libera/#devuan/ Monday, 2019-04-08

Jjp137I wouldn't say not to use us.deb; it is documented here:
Jjp137but it is easiest to start with deb.devuan.org00:00
xrogaanHypertables: could you give me the result from `host'?00:00 is an alias for has address
gnarfacethat is correct00:02
gnarfacethat is what i get here too00:03
gnarfacebut should be a round-robin of several mirrors00:03
gnarfacei see 13 here00:04
xrogaanyeah, so maybe something is crapping on your network as you receive the files. You might have a cache somewhere.00:04
Hypertablespretty sure I don't have an http cache or anything like that00:05
gnarfacewell, it looks like you only have one option to confirm whether it is the repo or not00:08
gnarfacein general it is a bad idea to use 3rd party repos or other distro's repos though00:08
gnarfacethat could really be the issue too00:09
gnarfacenot that you have the repo in there, but that you installed something from there00:09
gnarfaceif it was made for debian or ubuntu, for example, there are a number of highly eccentric failure cases00:09
gnarfacemost of them not immediately obvious on install00:10
xrogaanno, I don't get the warning but the InRelease file does list a different sha256sum than the one from the file I get00:10
xrogaana958a8acee49af960759f7533231b075d184fa8ee7d708764b022d33c1d29e8f   335185 main/Contents-amd64.gz00:10
xrogaanBut locally: 75acef3458d85396d38b730213b0fe801508a961f4d30495cfa585b8318ccf95  Contents-amd64.gz00:10
gnarfacesame if you use https?00:10
xrogaanIIRC there is no https00:11
xrogaannot on the round robin, it uses the wrong certificate00:12
Jjp137pkgmaster supports https, but you have to explicitly specify that mirror instead of using deb.devuan.org00:12
Jjp137the round robin doesn't support https00:12
gnarface75acef3458d85396d38b730213b0fe801508a961f4d30495cfa585b8318ccf95 for Contents-amd64.gz locally here too00:15
xrogaanis there a way for apt to not care about that value?00:20
gnarfaceprobably, but i don't know if it's a good idea to ignore it00:21
gnarfacecould be evidence of a MITM attack...00:21
xrogaangnarface: apt-config | grep AllowInsecure00:23
xrogaanI have this, somehow: Binary::apt-get::Acquire::AllowInsecureRepositories "1";00:24
gnarfacealso note that in that InRelease file, that line for main/Contents-amd64.gz is actually listed under the armhf/Packages.gz file00:24
gnarfaceso that's probably just a case of looking at the wrong InRelease file00:25
gnarfacebut i don't know how this works well enough to be sure00:25
gnarfacemight you have enabled that before installing the devuan-keyring package then forgot to turn it back off?00:26
gnarfacexrogaan: ?00:26
xrogaanhaven't touched that00:26
xrogaanmight not even be relevant00:26
gnarfacei see it actually set to Binary::apt-get::Acquire::AllowInsecureRepositories "1";00:27
gnarfaceon my rpi00:27
xrogaanso not relevant00:29
xrogaanhow do you see the package "armhf" thing?00:30
xrogaanoh, I don't think those are relevant00:31
xrogaanthe InRelease file is just a list of files without set order.00:31
gnarfacethere is indentation00:31
gnarfacelook on the previous line00:31
gnarfaceall the way at the left00:32
xrogaanAs I said, it's a list a files with associated hash.00:33
xrogaanand size00:33
xrogaanwhat concerns me is that apt doesn't raise an error with the mismatching hash.00:33
gnarfacei wonder if it has to do with the redirects00:34
gnarfaceand you're right, i was getting weird wrapping.  it's a linear list after all00:34
xrogaanHypertables: try to manually clean /var/lib/apt/lists/00:39
xrogaanjust in case00:39
Hypertablesno change00:41
xrogaanhow did you clean the folder?00:43
Hypertableswith rm -rf00:44
