[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

This fix breaks CloudFront URLs, because the reencoding of URLs results in some HTML entities being replaced by their plain characters. CloudFront signing requires that the the whole URL matches the signature, as compared to S3 URLs which prune the querystring before validating the signature.

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

I still had the mscorefonts problem (errors in sourceforge mirrors) in 19.04. Found this workaround in #1655431. Quoting: Boris Rybalkin (ribalkin) wrote on 2017-11-26:#18 Was able to fix sf mirrors issue by replacing sf mirror with some github copy: sudo sed -i

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Additionally I ran this workaround but when running apt-get upgrade it still tries to upgrade this ttf install and fails the same way workaround: wget http://ftp.de.debian.org/debian/pool/contrib/m/msttcorefonts/ttf- mscorefonts-installer_3.6_all.deb sudo dpkg -i

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

I still have this issue. I upgraded from 16.04.4 LTS yesterday and now have 18.04LTS and still have this issue. I'd rather get it fixed than resulting to cheap tricks. Is anyone going to work on this? -- You received this bug notification because you are a member of Ubuntu Touch seeded

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

I'm still having this issue. Has the fix been pushed out yet? I'm using Xubuntu 16.04 LTS 64-bit. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Yes, please file a new bug. And that really seems more like an unattended-upgrades bug, I can't believe it's a regression in 1.2.19 - the change in 1.2.19 is just that: + Uri.Path = QuoteString(Uri.Path, "+~ "); - just quoting the path component of the Uri before downloading it (in the https

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Martin, I think you should file a new issue for what you described. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https method decodes redirect locations

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Before version 1.2.19, I was able to automatically upgrade package "gitlab-ce" using unattended-upgrades. The update to version 1.2.19 seems to render my configuration useless. >From file `apt/apt.conf.d/50unattended-upgrades`: Unattended-Upgrade::Origins-Pattern {

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Many thanks! Cheers, Nico -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https method decodes redirect locations and sends them to the destination

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

This bug was fixed in the package apt - 1.2.19 --- apt (1.2.19) xenial; urgency=medium * https: Quote path in URL before passing it to curl (LP: #1651923) -- Julian Andres Klode Tue, 17 Jan 2017 15:48:51 +0100 -- You received this bug notification because

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

This bug was fixed in the package apt - 1.3.4 --- apt (1.3.4) yakkety; urgency=medium * https: Quote path in URL before passing it to curl (LP: #1651923) -- Julian Andres Klode Tue, 17 Jan 2017 15:46:33 +0100 ** Changed in: apt (Ubuntu Yakkety)

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

I got those error reports too. It happens when you run wget as root, and use that directory. I changed it to use /var/tmp and the message went away. You could also run wget without the sudo (some of the instructions I saw have done that). On Sun, Jan 22, 2017 at 1:13 PM, luca

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Xenial's package worked for me, although I got these warnings (I guess is an unrelated problem though): /etc/cron.daily/update-notifier-common: Get:1 http://downloads.sourceforge.net/corefonts/andale32.exe [198 kB] Fetched 198 kB in 2s (69,3 kB/s) W: Can't drop privileges for downloading as file

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

I have this problem still. What I found to work was to remove the failed install and install it using the deb. I wrote an article about it on my blog for future reference... https://computerobz.wordpress.com/2016/12/15/ttf-mscorefonts-installer-fails-to-installupgrade/ Basically: 1.) Launch a

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

The Content-Range issue with partial downloads on SF is tracked in bug 1657567 now. That's less urgent though, so we may just want to roll that one out when I do the next "scheduled" bugfix update. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages,

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

OK. We now have comments of success from yakkety and xenial, and I have also checked both, so marking it verified-done. I'll open up a new bug for the partial download issue. ** Tags removed: verification-needed ** Tags added: verification-done -- You received this bug notification because you

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

I have tested the new package on Xenial, following the instructions in https://wiki.ubuntu.com/Testing/EnableProposed APT packages installed before updating: apt 1.2.18 apt-transport-https 1.2.18 apt-utils1.2.18 libapt-inst2.0 1.2.18 libapt-pkg5.0

