apt-get --allow-unauthenticated still prefers authenticated packages on network to unauthenticated on localhost

Automatically imported from Debian bug report #335112 http://bugs.debian.org/335112

Message-ID: <email address hidden>
Date: Sat, 22 Oct 2005 02:16:39 +0200
From: David Madore <email address hidden>
To: <email address hidden>
Subject: apt-get --allow-unauthenticated still prefers authenticated packages on network to
 unauthenticated on localhost

Package: apt
Version: 0.6.41
Severity: serious

The --allow-unauthenticated option does not revert to the exact
pre-0.6.27 behavior: even when this flag is passed on the command
line, apt still favors an authenticated package on the network to an
unauthenticated package on the local host (say with a file:/// URL in
the sources.list).

No combination of switches seems to be sufficient to _completely_
remove any kind of authentication-related feature (and revert to the
pre-0.6.27 behavior in all respects).

This severely breaks very-low-bandwidth systems where it is assumed
that the local package set will be favored over the networked ones.

--
     David A. Madore
    (<email address hidden>,
     http://www.madore.org/~david/ )

Message-ID: <email address hidden>
Date: Fri, 21 Oct 2005 17:25:25 -0700
From: Steve Langasek <email address hidden>
To: David Madore <email address hidden>, <email address hidden>
Subject: Re: Bug#335112: apt-get --allow-unauthenticated still prefers authenticated packages on
 network to unauthenticated on localhost

--6TrnltStXW4iwmi0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

severity 335112 important
thanks

On Sat, Oct 22, 2005 at 02:16:39AM +0200, David Madore wrote:
> Package: apt
> Version: 0.6.41
> Severity: serious

> The --allow-unauthenticated option does not revert to the exact
> pre-0.6.27 behavior: even when this flag is passed on the command
> line, apt still favors an authenticated package on the network to an
> unauthenticated package on the local host (say with a file:/// URL in
> the sources.list).

> No combination of switches seems to be sufficient to _completely_
> remove any kind of authentication-related feature (and revert to the
> pre-0.6.27 behavior in all respects).

> This severely breaks very-low-bandwidth systems where it is assumed
> that the local package set will be favored over the networked ones.

This does not fit the description of a severity: serious bug. The obvious
workaround here would be to not list apt sources in your configuration that
you don't actually want apt to use...

--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

--6TrnltStXW4iwmi0
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDWYb1KN6ufymYLloRAgn6AJ0UZNcZ1AKH3aGu25jT7VdZDKE0XACfaDFW
6b/9go1HRZcFkXhOUO47bHI=
=5HZb
-----END PGP SIGNATURE-----

--6TrnltStXW4iwmi0--

Message-ID: <email address hidden>
Date: Sat, 22 Oct 2005 02:41:18 +0200
From: David Madore <email address hidden>
To: Steve Langasek <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#335112: apt-get --allow-unauthenticated still prefers authenticated packages on
 network to unauthenticated on localhost

On Fri, Oct 21, 2005 at 05:25:25PM -0700, Steve Langasek wrote:
> The obvious
> workaround here would be to not list apt sources in your configuration that
> you don't actually want apt to use...

So I guess my bug report wasn't clean enough on what is required: the
sources should be used (for example for packages which are newer on
these sources), but with lower priority than the sources on the local
drive. As in previous versions of apt, that is.

--
     David A. Madore
    (<email address hidden>,
     http://www.madore.org/~david/ )

Message-ID: <email address hidden>
Date: Fri, 21 Oct 2005 17:54:35 -0700
From: Steve Langasek <email address hidden>
To: David Madore <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#335112: apt-get --allow-unauthenticated still prefers authenticated packages on
 network to unauthenticated on localhost

--SLDf9lqlvOQaIe6s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Oct 22, 2005 at 02:41:18AM +0200, David Madore wrote:
> On Fri, Oct 21, 2005 at 05:25:25PM -0700, Steve Langasek wrote:
> > The obvious
> > workaround here would be to not list apt sources in your configuration =
that
> > you don't actually want apt to use...

> So I guess my bug report wasn't clean enough on what is required: the
> sources should be used (for example for packages which are newer on
> these sources), but with lower priority than the sources on the local
> drive. As in previous versions of apt, that is.

No, that's clear; I just don't consider this release critical.

--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

--SLDf9lqlvOQaIe6s
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDWY3LKN6ufymYLloRAqoIAKC9oILKBaLRvtb57gBbma50oDA62gCfYlwx
JVCYSM83Eyyywpunv5RFtgc=
=MIR8
-----END PGP SIGNATURE-----

--SLDf9lqlvOQaIe6s--

Message-Id: <email address hidden>
Date: Thu, 27 Oct 2005 05:38:31 +0100
From: Barrie Millar <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apt: Bug confirmed

Package: apt
Version: 0.6.41
Followup-For: Bug #335112

Hi

I can confirm this bug. It's absolutely crippling for those individuals who
run local repositories and results in a very serious limitation. There seems
to be no way around this through configuration either, so the only way of
getting around it is to downgrade. I suspect this is not always possible for
everything.

Removing the official sources from /etc/apt/sources.list to use the local
repository may seem like the perfect temporary solution. However, during
the downloading phase from the official servers, the local archives are
totally ignored and all required packages are downloaded from the remote
server with no regard for those you may already have. This is a serious
waste of bandwidth and disk space as you end up with multiple copies of
identical packages. This may not be the case with complex repositories, but
it is for trival ones.

