Debian GNU/Linux

apt does not handle HTTP redirects

Reported by Asheesh Laroia on 2005-07-04
46
This bug affects 5 people
Affects Status Importance Assigned to Milestone
apt (Debian)
Fix Released
Unknown
apt (Ubuntu)
Wishlist
Michael Vogt

Bug Description

Problem: apt considers 3xx HTTP server responses the

Reproducability: Always

Solution: Make apt's HTTP method follow redirects

Discussion:

I want to set up a package repository on my home (cable modem-based) server that
can scale to many Internet clients.

Since my use is non-commercial, the Coral Cache <http://www.coralcdn.org/> can
be used to distribute the package files. I want to count downloads, so I can
get a sense of how popular my packages are. So, I want to store my package
files in an HTTP-accessible directory and have Apache redirect packages to the
Coralized URL. That way, a client's apt-get install with hit my server, which
will return a "302 Found" redirect to the Coral cache; I count package hits
without serving the huge files.

Unfortunately, apt doesn't handle redirects at all; it treats all 3xx HTTP
responses from the web server as errors.

I have a blog entry here - http://blogs.jhu.edu/users/paulproteus/18033.html -
where I give a tiny bit more detail, but I think this bug report is adequate.

Asheesh Laroia (paulproteus) wrote :

For what it's worth, switching apt's HTTP method to use an existing HTTP library
that is already well-behaved would be one way to solve this problem. One such
library is libcURL.

Michael Vogt (mvo) wrote :

Thanks for your bugreport

Support for apt redirection is available in the
<email address hidden>/apt--http-authentication--0

baz branch.

Cheers,
 Michael

Asheesh Laroia (paulproteus) wrote :

(In reply to comment #2)
> Thanks for your bugreport
>
> Support for apt redirection is available in the
> <email address hidden>/apt--http-authentication--0
>
> baz branch.

Interesting. How does one check this out? (I've only ever used cvs and svn
before.)

Also, on what timeframe will this be distributed with Ubuntu? With Debian?

Michael Vogt (mvo) wrote :

(In reply to comment #3)
> (In reply to comment #2)
> > Support for apt redirection is available in the
> > <email address hidden>/apt--http-authentication--0
>
> Interesting. How does one check this out? (I've only ever used cvs and svn
> before.)

Sorry, I should have been more verbose. You need to install the package "bazaar".
Then run:
$ baz register-archive http://people.ubuntu.com/~mvo/arch/ubuntu
$ baz get <email address hidden>/apt--http-authentication--0
apt--http-authentication
$ cd apt--http-authentication
$ debian/rules arch-build
and then you find the deb packages in debian/arch-build

> Also, on what timeframe will this be distributed with Ubuntu? With Debian?

I can't give you a timeframe. It depends on what Matt thinks about the code.
Testing is welcome.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 7 Dec 2000 13:51:40 +0000
From: Lee Maguire <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: http method should support HTTP redirects

Package: apt
Version: 0.3.19
Severity: wishlist

The http apt method doesn't appear to support HTTP redirection codes,
i.e. when recieving 301 (Permanent Redirect) or 302 (Temp) code it
gives back "Err".

I can see this facility to be desirable in several instances, including
 - temp redirects when mirrors are in the process of being updated
   or undergoing maintainance.
 - redirects to software that is stored in .deb format, but not in
   an apt-able archive.

See [RFC2068 10.3]

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: 11 Dec 2000 08:01:44 -0500
From: Itai Zukerman <email address hidden>
To: <email address hidden>
Subject: Re: Bug#79002: http method should support HTTP redirects

Looking at the http method, it seems like it would be pretty easy to
enqueue new (HTTP) URIs for redirects in http.cc. That "solution" is
definitely a hack (it messes up concurrent downloads?), and what we
really need, I think, is a new message we can pass back to apt:

  30x URI Redirection

Then, apt can re-issue a 600 to the appropriate method. Is this being
worked on? I need it for a project I'm doing...

-itai

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 11 Dec 2000 11:38:02 -0700 (MST)
From: Jason Gunthorpe <email address hidden>
To: Itai Zukerman <email address hidden>, <email address hidden>
cc: <email address hidden>,
        APT Development Team <email address hidden>
Subject: Re: Bug#79002: http method should support HTTP redirects

On 11 Dec 2000, Itai Zukerman wrote:

> Looking at the http method, it seems like it would be pretty easy to
> enqueue new (HTTP) URIs for redirects in http.cc. That "solution" is
> definitely a hack (it messes up concurrent downloads?), and what we
> really need, I think, is a new message we can pass back to apt:
>
> 30x URI Redirection
>
> Then, apt can re-issue a 600 to the appropriate method. Is this being
> worked on? I need it for a project I'm doing...

Doing redirects is extremly risky, you may not get the file you requested
after following the redirect, and it tends to hide misconfigured mirrors.
I am not super interested in having it supported by default.

Generajing redirect messages is probably the best way to do it, but that
is somewhat complicated to get right.

Jason

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 25 Jul 2003 08:52:31 -0400
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
Subject: ...

retitle 178854 [methods/http] Should apt's HTTP engine follow 302 redirects?
retitle 79002 [methods/http] http method should support HTTP redirects
merge 178854 79002
thanks

--
 - mdz

João Pinto (joaopinto) wrote :

Hello,
this feature would allow to provide a "smart" apt selector that would redirect users to a known working and synchronized mirror .
Are the any plans to implement this ?

Thank you

Michael Vogt (mvo) wrote :

We have a "mirror" method in apt now that supports this kind of redirection. See https://wiki.ubuntu.com/DynamicMirrorDecisions for some background information.

Hi,
I think the "mirror" method Michael Vogt described above is useful in many situation. In other situations, it would be highly preferable to simply have apt honor 3xx status codes and follow redirects. I can see no reason why this should be either hard or insecure. Speaking of security, as long as the packages are signed, the signatures are valid and the keys used for the signatures can be trusted: What are the implications here?

I would like the maintainers of apt/aptitude to reconsider implementing redirection in apt/aptitude.

Thanks!

Some packagers use the opensuse build server to cross distro build and provide packages for Linux (all distros). The build server simply uses redirects to point to mirrored repos.

As long as main apt won't get http redirects we can also provide a patched apt, but it would be nicer to have that feature 'upstream'.

PS: the original posters blog permalink has changed :) to http://blogs.jhu.edu/paulproteus/2005/coral-cache-and-debian-packages

João Pinto (joaopinto) wrote :

Hello,
we are planning to convert the packages provided on getdeb to a proper repository, one of the adoption blockers is the HTTP redirect support.

Thanks

Christoph Korn (c-korn) wrote :

Has the bug been fixed in jaunty now?

The changelog says so.
http://bazaar.launchpad.net/~ubuntu-core-dev/apt/ubuntu/revision/1688

http://changelogs.ubuntu.com/changelogs/pool/main/a/apt/apt_0.7.20.2ubuntu1/changelog

  * [ABI break] merge support for http redirects, thanks to
     Jeff Licquia and Anthony Towns

João Pinto (joaopinto) wrote :

It's fixed, the bug should be closed.

Jonathan Davies (jpds) wrote :

This has been implemented in Jaunty (may need some testing) - please file any bugs you may encounter.

Changed in apt (Ubuntu):
status: Confirmed → Fix Released
Changed in apt (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.