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Julian: Ah, indeed. If I make sure to use https against the SF, and make sure the file doesn't exist, it works reliably. Sorry for the confusion! So, LGTM from xenial. Thanks a lot for working this out! -- You received this bug notification because you are a member of Ubuntu Touch seeded

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

The first log looks entirely correct. The server is broken, vorboss does not support partial requests, but instead of responding correctly with all the content, it just redirects to another location. That other location is http, so unencrypted which we do not allow for security reasons. Re the

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

And note that the redirect from vorboss is to a site that indicates a failure, not the file. Or in short: Sourceforge sucks, don't use it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Yep, fixed! Great work! Thanks for your time! ``` norru@GBWWSRUNUBWS02:~$ sudo apt install apt-transport-https Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be upgraded: apt-transport-https 1 to upgrade, 0 to newly

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Again: You need to install apt-transport-https, not apt. Nobody cares about your version of the apt package, the fix is in apt-transport- https. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Another test case is downloading "https://people.debian.org/~jak/a b/c" with apt-helper. That fails in 1.2.18 and succeeds in 1.2.19. ** Description changed: [Impact] - Downloads via HTTPS fail if the URL contains a space. This breaks packages like ttf-mscorefonts-installer and various

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

This problem does not occur with that file on xenial, as it first redirects to an https URI without a space which then redirects to an HTTPS uri with a space (http w/o space -> https w/o space -> https w/ space). In xenial, https->https redirects where handled internally by curl. Another test

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Here is the debug output with 1.2.18. ** Attachment added: "debug-output.txt" https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1651923/+attachment/4805952/+files/debug-output.txt -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

@Robin: I just confirmed that apt 1.2.19 fixes the corefonts issue: All fonts downloaded and installed. Setting up ttf-mscorefonts-installer (3.4+nmu1ubuntu2) ... Did you really upgrade apt-transport-https or only apt? But bdmurray is right, the ardour thing works fine in 1.2.18. In xenial

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Could you provide logs with -o debug::acquire::https=1 and debug::acquire::http=1 Maybe thw redirect changed and the test case this started working again? I'll check soon. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

While the new version of the package worked for me, so did apt version 1.2.18 - shouldn't it have failed? bdmurray@clean-xenial-amd64:~$ apt-cache policy apt apt: Installed: 1.2.18 Candidate: 1.2.18 Version table: *** 1.2.18 500 500 http://192.168.10.7/ubuntu xenial-updates/main

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Just checked apt 1.2.9 from proposed on an x86_64 16.04 system . The package ttf-mscorefonts-installer version 3.4+nmu1ubuntu2 fails to download font files, but rather returns a 403 error on the first file download attempt. Directly accessing the failed link through a browser gives the expected

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

@llucax there are two versions (and two calls for testing). 1.2.19 for xenial and 1.3.4 for yakkety. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Should we test that package too in xenial? Or there will be another test package for xenial? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https method

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Hello Nico, or anyone else affected, Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.19 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Thanks for the hard work! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https method decodes redirect locations and sends them to the destination

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Releases uploaded. The fix is exactly the same as in zesty, I just added an additional test case based on the new 1.4~beta4 release (the test case also needed some porting because the framework between 1.4 and 1.3 is a bit different). ** Changed in: apt (Ubuntu Xenial) Status: Triaged =>

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

** Description changed: + [Impact] + Downloads via HTTPS fail if the URL contains a space. This breaks packages like ttf-mscorefonts-installer and various third party hosters. + + [Test case] + Check that /usr/lib/apt/apt-helper download-file

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Fix has been committed upstream with an additional test case: https://anonscm.debian.org/cgit/apt/apt.git/commit/?id=994515e689dcc5f963f5fed58284831750a5da03 I'll sync the new version from Debian unstable once I have uploaded and it is known by Launchpad. I will also upload SRUs tomorrow - the

