Bug#879786: apt-secure man page needs to provide useful pointers for Release file info changes

2019-07-07 Thread Jan Braun
Package: apt
Version: 1.8.2
Followup-For: Bug #879786

Dear Maintainer,

I've had to spend far too much time to figure this out due to the release
yesterday. I'm running apt-get, and apt-get tells me nothing except

| E: The repository 'http://security.debian.org testing/updates Release' no longer has a Release file.
| N: Updating from such a repository can't be done securely, and is therefore disabled by default.
| N: See apt-secure(8) manpage for repository creation and user configuration details.
| E: Repository 'http://deb.debian.org/debian testing InRelease' changed its 'Codename' value from 'buster' to 'bullseye'
| N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
| E: Repository 'http://deb.debian.org/debian-debug testing-debug InRelease' changed its 'Codename' value from 'buster-debug' to 'bullseye-debug'
| N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

, and then apt-secure(8) yabbers on about how to create secure
repositories and whatever, but doesn't give a hint about how I would
explicitly accept the change.

This really sucks.

Searching for the error string then turns up various "solutions" on the
web that recommend deleting files from /var/lib/apt , or marking
repositories as [Trusted=yes] or [Allow-Insecure=yes] in sources.list ,
so this is obviously a real problem that causes users to compromise the
security of their machines.

I think the message displayed should directly mention both
"--allow-releaseinfo-change" and running "apt update" interactively.
(apt-get knows it's not apt!)
At the very least it needs to be prominently explained in apt-secure(8).

Thanks for maintaining apt-get,
Jan


-- Package-specific info:

-- apt-config dump --

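
The sources.list workarounds named in the message above switch off repository authentication instead of accepting the metadata change. As an added example (not part of the thread or of apt), this Python audit flags such options in one-line and deb822 source entries; the sample entries are constructed, and `allow-weak` and `allow-downgrade-to-insecure` are further sources.list(5) options that the message does not mention.

```python
import re

# Options that disable or weaken apt's repository authentication.
# "trusted" and "allow-insecure" are the two named in the message above;
# the other two are additional sources.list(5) options (added here).
WEAKENING = {"trusted", "allow-insecure", "allow-weak",
             "allow-downgrade-to-insecure"}
# Spellings treated as "enabled" by this audit (assumption: conservative set).
TRUTHY = {"yes", "true", "1", "on", "enable", "with"}

# One-line style: deb [opt=value ...] uri suite component...
ONE_LINE = re.compile(r"^(?:deb|deb-src)\s+\[(?P<opts>[^\]]*)\]\s+\S+")
# deb822 style (.sources files): "Field: value"
DEB822_FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9-]*):\s*(?P<val>.*)$")


def audit(text):
    """Return (line number, option, entry) for each weakening option set."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = ONE_LINE.match(line)
        if m:
            pairs = [o.split("=", 1) for o in m["opts"].split() if "=" in o]
        else:
            f = DEB822_FIELD.match(line)
            pairs = [[f["key"], f["val"]]] if f else []
        for key, val in pairs:
            # Compare case-insensitively so "Trusted=yes" is caught too.
            if key.lower() in WEAKENING and val.strip().lower() in TRUTHY:
                findings.append((lineno, key.lower(), line))
    return findings


# Constructed sample input, using repository URLs that appear in the thread.
ONE_LINE_SAMPLE = """\
deb http://deb.debian.org/debian testing main
deb [trusted=yes] http://security.debian.org testing/updates main
# deb [allow-insecure=yes] http://deb.debian.org/debian-debug testing-debug main
deb [arch=amd64 Allow-Insecure=yes] http://dl.google.com/linux/chrome/deb stable main
"""

DEB822_SAMPLE = """\
Types: deb
URIs: http://deb.debian.org/debian
Suites: testing
Components: main
Trusted: yes
"""

if __name__ == "__main__":
    for name, text in (("sources.list", ONE_LINE_SAMPLE),
                       ("debian.sources", DEB822_SAMPLE)):
        for lineno, option, entry in audit(text):
            print(f"{name}:{lineno}: {option} enabled: {entry}")
```
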


2018-11-07 Thread Jesse Hathaway
> IMO, the right answer would be to run "apt update" and confirm the
> change when asked.

I find it strange to recommend another tool, when there is a flag to
confirm the change with apt-get. If the intent is to deprecate using
apt-get interactively entirely, then that should be done at a more
holistic level, such as a warning on every invocation, rather than
when a specific error appears.




2018-11-07 Thread Julian Andres Klode
On Wed, Nov 07, 2018 at 12:21:01PM -0600, Jesse Hathaway wrote:
> On Wed, Nov 7, 2018 at 12:12 PM Julian Andres Klode wrote:
> >
> > On Wed, Nov 07, 2018 at 10:50:05AM -0600, Jesse Hathaway wrote:
> > > Just ran into this issue with chrome package from Google:
> > >
> > > E: Repository 'http://dl.google.com/linux/chrome/deb stable
> > > Release' changed its 'Origin' value from 'Google, Inc.' to 'Google
> > > LLC'
> > > N: This must be accepted explicitly before updates for this
> > > repository can be applied. See apt-secure(8) manpage for details.
> > >
> > > Rather than adding information to apt-secure's man page, I think it
> > > would be more helpful to output the command the user needs to accept
> > > the change:
> > >
> > > E: Repository 'http://dl.google.com/linux/chrome/deb stable
> > > Release' changed its 'Origin' value from 'Google, Inc.' to 'Google
> > > LLC'
> > > N: If you would like to accept this change, please rerun apt-get
> > > update with the `--allow-releaseinfo-change` flag
> >
> > If you run it interactive, you get asked directly, and don't need
> > the flag. Just recommending the flag is probably not a good idea,
> > as it makes people add them to update scripts without thinking.
> 
> What do you mean by running interactively? I ran `apt-get update` in
> my terminal and I was not prompted, it just showed those error
> messages. 

Oh, you might have to use apt instead of apt-get.

> I also don't see why showing the flag is not helpful, that
> was the only way I was able to confirm the change?

IMO, the right answer would be to run "apt update" and confirm the
change when asked.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en




2018-11-07 Thread Jesse Hathaway
On Wed, Nov 7, 2018 at 12:12 PM Julian Andres Klode wrote:
>
> On Wed, Nov 07, 2018 at 10:50:05AM -0600, Jesse Hathaway wrote:
> > Just ran into this issue with chrome package from Google:
> >
> > E: Repository 'http://dl.google.com/linux/chrome/deb stable
> > Release' changed its 'Origin' value from 'Google, Inc.' to 'Google
> > LLC'
> > N: This must be accepted explicitly before updates for this
> > repository can be applied. See apt-secure(8) manpage for details.
> >
> > Rather than adding information to apt-secure's man page, I think it
> > would be more helpful to output the command the user needs to accept
> > the change:
> >
> > E: Repository 'http://dl.google.com/linux/chrome/deb stable
> > Release' changed its 'Origin' value from 'Google, Inc.' to 'Google
> > LLC'
> > N: If you would like to accept this change, please rerun apt-get
> > update with the `--allow-releaseinfo-change` flag
>
> If you run it interactive, you get asked directly, and don't need
> the flag. Just recommending the flag is probably not a good idea,
> as it makes people add them to update scripts without thinking.

What do you mean by running interactively? I ran `apt-get update` in
my terminal and I was not prompted, it just showed those error
messages. I also don't see why showing the flag is not helpful, that
was the only way I was able to confirm the change?




2018-11-07 Thread Julian Andres Klode
On Wed, Nov 07, 2018 at 10:50:05AM -0600, Jesse Hathaway wrote:
> Just ran into this issue with chrome package from Google:
> 
> E: Repository 'http://dl.google.com/linux/chrome/deb stable
> Release' changed its 'Origin' value from 'Google, Inc.' to 'Google
> LLC'
> N: This must be accepted explicitly before updates for this
> repository can be applied. See apt-secure(8) manpage for details.
> 
> Rather than adding information to apt-secure's man page, I think it
> would be more helpful to output the command the user needs to accept
> the change:
> 
> E: Repository 'http://dl.google.com/linux/chrome/deb stable
> Release' changed its 'Origin' value from 'Google, Inc.' to 'Google
> LLC'
> N: If you would like to accept this change, please rerun apt-get
> update with the `--allow-releaseinfo-change` flag

If you run it interactive, you get asked directly, and don't need
the flag. Just recommending the flag is probably not a good idea,
as it makes people add them to update scripts without thinking.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en
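
One way to address the concern about update scripts carrying the blanket flag, as an added example that is not part of the thread or of apt: parse the change messages quoted in this thread and emit only the field-specific `--allow-releaseinfo-change-<field>` options for changes an administrator has approved in advance. The `APPROVED` set and the function names are hypothetical; the sample lines are the thread's quoted messages re-joined onto single lines.

```python
import re
from typing import NamedTuple


class Change(NamedTuple):
    severity: str  # "E" blocks the update, "N" is only a notice
    repo: str
    field: str
    old: str
    new: str


# Message shape as quoted in the thread (values containing "'" are not handled).
CHANGE_RE = re.compile(
    r"^(?P<sev>[EN]): Repository '(?P<repo>[^']+)' changed its "
    r"'(?P<field>[^']+)' value from '(?P<old>[^']*)' to '(?P<new>[^']*)'\s*$"
)

# Field-specific variants of --allow-releaseinfo-change (see apt-get(8)).
FIELD_FLAGS = {f: f"--allow-releaseinfo-change-{f}"
               for f in ("origin", "label", "codename", "suite", "version")}


def parse_changes(output):
    """Extract every Release-info change reported in apt-get update output."""
    changes = []
    for line in output.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            changes.append(Change(m["sev"], m["repo"], m["field"],
                                  m["old"], m["new"]))
    return changes


def review(changes, approved):
    """Return (flags for approved changes, blocking changes still unreviewed)."""
    flags, rejected = set(), []
    for c in changes:
        if c.severity != "E":  # notices do not block the update
            continue
        flag = FIELD_FLAGS.get(c.field.lower())
        if flag and (c.repo, c.field, c.old, c.new) in approved:
            # Caveat: a command-line flag applies to every repository in the run.
            flags.add(flag)
        else:
            rejected.append(c)
    return sorted(flags), rejected


SAMPLE = """\
N: Repository 'http://archive.ubuntu.com/ubuntu devel InRelease' changed its 'Version' value from '17.10' to '18.04'
E: Repository 'http://archive.ubuntu.com/ubuntu devel InRelease' changed its 'Suite' value from 'artful' to 'bionic'
E: Repository 'http://deb.debian.org/debian testing InRelease' changed its 'Codename' value from 'buster' to 'bullseye'
E: Repository 'http://dl.google.com/linux/chrome/deb stable Release' changed its 'Origin' value from 'Google, Inc.' to 'Google LLC'
"""

# Hypothetical allow-list: exact (repo, field, old, new) tuples signed off by an admin.
APPROVED = {
    ("http://deb.debian.org/debian testing InRelease", "Codename", "buster", "bullseye"),
    ("http://dl.google.com/linux/chrome/deb stable Release", "Origin", "Google, Inc.", "Google LLC"),
}

if __name__ == "__main__":
    flags, rejected = review(parse_changes(SAMPLE), APPROVED)
    print("apt-get update", *flags)
    for c in rejected:
        print("needs review:", c.repo, c.field, repr(c.old), "->", repr(c.new))
```
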




2018-11-07 Thread Jesse Hathaway
Just ran into this issue with chrome package from Google:

E: Repository 'http://dl.google.com/linux/chrome/deb stable
Release' changed its 'Origin' value from 'Google, Inc.' to 'Google
LLC'
N: This must be accepted explicitly before updates for this
repository can be applied. See apt-secure(8) manpage for details.

Rather than adding information to apt-secure's man page, I think it
would be more helpful to output the command the user needs to accept
the change:

E: Repository 'http://dl.google.com/linux/chrome/deb stable
Release' changed its 'Origin' value from 'Google, Inc.' to 'Google
LLC'
N: If you would like to accept this change, please rerun apt-get
update with the `--allow-releaseinfo-change` flag




2018-07-24 Thread Yuri D'Elia

Package: apt
Version: 1.6.3
Followup-For: Bug #879786

I second that apt-secure should mention the use of "apt" and, in detail,
"apt-get --allow-releaseinfo-change" as well (pointing to apt-get for
more details on the various finer-grained flags) since the manpage of
apt(1) doesn't include any relevant information on metadata changes.

I don't ever use "apt", I mostly use "aptitude" or directly "apt-get"
when needed. aptitude doesn't have support for prompting for releaseinfo
changes, and apt-get does neither. The error message is somewhat
puzzling, since apt-secure(8) contains mostly redundant information for
those who know already something about the signing infrastructure and
just want to acknowledge the change.

Thanks.




2017-10-25 Thread Julian Andres Klode
On Wed, Oct 25, 2017 at 04:05:24PM -0400, js wrote:
> Package: apt
> Version: 1.5
> Severity: minor
> 
> Dear Maintainer,
> 
> ==
> I use only 2 packages from ubuntu (which are not available in debian): 
> chromium-codecs-ffmpeg-extra, oxideqt-codecs-extra.

The first one does not make much sense, Debian's chromium should already 
contain all codecs.


> For this I have the ubuntu repository in sources.list along with an
> apt_preferences file to allow only those 2 packages (with priority
> 476 < 500 for all debian).
> 
> This recently gave these errors during apt-get update:
>   W: Conflicting distribution: http://archive.ubuntu.com/ubuntu devel InRelease (expected devel but got bionic)
>   N: Repository 'http://archive.ubuntu.com/ubuntu devel InRelease' changed its 'Version' value from '17.10' to '18.04'
>   E: Repository 'http://archive.ubuntu.com/ubuntu devel InRelease' changed its 'Suite' value from 'artful' to 'bionic'
>   E: Repository 'http://archive.ubuntu.com/ubuntu devel InRelease' changed its 'Codename' value from 'artful' to 'bionic'
>   N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
> 
> The apt-secure man page is of no help in resolving this (see bottom).

That's somewhat true. You likely want to use apt instead of apt-get, that would
ask the question interactively. apt-get is mostly for scripting.

BTW, your pinning and sources.list is extreme. That's not really a sensible
thing to do and can cause a lot of trouble. Also, well, it took me a minute to
clean them out for the reply - it can only delete one line at a time :/

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
Ubuntu Core Developer




2017-10-25 Thread js jb
Thanks,

"BTW, your pinning and sources.list is extreme. That's not really a sensible
thing to do and can cause a lot of trouble."

If you can be more explicit, I'd very much appreciate the feedback.
As it is, the pinning I use is to prevent unintentional changes to nvidia
drivers, linux kernel, and to block all ubuntu packages other than the 2 codecs
not available in debian. Plus block versions of some packages, like vivaldi
browser, that no longer work well with the latest codecs.
If there's a better way to achieve these goals, I'd very much like to learn
about it.

thanks,
--jack



2017-10-25 Thread js
Package: apt
Version: 1.5
Severity: minor

Dear Maintainer,

==
I use only 2 packages from ubuntu (which are not available in debian):
chromium-codecs-ffmpeg-extra, oxideqt-codecs-extra.
For this I have the ubuntu repository in sources.list along with an
apt_preferences file to allow only those 2 packages (with priority
476 < 500 for all debian).

This recently gave these errors during apt-get update:
  W: Conflicting distribution: http://archive.ubuntu.com/ubuntu devel InRelease (expected devel but got bionic)
  N: Repository 'http://archive.ubuntu.com/ubuntu devel InRelease' changed its 'Version' value from '17.10' to '18.04'
  E: Repository 'http://archive.ubuntu.com/ubuntu devel InRelease' changed its 'Suite' value from 'artful' to 'bionic'
  E: Repository 'http://archive.ubuntu.com/ubuntu devel InRelease' changed its 'Codename' value from 'artful' to 'bionic'
  N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

The apt-secure man page is of no help in resolving this (see bottom).

The apt-secure man page should be expanded to mention the apt options needed
for what it alludes to: "the user must therefore explicitly confirm changes
to signal...": apt-get update --allow-releaseinfo-change  (and related apt.conf)


I was able to get around the lack of detail in the man page through a
search that yielded only one page with the needed info:
https://fossies.org/linux/misc/apt-1.5.tar.gz/apt-1.5/test/integration/test-apt-update-releaseinfo-changes
 


INFORMATION CHANGES
   A Release file contains beside the checksums for the files in the
   repository also general information about the repository like the origin,
   codename or version number of the release.

   This information is shown in various places so a repository owner should
   always ensure correctness. Further more user configuration like
   apt_preferences(5) can depend and make use of this information. Since
   version 1.5 the user must therefore explicitly confirm changes to signal that
   the user is sufficiently prepared e.g. for the new major release of the
   distribution shipped in the repository (as e.g. indicated by the codename).

USER ...

==


-- Package-specific info:

-- apt-config dump --