According to Debian policy, this bug seems to clearly fit into the
"important" severity level. However, I consider this bug more serious than
any other "important" bug I've submitted to date, given the impact it has
and the number of users it is likely to effect. Perhaps a higher priority
"important" level would be worth considering for Debian in the future.

Regards,

Barrie

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Cache-Limit "120000000";
APT::Get "";
APT::Get::AllowUnauthenticated "true";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";

-- (no /etc/apt/preferences present) --

-- (/etc/apt/sources.list present, but not submitted) --

-- System Information:
Debian Release: 3.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-bm041127-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apt depends on:
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libgcc1 1:4.0.1-3 GCC support library
ii libstdc++6 ...

Message-ID: <email address hidden>
Date: Wed, 9 Nov 2005 07:27:31 +0100
From: Michael Vogt <email address hidden>
To: David Madore <email address hidden>, <email address hidden>
Subject: Re: Bug#335112: apt-get --allow-unauthenticated still prefers authenticated packages on
 network to unauthenticated on localhost

--SLDf9lqlvOQaIe6s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sat, Oct 22, 2005 at 02:16:39AM +0200, David Madore wrote:
> Package: apt
> Version: 0.6.41
> Severity: serious

Thanks for your bugreport.

> The --allow-unauthenticated option does not revert to the exact
> pre-0.6.27 behavior: even when this flag is passed on the command
> line, apt still favors an authenticated package on the network to an
> unauthenticated package on the local host (say with a file:/// URL in
> the sources.list).
>
> No combination of switches seems to be sufficient to _completely_
> remove any kind of authentication-related feature (and revert to the
> pre-0.6.27 behavior in all respects).
>
> This severely breaks very-low-bandwidth systems where it is assumed
> that the local package set will be favored over the networked ones.

Could you please test if the attached patch fixes the problem?

Cheers,
 Michael

--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo

--SLDf9lqlvOQaIe6s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="apt-trusted-fetching.diff"

* looking for <email address hidden>/apt--mvo--0--patch-88 to compare with
* comparing to <email address hidden>/apt--mvo--0--patch-88: .. done.

* modified files

--- orig/apt-pkg/acquire-item.cc
+++ mod/apt-pkg/acquire-item.cc
@@ -770,6 +770,12 @@
       }
    }

+ // "allow-unauthenticated" restores apts old fetching behaviour
+ // that means that e.g. unauthenticated file:// uris are higher
+ // priority than authenticated http:// uris
+ if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
+ Trusted = false;
+
    // Select a source
    if (QueueNext() == false && _error->PendingError() == false)
       _error->Error(_("I wasn't able to locate file for the %s package. "

--SLDf9lqlvOQaIe6s--

Message-Id: <email address hidden>
Date: Wed, 09 Nov 2005 20:17:05 -0800
From: Michael Vogt <email address hidden>
To: <email address hidden>
Subject: Bug#335112: fixed in apt 0.6.42.3

Source: apt
Source-Version: 0.6.42.3

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.6.42.3_all.deb
  to pool/main/a/apt/apt-doc_0.6.42.3_all.deb
apt-utils_0.6.42.3_i386.deb
  to pool/main/a/apt/apt-utils_0.6.42.3_i386.deb
apt_0.6.42.3.dsc
  to pool/main/a/apt/apt_0.6.42.3.dsc
apt_0.6.42.3.tar.gz
  to pool/main/a/apt/apt_0.6.42.3.tar.gz
apt_0.6.42.3_i386.deb
  to pool/main/a/apt/apt_0.6.42.3_i386.deb
libapt-pkg-dev_0.6.42.3_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.6.42.3_i386.deb
libapt-pkg-doc_0.6.42.3_all.deb
  to pool/main/a/apt/libapt-pkg-doc_0.6.42.3_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <email address hidden> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 9 Nov 2005 07:22:31 +0100
Source: apt
Binary: apt-utils libapt-pkg-doc libapt-pkg-dev apt-doc apt
Architecture: source all i386
Version: 0.6.42.3
Distribution: unstable
Urgency: low
Maintainer: APT Development Team <email address hidden>
Changed-By: Michael Vogt <email address hidden>
Description:
 apt - Advanced front-end for dpkg
 apt-doc - Documentation for APT
 apt-utils - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 329910 333599 335112 335164 335213 337078 337163 337306 337910 337949 338101
Changes:
 apt (0.6.42.3) unstable; urgency=low
 .
   * Merge <email address hidden>/apt--main--0 up to patch-129:
     - patch-118: Russian translation update by Yuri Kozlov (closes: #335164)
     - patch-119: add update-po as a pre-req for binary (closes: #329910)
     - patch-121: Complete French translation
     - patch-125: Fixed localization of y/n questions in German translation
                  (closes: #337078)
     - patch-126: Swedish translation update (closes: #337163)
     - patch-127: Complete Tagalog translation (closes: #337306)
     - patch-128: Danish translation update (closes: #337949)
     - patch-129: Basque translation update (closes: #338101)
   * cmdline/apt-get.cc:
     - bufix in FindSrc (closes: #335213, #337910)
   * added armeb to archtable (closes: #333599)
   * with --allow-unauthenticated use the old fallback behaviour for
     sources (closes: #335112)
Files:
 aef61765106a06833cec7e0df5ddc793 789 admin important apt_0.6.42.3.dsc
 990abfcb7c17fc7a82c1b6c0b92c906b 1453891 admin important apt_0.6.42.3.tar.gz
...

We have this fix in dapper now.