apt won't redownload Release.gpg after inconsistent cache updates made while UCA is being updated
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
APT |
Fix Released
|
Unknown
|
|||
apt (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Fix Released
|
Medium
|
Unassigned | ||
Yakkety |
Fix Released
|
Medium
|
Unassigned |
Bug Description
# apt --version
apt 1.2.18 (amd64)
xenial
I got myself into a situation where a repository has a Release and a Release.gpg file, but apt is just ignoring the gpg one and won't download it via apt update for some reason:
The repository in question is http://
root@juju-
-rw-r--r-- 1 root root 100K Jan 15 18:03 archive.
-rw-r--r-- 1 root root 242K Apr 21 2016 archive.
-rw-r--r-- 1 root root 100K Jan 18 11:42 archive.
-rw-r--r-- 1 root root 100K Jan 18 11:42 security.
-rw-r--r-- 1 root root 7.7K Jan 18 11:45 ubuntu-
Now I try an update. See how the Release.gpg file gets a "Hit:" instead of a "Get:":
root@juju-
Get:1 http://
Hit:2 http://
Ign:3 http://
Get:4 http://
Hit:5 http://
Get:6 http://
Hit:7 http://
Fetched 205 kB in 0s (395 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
8 packages can be upgraded. Run 'apt list --upgradable' to see them.
And I can't install packages:
root@juju-
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
python3-
The following packages will be upgraded:
dh-python dnsmasq-base python-
8 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,193 kB of archives.
After this operation, 808 kB of additional disk space will be used.
Do you want to continue? [Y/n]
WARNING: The following packages cannot be authenticated!
dh-python dnsmasq-base python-setuptools python-
Install these packages without verification? [y/N] n
E: Some packages could not be authenticated
root@juju-
Somehow apt is thinking it has the Release.gpg file, but it doesn't?
This server is behind a squid proxy.
[Impact]
An apt update of an apt repository that does not use InRelease during the time it is being updated can cause the gpg file to not be downloaded and updated. This makes the packages from the repository be unable to be authenticated.
The Ubuntu Cloud Archive is one of the archives that meets this criteria.
The impact to downstream automation deployment code is that if they are adding the UCA repo to a system and calling apt update during the time the UCA is being updated by Canonical, the repo can get into a state where the Release.gpg file is not there and all package installs will fail due to "unauthenticated packages" error.
[Test Case]
A detailed python script was attached.
To reproduce this outside that script you would want to:
1. Add the UCA repo
2. Do the following in a loop starting at 43 minutes after the hour and run it until 55 minutes after the hour:
2.1 Remove these files to simulate the UCA repo being added the first time.
/var/lib/
/var/lib/
/var/lib/
2.2 apt-get update
3. Check the state of the 3 files you deleted. If you have the _Release file but not the _Release.gpg you have recreated the issue.
4. If you have not recreated the issue, continue GOTO 2 and continue to loop.
[Regression Potential]
Unknown
summary: |
- apt won't redownload Release.gpg + apt won't redownload Release.gpg after inconsistent cache updates made + while UCA is being updated |
Changed in apt: | |
status: | Unknown → Fix Released |
Changed in apt (Ubuntu): | |
importance: | Undecided → Medium |
Changed in apt (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in apt (Ubuntu Yakkety): | |
importance: | Undecided → Medium |
tags: | added: xenial yakkety |
Changed in apt (Ubuntu Xenial): | |
status: | Triaged → In Progress |
Changed in apt (Ubuntu Yakkety): | |
status: | Triaged → In Progress |
tags: | removed: verification-needed |
The proxy shows no attempts to download Release.gpg, just InRelease:
18/Jan/ 2017:12: 29:02 +0000 69 y.y.y.y TCP_MISS/404 631 GET http:// ubuntu- cloud.archive. canonical. com/ubuntu/ dists/xenial- updates/ newton/ InRelease - FIRSTUP_ PARENT/ x.x.x.x text/html 2017:12: 29:02 +0000 67 y.y.y.y TCP_REFRESH_ UNMODIFIED/ 304 335 GET http:// ubuntu- cloud.archive. canonical. com/ubuntu/ dists/xenial- updates/ newton/ Release - FIRSTUP_ PARENT/ x.x.x.x - 2017:12: 29:02 +0000 133 y.y.y.y TCP_REFRESH_ UNMODIFIED/ 304 420 GET http:// archive. ubuntu. com/ubuntu/ dists/xenial/ InRelease - FIRSTUP_ PARENT/ x.x.x.x - 2017:12: 29:02 +0000 134 y.y.y.y TCP_REFRESH_ UNMODIFIED/ 304 438 GET http:// security. ubuntu. com/ubuntu/ dists/xenial- security/ InRelease - FIRSTUP_ PARENT/ x.x.x.x - 2017:12: 29:02 +0000 67 y.y.y.y TCP_REFRESH_ UNMODIFIED/ 304 423 GET http:// archive. ubuntu. com/ubuntu/ dists/xenial- updates/ InRelease - FIRSTUP_ PARENT/ x.x.x.x - 2017:12: 29:02 +0000 66 y.y.y.y TCP_REFRESH_ UNMODIFIED/ 304 420 GET http:// archive. ubuntu. com/ubuntu/ dists/xenial- backports/ InRelease - FIRSTUP_ PARENT/ x.x.x.x -
18/Jan/
18/Jan/
18/Jan/
18/Jan/
18/Jan/