/bin/apt-key net-update
root 6816 0.0 0.5 3868 1428 ? S 06:42 0:00 wget -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg

The problem machine is 8.04.2 server. In this current state "apt-key net-update" prevents unattended-upgrades from running.

Please see attached for a proposed patch to fix this problem.

Dimas (dimasmjunior) wrote :

I can confirm that on Jaunty.

Adelie (dave-solar1) wrote :

I can confirm this bug on Karmic as well.

Stanislas Couix (stanislas-couix) wrote :

Hi,

I can confirm this bug on Karmic too. I am behind a proxy (without authentication needed) at work. Apt-get works great and uses the proxy settings in GNOME. Apt-key seems to use the proxy as well (seen with "sudo netstat -taupe") but the connection times out.

Stan

Adam Guthrie (therigu)
Changed in apt (Ubuntu):
status: New → Confirmed
Stéphane Loeuillet (leroutier) wrote :

10.04/Lucid is affected too ...

Mathias (mathias-me) wrote :

11.04/natty is affected too ...

Johannes Martin (jmartin-notamusica) wrote :

11.10/oneiric is affected too. This also creates problems with anacron, since /etc/cron.daily/apt runs apt-key net-update.

See https://bugs.launchpad.net/ubuntu/+source/anacron/+bug/606491

Changed in apt (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Steve Langasek (vorlon)
tags: added: rls-mgr-p-tracking
Chris J Arges (arges)
tags: added: precise
Changed in apt (Ubuntu Precise):
importance: Undecided → Medium
Changed in apt (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Triaged
Changed in apt (Ubuntu Precise):
status: New → Triaged
Chris J Arges (arges)
Changed in apt (Ubuntu Precise):
milestone: none → ubuntu-12.04.1
description: updated
description: updated
Michael (miiichael) wrote :

I feel the updated description describes a different bug to what I (and other commenters) are reporting on, i.e. as per the bug *title*, that apt-key does not obey APT::Acquire::http::Proxy. The new description merely suggests changing behaviour such that it fails sooner, rather than not make it fail in the first place!

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu Natty):
status: New → Confirmed
Changed in apt (Ubuntu Oneiric):
status: New → Confirmed
Changed in apt (Ubuntu Precise):
milestone: ubuntu-12.04.1 → precise-updates
Changed in apt (Ubuntu Natty):
status: Confirmed → Won't Fix
Changed in apt (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in apt (Ubuntu Lucid):
status: Triaged → Won't Fix
Changed in apt (Ubuntu Precise):
status: Triaged → Won't Fix
Mathew Hodson (mhodson)
no longer affects: apt (Ubuntu Lucid)
no longer affects: apt (Ubuntu Natty)
no longer affects: apt (Ubuntu Oneiric)
no longer affects: apt (Ubuntu Precise)