mirroring depends on non-required MD5sum field of the Binary Package Index #228
Comments
Yes, aptly requires MD5sum. Do you have an example?
Random bintray link: http://dl.bintray.com:80/sbt/debian/Packages
As aptly requires MD5sum, most probably it would have to calculate it on its own.
Why not just use the SHA instead of the MD5 as an option?
If different package indexes had an MD5Sum for the same package, we would have a split brain: two entries for the same package.
This bug has broken the ability for me to use google-cloud-sdk (example Packages file with missing MD5sum field). Given that MD5sum is no longer required by the repository format spec (in fact, it's discouraged), I believe the responsibility should fall on aptly to conform to the spec. Specifically, instead of requiring MD5, require SHA256. Here's what the spec reads:
If I'm reading this correctly, in this context aptly would be considered a 'client' and thus should not use MD5sum or SHA1. It also means that even if there are repositories that only provide the md5sum field for some reason (old, etc.), Apt clients ought not to use them anyway.
Hello, same problem :-(
I'm also encountering this issue with repos hosted on Artifactory. Artifactory does not use the deprecated MD5 sums.
From my short look at the sources, it seems that Aptly is storing the package files in a global pool by their MD5 hash (source code). There is nothing particularly wrong with doing this; however, it seems like this hash is not computed locally but, instead, the MD5 hash is taken from the Packages file (source code). If there is no MD5 hash, then we get the errors.

If this is a correct analysis, it seems like the best approach would be to simply do the MD5 computation for each package. Or maybe use the upstream hash and only compute it locally as a fallback if the MD5, specifically, isn't given. This seems like the simplest solution which wouldn't break things, even if it incurs an efficiency hit.

The other approach, of using SHA256 for example, has the drawbacks of 1) breaking existing pools (at best, when you update a mirror, all packages will be re-downloaded and you'll never have access to your history again), and 2) when SHA256 goes away in the future, we are left with the same problem all over again. Because MD5 is being used for uniquely identifying files and not for security, I see no reason not to continue using MD5. However, the "case of the missing MD5Sum field" must be accounted for.

** UPDATED to provide source code links.
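The fallback sketched in the comment above, written out as an added Go illustration (aptly is written in Go, but this is not aptly's own code): a minimal Packages-stanza parser and a pool-key routine that takes MD5sum from the index when present and otherwise derives MD5 from the downloaded bytes. It goes one step beyond the comment by checking the bytes against the index's SHA256 before the locally computed MD5 is trusted, so the fallback cannot silently pool a corrupted download. The names parseStanza, poolKey and sampleIndex are hypothetical, and the stanza and .deb bytes are constructed samples.

```go
package main

import (
	"bufio"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// parseStanza turns one Packages stanza into a field map (hypothetical helper;
// multi-line continuation fields such as Description are ignored).
func parseStanza(stanza string) map[string]string {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(stanza))
	for sc.Scan() {
		if k, v, ok := strings.Cut(sc.Text(), ":"); ok && k != "" {
			fields[k] = strings.TrimSpace(v)
		}
	}
	return fields
}

// poolKey returns the MD5 hex string an MD5-keyed pool layout needs: the
// index's MD5sum when present, otherwise MD5 computed locally, but only after
// the bytes verify against the index's SHA256, so the fallback stays safe.
func poolKey(fields map[string]string, deb []byte) (string, error) {
	if sum := fields["MD5sum"]; sum != "" {
		return sum, nil
	}
	if fields["SHA256"] == "" {
		return "", fmt.Errorf("%q: index has neither MD5sum nor SHA256", fields["Filename"])
	}
	if got := sha256.Sum256(deb); hex.EncodeToString(got[:]) != fields["SHA256"] {
		return "", fmt.Errorf("%q: SHA256 mismatch, refusing to pool", fields["Filename"])
	}
	sum := md5.Sum(deb)
	return hex.EncodeToString(sum[:]), nil
}

// sampleIndex returns a constructed stanza without MD5sum and the bytes it describes.
func sampleIndex() (string, []byte) {
	deb := []byte("constructed sample bytes standing in for a .deb")
	return fmt.Sprintf("Package: example\nFilename: pool/main/e/example_1.0_amd64.deb\nSHA256: %x\n", sha256.Sum256(deb)), deb
}

func main() {
	stanza, deb := sampleIndex()
	fmt.Println(poolKey(parseStanza(stanza), deb))
}
```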
@smira any pointers on how the test fixtures could be changed, or added to, to cover the case where MD5Sum isn't present in
Is there a workaround for this? |
@jsilverman-blispay not yet, working on a huge refactoring which would address that, but it looks like it hits a lot of code in aptly unfortunately
Progress in #539 |
Thanks for getting to this! I know it's a lot of work. Let me know if I can help test implementations. For those wondering, the current workaround is to ...
An example of step #2:
... roughly.
@linuxluser right now the implementation seems to be fairly stable in #539. There are a lot of changes all across the core of aptly, but the good thing is that aptly can handle packages even without checksums at all or with any combination of missing checksums. Packages published from aptly, though, should now always come with a full checksum set.
Aptly fails to update the google-cloud mirror with error: `ERROR: unable to update: unable to compute pool location for filename ... MD5 is missing` It looks like this has been fixed in version 1.1: https://github.com/smira/aptly/issues/228 We need to update Aptly; until then, create a local repository and upload the files manually.
The MD5sum field is a non-required field in the Binary Package Index.
Aptly, however, cannot mirror packages where this field is absent. It gives the following error message: "unable to compute pool location for filename 'test.deb', MD5 is missing".
This situation appears, for example, when you want to mirror a Debian repository hosted on bintray.