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

downloads.sourceforge.net is just a redirection service to an auto- selected mirror. Using the full URL (sourceforge.net/projects/corefonts/files/...) also auto-selects a mirror (credited on the right of the web page: "Mirror provided by ..."). -- You received this bug notification because you

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

As far as ttf-mscorefonts-installer is concerned, I looked on the sourceforge website and it's no longer at http://downloads.sourceforge.net/corefonts/andale32.exe . The file has been moved and I velieve is located at : https://sourceforge.net/projects/corefonts/files/the fonts/final/andale32.exe

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Bumping the severity because this is causing problems for a lot of people. There are hundreds of people who have marked this bug (or a duplicate) as affecting them. ** Changed in: apt (Ubuntu Yakkety) Importance: Medium => High ** Changed in: apt (Ubuntu Xenial) Importance: Medium => High

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

** Changed in: apt (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: apt (Ubuntu Yakkety) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

This bug was fixed in the package apt - 1.4~beta3ubuntu1 --- apt (1.4~beta3ubuntu1) zesty; urgency=medium * https: Quote path in URL before passing it to curl (LP: #1651923) -- Julian Andres Klode Wed, 11 Jan 2017 00:13:59 +0100 ** Changed in: apt (Ubuntu)

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

I just uploaded 1.4~rc3ubuntu1 to zesty. It's building now, and should hit zesty-proposed soon, and hopefully migrate without issues to zesty release repository. This is the included workaround for now: commit 12d5863a6ecd358db5645a4c1ca75576ef3c6232 Author: Julian Andres Klode

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apt (Ubuntu Yakkety) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

** No longer affects: apt (Ubuntu Trusty) ** Changed in: apt (Ubuntu Yakkety) Status: Confirmed => Triaged ** Changed in: apt (Ubuntu Xenial) Status: Confirmed => Triaged ** Changed in: apt (Ubuntu) Status: In Progress => Fix Committed -- You received this bug

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apt (Ubuntu Xenial) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apt (Ubuntu Trusty) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

** Also affects: apt (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: apt (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: apt (Ubuntu Xenial) Importance: Undecided Status: New -- You received this bug notification because you

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

** Changed in: apt (Ubuntu) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https method decodes redirect locations

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Bah, I was not clear. Github apparently started adding spaces into their URI. That's what is causing this issue, it's not really a change in apt that is causing it. That said, the redirect handling changed a bit - https redirects used to be handled by curl itself prior to 1.3. ** Changed in: apt

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

No regression. The quick hack we can try for now is parsing the URI we get and then encoding the local part. This is what I'm aiming for this month and it will fix this issue. The correct fix requires restructuring the whole acquire system to not decode URIs in redirect requests and encode given

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

+1 for a backport, even if it's a "dirty hack" -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https method decodes redirect locations and sends them to the

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

A year to fix a regression (bug not apparent in 14.04)? Oh, dear! :( -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1651923 Title: apt https method decodes redirect locations

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

"A correct fix will have to wait until the end of the year" - do you really mean the end of 2017? But even if you can only release a workaround for now, please backport to 16.04 LTS as well, where it broke e.g. the ttf-mscorefonts-installer. -- You received this bug notification because you

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

I believe this will take quite some time to fix. A correct fix will have to wait until the end of the year, but we might be able to hack something in like what I did there - but really only quoting the local part and not the entire URL - which obviously fails. -- You received this bug

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Good news, thanks! Would it be possible to schedule a backported patch to 16.10? The problem is significant in the general case. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

Currently running CI on https://github.com/Debian/apt/compare/master ...julian-klode:bugfix/lp-1653094-https-quote?expand=1 let's see if that simple change works or if it needs more work. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

The problem is: the http methods URL-encodes URLs before sending them, the https one does not. And our redirecting code decodes the locations given, because the http method encodes them. This is of course horribly broken: We should not decode the location and re-encode it in the first place. That

[Touch-packages] [Bug 1651923] Re: apt https method decodes redirect locations and sends them to the destination undecoded.

** Summary changed: - 505 HTTP Version not supported - installing kxstudio packages + apt https method decodes redirect locations and sends them to the destination undecoded. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to