apt signature requirements prevent updates from some repositories
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apt (Ubuntu) | Fix Released | High | Julian Andres Klode | |
| apt (Ubuntu Xenial) | Won't Fix | High | Unassigned | |
Bug Description
Since xenial updated the requirements for the strength of PGP signatures of packages, packages from some repositories are no longer updated. Apt-get update reports these errors:
E: Failed to fetch http://[...]/Release No Hash entry in Release file /var/lib/
E: Some index files failed to download. They have been ignored, or old ones used instead.
While the motivation for the change is valid, the result is a potential security problem, as the new versions of the packages that may fix recently discovered vulnerabilities are not automatically installed.
One less important but unfortunate effect is a scary message that is displayed to the user, without clear explanation that the problem needs to be addressed by the repository owner.
Related: Bug #1558331
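The "No Hash entry in Release file" error arises when the index file apt wants (e.g. `main/binary-amd64/Packages`) is listed in the repository's Release file only under digest sections apt no longer trusts. The following Python script is an added example, not code from the bug report or from apt itself: it parses a Release file, reports whether an index is listed under a strong digest, only under weak ones, or not at all, and verifies downloaded index bytes against the strongest digest available without ever falling back to a weak one. The split of MD5Sum/SHA1 as weak versus SHA256/SHA512 as strong is an assumption modelled on the behaviour described above, and the two Release files and the index content are constructed sample data.

```python
import hashlib

# Hash sections a Release file may carry.  Treating MD5Sum/SHA1 as weak and
# SHA256/SHA512 as strong is an assumption modelled on the behaviour this
# bug describes; it is not apt's own policy table.
STRONG_HASHES = ("SHA512", "SHA256")          # strongest first
WEAK_HASHES = ("SHA1", "MD5Sum")
HASHLIB_NAMES = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_release(text):
    """Parse a Release file into (fields, hashes).

    fields: top-level 'Key: value' pairs (Suite, Codename, ...).
    hashes: {algo: {path: (hexdigest, size)}} built from the MD5Sum:/SHA1:/
            SHA256:/SHA512: sections, whose indented lines read
            '<hexdigest> <size> <path>'.
    """
    fields, hashes = {}, {}
    section = None      # hash section we are inside, if any
    last_key = None     # last top-level field, for multi-line values
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if section is not None:
                parts = raw.split()
                if len(parts) != 3:
                    raise ValueError("malformed hash line: %r" % raw)
                digest, size, path = parts
                hashes[section][path] = (digest.lower(), int(size))
            elif last_key is not None:
                fields[last_key] += "\n" + raw.strip()
            else:
                raise ValueError("continuation line with nothing to continue: %r" % raw)
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        if key in HASHLIB_NAMES:
            section = key
            hashes.setdefault(key, {})
        else:
            section = None
            last_key = key
            fields[key] = value.strip()
    return fields, hashes


def index_status(hashes, path):
    """'ok' if the index is listed under a strong digest, 'weak-only' if it is
    listed only under MD5Sum/SHA1 (the situation behind the 'No Hash entry'
    error), 'missing' if it is not listed at all."""
    listed = {algo for algo, entries in hashes.items() if path in entries}
    if listed.intersection(STRONG_HASHES):
        return "ok"
    if listed.intersection(WEAK_HASHES):
        return "weak-only"
    return "missing"


def verify_index(hashes, path, data):
    """Check downloaded index bytes against the strongest digest listed for
    them; a weak-only listing is refused rather than used as a fallback."""
    status = index_status(hashes, path)
    if status != "ok":
        return status
    for algo in STRONG_HASHES:
        if path in hashes.get(algo, {}):
            expected, size = hashes[algo][path]
            actual = hashlib.new(HASHLIB_NAMES[algo], data).hexdigest()
            if size != len(data) or actual != expected:
                return "hash-mismatch"
            return "verified"
    return "missing"   # unreachable after index_status() == "ok"; kept for safety


# --- constructed sample data (not from any real repository) ------------------
INDEX_PATH = "main/binary-amd64/Packages"
INDEX_DATA = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"


def make_release(algos):
    """Build a constructed Release file listing INDEX_DATA under the given
    hash sections, so the digests are consistent with the sample index."""
    lines = ["Origin: example", "Suite: stable", "Codename: xenial",
             "Architectures: amd64", "Components: main"]
    for algo in algos:
        digest = hashlib.new(HASHLIB_NAMES[algo], INDEX_DATA).hexdigest()
        lines.append(algo + ":")
        lines.append(" %s %d %s" % (digest, len(INDEX_DATA), INDEX_PATH))
    return "\n".join(lines) + "\n"


WEAK_RELEASE = make_release(["MD5Sum", "SHA1"])               # what the failing repos ship
STRONG_RELEASE = make_release(["MD5Sum", "SHA1", "SHA256"])   # what the owner should ship

if __name__ == "__main__":
    for name, text in (("weak-only repo", WEAK_RELEASE), ("fixed repo", STRONG_RELEASE)):
        _, hashes = parse_release(text)
        print(name, index_status(hashes, INDEX_PATH),
              verify_index(hashes, INDEX_PATH, INDEX_DATA))
```

To check a real repository, feed `parse_release` the Release file apt already fetched (the `*_Release` file under `/var/lib/apt/lists/`) and call `index_status` with the index path from the error message; a `weak-only` result means the repository owner has to regenerate the Release file with SHA256 entries, and nothing on the client side will make the index verifiable.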
Changed in apt (Ubuntu):
  importance: Undecided → High
Changed in appstream (Ubuntu):
  importance: Undecided → High
  assignee: nobody → Julian Andres Klode (juliank)
  status: Confirmed → In Progress
  status: In Progress → Triaged
  assignee: Julian Andres Klode (juliank) → nobody
  tags: removed: patch
no longer affects: appstream (Ubuntu)
no longer affects: appstream (Ubuntu Xenial)
Changed in apt (Ubuntu Xenial):
  importance: Undecided → High
  tags: added: rls-x-notfixing removed: rls-x-incoming
summary:
  - apt signature requierements prevent updates from some repositories
  + apt signature requirements prevent updates from some repositories
Changed in apt (Ubuntu):
  status: In Progress → Fix Released
This is fixed in my bugfix/sha1-deprecated branch:
https://github.com/julian-klode/apt/compare/master...bugfix/sha1-deprecated
I spent half my night working on it. David also has a more involved branch fixing this as well and further generalizing stuff, but I think we should go with a less intrusive solution for now.
I know that it's somewhat unclear that the repository owner is responsible, but I don't really feel like adding another message for that, as I want to get the messages translated now, and I'm not sure it's possible in a sensible way. It also helps people think about what repositories they use and remove unneeded ones, like Google's talkplugin if they use Chrome.