smart does not gracefully handle invalid Releases/Packages files
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Smart Package Manager | New | Undecided | Unassigned | |
smart (Ubuntu) | Confirmed | Medium | Unassigned | |
Bug Description
The Landscape Client, which uses smart, fails with the following error at times:
error: Channel 'lucid-updates - main restricted universe multiverse' signed with unknown key
This causes the Landscape Client to break package related operations, with messages such as these in package-
2011-09-20 10:32:12,428 WARNING [MainThread] '/usr/lib/
exited with status 1 (error: Channel 'stable - main' signed with unknown key
This issue is not restricted to a particular mirror/
This issue can be worked around using:
$ sudo rm -vrf /var/lib/smart/*
$ sudo /usr/share/
The issue appears to be that smart does not verify if the file it has downloaded is a valid Releases{.gpg} file and caches it regardless. Once this is placed in /var/lib/
APT verifies that a Release/Package file is valid by seeing if it can be RFC822 parsed. It will simply discard and delete that which cannot be parsed. This is the code it uses for this:
$ bzr diff -r 2125..2127 http://
Attached is an example of a corrupted smart directory where:
- var/lib/
Is an HTML redirect page which has been cached.
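The validate-before-cache behaviour described above, as an added example that is not part of the original report and is neither smart's nor APT's code. The field-name pattern, the `EXPECTED` field set, and the function names are assumptions chosen for illustration; it covers the Release file only, not the detached Release.gpg signature.

```python
import os
import re
import tempfile

# Conservative field-name pattern (assumption; the real format permits more characters).
FIELD = re.compile(rb"^[A-Za-z0-9][A-Za-z0-9_-]*:")
# Assumed minimum: a Release file should carry at least one of these fields.
EXPECTED = {b"origin", b"suite", b"codename", b"md5sum", b"sha1", b"sha256"}


def parse_release(data):
    """Return the set of lower-cased field names, or None if not RFC822-style."""
    fields = set()
    for line in data.splitlines():
        if not line.strip():
            continue                      # blank separator line
        if line[:1] in (b" ", b"\t"):
            if not fields:
                return None               # continuation before any field
            continue
        if not FIELD.match(line):
            return None                   # e.g. "<html>..." or "401 Unauthorized"
        fields.add(line.split(b":", 1)[0].lower())
    return fields or None


def is_valid_release(data):
    fields = parse_release(data)
    return fields is not None and bool(fields & EXPECTED)


def cache_release(data, dest):
    """Write data to dest only if it parses; a bad download never replaces a good copy."""
    if not is_valid_release(data):
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, dest)                 # atomic swap into the cache
    return True


# Constructed sample inputs (not taken from the bug attachment).
GOOD = b"Origin: Ubuntu\nSuite: lucid-updates\nSHA256:\n abc123 10 main/binary-i386/Packages\n"
REDIRECT = b'<html><head><meta http-equiv="refresh" content="0; url=http://portal.example/"></head></html>\n'
UNAUTHORIZED = b"401 Unauthorized\n"
```

Rejecting the download before it reaches the cache means the next fetch can replace it, instead of the signature check failing against a stale HTML page until the cache is removed by hand.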
Changed in smart (Ubuntu):
status: New → Confirmed
summary:
- smart does not gracefully handle Releases/Packages files
+ smart does not gracefully handle invalid Releases/Packages files
Changed in smart (Ubuntu):
importance: Undecided → Medium
There is a smart package currently in {lucid, maverick, natty}-proposed that catches HTTP error codes. One such case was a 401 error (unauthorized), which was also being downloaded as a Release file.
You nominated this bug for oneiric, are you sure it happens there as well? I ask because the fix which was backported to lucid, maverick and natty is already present in oneiric.