Bug 45950 - python-apt does not trust cdrom
python-apt does not trust cdrom
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UCS Installer - DVD
UCS 4.3
Other Linux
: P5 normal (vote)
: UCS 4.3-0-errata
Assigned To: Richard Ulmer
Philipp Hahn
:
: 46758 (view as bug list)
Depends on: 45896
Blocks:
  Show dependency treegraph
 
Reported: 2017-12-22 15:18 CET by Philipp Hahn
Modified: 2018-05-10 08:15 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2017-12-22 15:18:01 CET
+++ This bug was initially created as a clone of Bug #45896 comment 3 +++
There is a bug is in python-apt, where updating the APT cache using only a CD-ROM returns a fatal error, even when the CDROM should be trusted:

$ python
>>> from apt import Cache
>>> cache = Cache()
>>> cache.update()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/apt/cache.py", line 464, in update
    raise FetchFailedException(e)
apt.cache.FetchFailedException: E:The repository 'cdrom://[UCS Linux 4.3 GNU/Linux 4.3-0 _Ucs430_ -
Official amd64 DVD Binary-1 20171219-16:32] ucs430 Release' does not have a Release file.
>>> from apt import apt_pkg
>>> print(apt_pkg.config.get('APT::Authentication::TrustCDROM'))
'true'

I have started debugging this, but so far failed to find the cause.
Comment 1 Philipp Hahn univentionstaff 2017-12-22 16:21:45 CET
#0  AllowInsecureRepositories (msg=msg@entry=InsecureType::NORELEASE, repo="cdrom://[UCS Linux 4.3 GNU/Linux 4.3-0 _Ucs430_ - Official amd64 DVD Binary-1 20171220-08:40] ucs430 Release", MetaIndexParser=0x555555d63e10, 
    TransactionManager=0x555555db1f60, I=I@entry=0x555555db1130) at ./apt-pkg/acquire-item.cc:222
#1  0x00007ffff6910527 in pkgAcqMetaIndex::Failed (this=0x555555db1130, Message=..., Cnf=<optimized out>) at ./apt-pkg/acquire-item.cc:1814
#2  0x00007ffff6923b7a in pkgAcquire::Worker::RunMessages (this=this@entry=0x555555db2790) at ./apt-pkg/acquire-worker.cc:530
#3  0x00007ffff692660c in pkgAcquire::Worker::InFdReady (this=this@entry=0x555555db2790) at ./apt-pkg/acquire-worker.cc:737
#4  0x00007ffff69282ea in pkgAcquire::RunFdsSane (this=this@entry=0x7fffffffd4b0, RSet=RSet@entry=0x7fffffffd1d0, WSet=WSet@entry=0x7fffffffd250) at ./apt-pkg/acquire.cc:532
#5  0x00007ffff692ceaa in pkgAcquire::Run (this=this@entry=0x7fffffffd4b0, PulseIntervall=<optimized out>) at ./apt-pkg/acquire.cc:704
#6  0x00007ffff6a18797 in AcquireUpdate (Fetcher=..., PulseInterval=PulseInterval@entry=0, RunUpdateScripts=RunUpdateScripts@entry=true, ListCleanup=ListCleanup@entry=true) at ./apt-pkg/update.cc:57

# apt-cache policy apt python-apt
apt:
  Installed: 1.4.8A~4.3.0.201711271936
  Candidate: 1.4.8A~4.3.0.201711271936
  Version table:
 *** 1.4.8A~4.3.0.201711271936 500
        500 cdrom://[UCS Linux 4.3 GNU/Linux 4.3-0 _Ucs430_ - Official amd64 DVD Binary-1 20171220-08:40] ucs430/main amd64 Packages
        100 /var/lib/dpkg/status
python-apt:
  Installed: 1.4.0~beta3
  Candidate: 1.4.0~beta3
  Version table:
 *** 1.4.0~beta3 500
        500 cdrom://[UCS Linux 4.3 GNU/Linux 4.3-0 _Ucs430_ - Official amd64 DVD Binary-1 20171220-08:40] ucs430/main amd64 Packages
        100 /var/lib/dpkg/status
Comment 2 Jürn Brodersen univentionstaff 2018-02-15 13:51:12 CET
r17892
debian-installer/4.3-0-0-ucs/20170615+deb9u2/0010-local-univention-sources.patch
is also a workaround for that.

Note: I think due to this workaround, setting the repository for 4.3 dvd builds has currently no effect.
Comment 3 Richard Ulmer univentionstaff 2018-03-23 14:04:09 CET
Due to recent changes in apt-secure the template for the UCRV update/secure_apt has become outdated. Thus the old way, of allowing for insecure repositories, failed here.

"man apt-secure" in Debian Stretch [1] suggests using different configuration options. I have committed an updated version of the UCRV-template.

univention-base-files.yaml
099878ddfc16 | Bug #45950: Add yaml entry

univention-base-files (7.0.0-10)
05f5806dc959 | Bug #45950: Update broken template for UCRV update/secure_apt

[1] https://manpages.debian.org/stretch/apt/apt-secure.8.en.html
Comment 4 Philipp Hahn univentionstaff 2018-03-23 18:13:15 CET
OK: 05f5806dc9
OK: 099878ddfc
OK: errata-announce -V --only univention-base-files.yaml
OK:
 ucr set repository/online=no repository/mirror=no
 apt-cdrom add
 echo 'Acquire::AllowInsecureRepositories "true";' >>/etc/apt/apt.conf.d/00trustcdrom
 python -c 'from apt import Cache;cache = Cache();cache.update()'
 apt -qq update
 apt-get -qq update
Comment 5 Dirk Wiesenthal univentionstaff 2018-04-04 14:13:41 CEST
This breaks installing Apps from the Test App Center.

Please include

APT::Get::AllowUnauthenticated "true";
Comment 6 Dirk Wiesenthal univentionstaff 2018-04-04 14:19:35 CEST
*** Bug 46758 has been marked as a duplicate of this bug. ***
Comment 7 Richard Ulmer univentionstaff 2018-04-09 13:03:43 CEST
I have added APT::Get::AllowUnauthenticated to the configuration, again.
 
univention-base-files.yaml
051d1a58d9 | Bug #45950: Update yaml entry

univention-base-files (7.0.0-12)
8b4541960e | Bug #45950: Update broken template for UCRV update/secure_apt
Comment 8 Philipp Hahn univentionstaff 2018-05-02 13:07:38 CEST
OK: 8b4541960e
OK: 051d1a58d9
OK: errata-announce -V --only univention-base-files.yaml

WIP: ucs-test
Comment 9 Arvid Requate univentionstaff 2018-05-02 13:31:19 CEST
<http://errata.software-univention.de/ucs/4.3/23.html>
Comment 10 Philipp Hahn univentionstaff 2018-05-02 14:43:34 CEST
(In reply to Philipp Hahn from comment #8)
> WIP: ucs-test

[4.3-0] c49e14f023 Bug #45950 QA: Test secure apt-cdrom
[4.3-0] 76f439bc6b Bug #45950 QA: Test secure APT