Hypertablesincl removal of the "lists" directory00:44
xrogaanyou might be behind a proxy without knowing it.00:45
Hypertablesdoubtful. I'm behind a residential cable internet connection and I manage the gateway box myself. it does iptables-based nat but no proxying00:46
xrogaando you trust your ISP?00:48
obarunhi, what's the devuan policies about elogind? Do you use it? Do you use consolekit2 or any other alternatives?00:48
gnarfaceobarun: it's mentioned in the release notes
Hypertablesthis looks very much like a bug in devuan to me ... has anyone managed to pull a copy of this file with the "correct" checksum e0e8ec7baba6bc2d4c26918b14aa8e27b95939d9f7440cb98fb087191e8de019 ?00:51
obarungnarface: many thanks00:52
gnarfaceobarun: no problem00:53
xrogaanHypertables: is that the correct checksum?00:55
Hypertableswell that's what's in
Hypertableshas anyone pulled a different content of the InRelease file?00:55
gnarfacenot here, i don't think00:56
xrogaanI have not00:58
xrogaanHypertables: why does my apt not warn me of those mismatches?01:04
gnarfacedidn't we go over this once and it turns out because they're auto-generated with combined contents on the fly?01:05
xrogaanno, gnarface, you seem to be confused.01:06
xrogaanor I am01:06
gnarfacei'm sure i'm confused01:06
xrogaanI don't know why the file listed above "main/Contents-amd64.gz" should be relevant to "main/Contents-amd64.gz".01:07
gnarfaceignore that, i was hallucinating01:09
gnarfacei note that the main/Contents-amd64.gz for ceres does seem to match the InRelease file01:09
gnarfaceso it's something different about ascii01:10
gnarfacecould it just be not yet updated?01:10
xrogaanbut why isn't my apt yelling?01:11
gnarfaceit could be this setting in apt-config perhaps? Binary::apt-get::Acquire::AllowInsecureRepositories "1";01:14
gnarfacecheck to see if you have it01:15
xrogaanthat's related to the gpg key01:19
xrogaanyou're not getting the error either01:19
gnarfacethat is true01:19
gnarfacehmm. i'm still thinking it might have something to do with how amprolla works.  that's what my memory is nagging at anyway01:23
gnarfacethere might be http 302 redirects confusing something here01:23
xrogaanah no, you were right01:26
xrogaansudo apt -o Acquire::AllowInsecureRepositories=false update < this fails everything01:27
xrogaanwelp, it's all broken now01:37
obarunjust for information for people interested to run s6 and s6-rc as init and service manager, i created a convenient tools to easily implement s6 and s6-rc on every linux system ->
HypertablesI still get errors if I do `apt-get -o Acquire::AllowInsecureRepositories=true update` ... are there any flags I can set that will bypass the hash sum errors?04:58
gnarfaceHypertables: i really think you need to figure out what non-devuan package is sabotaging the check, and then uninstall it.  that's my best guess05:13
gnarfaceif you had used backports before, you could have one of them blocking an important upgrade, too05:20
gnarface(there may be a way to actually override the hash sum errors, but i don't know it off the top of my head and i suspect it would just make this situation worse anyway)05:22
Jjp137hm I actually installed apt-file to check it out and I'm getting a ton of hash sum errors too05:33
Jjp137but if you don't use apt-file, then I guess the Contents.gz files don't mean much, and you should still be able to install packages, I think?05:34
Jjp137okay after experimenting some more, you're fetching the Contents files b/c apt-file is installed, which uses them05:38
Jjp137however, for some reason, the hashes don't match05:39
Jjp137a workaround if you don't use apt-file is to purge it (you can't just remove it, b/c apt-file comes with a config file that tells apt to fetch Contents files)05:39
Jjp137if you do use apt-file, then uh...I don't know then05:40
Jjp137although the InRelease file seems to have updated and I don't get hash sum errors anymore05:55
gnarfacehmm. i do remember there being a problem with apt-file that appeared quite some time ago that i never checked back on06:37
gnarfacethat might be a very old issue06:37
gnarfaceor related to it06:37
Jjp137it's just odd that the hashes didn't match at some point06:54
jellythat points to broken mirror08:54
jellyQ: (how) does devuan track jessie-lts, and how is security managed for customized software?08:55
jellyand by customized I mean "changed compared to Debian"09:25
xrogaanHypertables: no, I get the errors too11:25
xrogaanit's as you said, something's borked with the repo11:25
* xrogaan summons KatolaZ 11:26
xrogaanHypertables: or was broken11:26
xrogaanseems fine now11:26
* xrogaan unsummon KatolaZ 11:27
KatolaZxrogaan: ?11:30
KatolaZwhich errors?11:30
xrogaanEarlier in this channel (before I went to sleep) we talked about it. Basically hashsum mismatch between what's in the in InRelease file and the listed files.11:31
xrogaanSeems to be resolved now.11:31
KatolaZxrogaan: you must have hit the exact time when the InRelease files were synced11:32
xrogaanwell, I didn't find the error, Hypertables did.11:33
xrogaanThen we tried to resolve the issue for a while, downloaded the Content file and verified the hash didn't match.11:33
xrogaanThen after purging my /var/lib/apt/lists, it went:
xrogaanbut now it's fine.11:34
KatolaZxrogaan: you should be careful with hashes11:34
KatolaZthere are both md5 and sha25611:34
KatolaZand there are a lot of Contents files in the repo11:34
KatolaZlet apt do the job :)11:34
xrogaanexpected: SHA256:a958a8acee49af960759f7533231b075d184fa8ee7d708764b022d33c1d29e8f; received: SHA256:75acef3458d85396d38b730213b0fe801508a961f4d30495cfa585b8318ccf9511:34
xrogaanKatolaZ: just saying, there was an issue _with the repo_ and now there isn't.11:35
KatolaZxrogaan: is there a pastebin of the apt error somewhere?11:35
xrogaanI just linked it11:36
xrogaanyou might also try the irc logs and look for Hypertables's11:36
KatolaZok xrogaan11:37
KatolaZthat's just Contents files getting updated11:37
KatolaZthey are updated once a week, on the night between Sunday and Monday11:37
KatolaZcan't remember the exact time11:37
xrogaandoes it take long for them to get synced?11:37
KatolaZthey are quite large11:38
xrogaanbetween Hypertables reporting the error and me clearing my apt cache, there's been a good hour.11:38
KatolaZhad they tried again in the meanwhile?11:39
KatolaZi.e., issuing `apt-get update`?11:39
xrogaanseems so:
xrogaanvery slow sync, or the sync failed somehow.11:40
xrogaanand then got restarted?11:41
* KatolaZ shrugs11:41
xrogaanamazon's cdn got very slow maybe?11:42
xrogaansorry, I looked at the wrong terminal11:43
KatolaZxrogaan: we are not using any amazon CDN...11:43
xrogaan*not* amazon, devuan11:43
KatolaZwe are not using any external CDN11:43
KatolaZit's a bunch of mirrors behind a DNS round-robin11:43
xrogaanIsn't the round robin world wide? That's kind of what a CDN is, right?11:44
xrogaanIf you remove all the marketing BS from the existing powerhouses.11:44
xrogaanAnyhow, the InRelease file got updated roughly a day after: Date: Mon, 08 Apr 2019 03:26:56 UTC11:45
xrogaanWhile files with this date had issue: Release file created at: Sun, 07 Apr 2019 21:05:34 +000011:46
dethaxrogaan: in a proper CDN, DNS is only used sparingly for steering, and node selection is done by anycast12:31
EvilhamExactly :-)16:42

Generated by 2.17.0 by Marius Gedminas - find it at!