Project

General

Profile

Bug #16883

Tails 3.15 apt config references tor-0.4.0.x-experimental packages, which are no longer available

Added by kogorman 3 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
-
Target version:
Start date:
Due date:
% Done:

100%

Feature Branch:
bugfix/16883-drop-tor-0.4.0.x-experimental+force-all-tests
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Additional Software Packages

Description

Tails 3.15 apt sources lists include a reference to tor-0.4.0-experimental components, which are no longer available on the Tor Project repos. This breaks `sudo apt-get update`, and automatic installation of packages from the Persistent volume.

Steps to Reproduce

Start Tails 3.15 with an admin password.
In a terminal, run sudo apt-get update

Expected Behavior

sudo apt-get update completes without error.

Actual Behavior

sudo apt-get update fails with error:

---
Fetched 30.1 MB in 5min 13s (96.0 kB/s)
Reading package lists... Done
W: The repository 'tor+http://sdscoq7snqtznauu.onion/torproject.org tor-experimental-0.4.0.x-stretch Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch tor+http://sdscoq7snqtznauu.onion/torproject.org/dists/tor-experimental-0.4.0.x-stretch/main/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
---

This is similar to issue #15978, which affected users of SecureDrop in particular but also anyone installing custom packages via apt.

:sajolida: is watching this.


Related issues

Related to Tails - Feature #16931: Automatic test: don't include any deb.torproject.org experimental APT source Resolved
Related to Tails - Bug #16790: Revert to installing tor from torproject's buster suite Resolved
Related to Tails - Bug #15978: Tails 3.9 apt config references tor-0.3.4.x-experimental packages, which are no longer available Resolved 09/25/2018
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

Associated revisions

Revision 430a973a (diff)
Added by segfault 3 months ago

Drop tor-experimental-0.4.0.x-stretch (refs: #16883)

This partly reverts commit 585ca1efd1d6e4c1398d6d4b81016716ac11ad7d.

Revision 134907f5 (diff)
Added by segfault 3 months ago

Bump APT snapshot of the torproject archive to 2019073103 (refs: #16883)

Revision f9ac536d
Added by intrigeri 3 months ago

Merge remote-tracking branch 'origin/bugfix/16883-drop-tor-0.4.0.x-experimental+force-all-tests' into stable (Fix-committed: #16883)

History

#1 Updated by eloquence 3 months ago

As with the last time this happened, we'll be issuing an advisory about this ASAP, similar to this one:
https://securedrop.org/news/advisory-installationworkstation-update-failure-tails-39/

It would be great to land a fix soon. Is there anything that can be done to prevent future regressions of this kind?

#2 Updated by eloquence 3 months ago

Here's the SecureDrop team's advisory regarding this issue:
https://securedrop.org/news/advisory-installationworkstation-update-failure-tails-315/

#3 Updated by intrigeri 3 months ago

  • Target version changed from Tails_3.15 to Tails_3.16

#4 Updated by sajolida 3 months ago

  • Affected tool set to Additional Software Packages
  • Could we ask Tor to fix their repo to prevent this regression in Tails?
  • as @eloquence said: How can we prevent such regressions from happening in the future? Since apparently, it already happened twice in 10 months.

#5 Updated by sajolida 3 months ago

  • Description updated (diff)

#6 Updated by intrigeri 3 months ago

#7 Updated by intrigeri 3 months ago

  • Status changed from New to Confirmed

sajolida wrote:

  • Could we ask Tor to fix their repo to prevent this regression in Tails?

Yes, I think this is the next thing to do: gently ask whoever maintains deb.tpo these days (Tor System Administrators? only weasel?) to bring back the dist we need for a few months, either as an alias to their "stretch" suite, or with the content that was in the suite before it was deleted, or even as an empty suite. Then we can ship 3.16 without the offending APT source and a few weeks later, Tor can remove the temporary workaround.

@segfault, can you take the lead here?

#8 Updated by segfault 3 months ago

intrigeri wrote:

sajolida wrote:

  • Could we ask Tor to fix their repo to prevent this regression in Tails?

Yes, I think this is the next thing to do: gently ask whoever maintains deb.tpo these days (Tor System Administrators? only weasel?) to bring back the dist we need for a few months, either as an alias to their "stretch" suite, or with the content that was in the suite before it was deleted, or even as an empty suite. Then we can ship 3.16 without the offending APT source and a few weeks later, Tor can remove the temporary workaround.

@segfault, can you take the lead here?

I talked to weasel on #tor-dev. He was not amused, but will bring back the tor-experimental-0.4.0.x-stretch dist until a week after our 3.16 release (2019-09-04). He said that we should have never shipped something which uses the experimental dist. And that he doesn't want to have a "tor-experimental-latest" dist, which would prevent this of happening in the future (I didn't really understand his arguments for this, @intrigeri, I can give you the chat log if you want it).

#9 Updated by segfault 3 months ago

  • Status changed from Confirmed to In Progress

#10 Updated by segfault 3 months ago

  • Status changed from In Progress to Needs Validation
  • Feature Branch set to bugfix/16883-drop-tor-0.4.0.x-experimental

I dropped tor-0.4.0.x-experimental in the feature branch.

#11 Updated by segfault 3 months ago

  • Feature Branch changed from bugfix/16883-drop-tor-0.4.0.x-experimental to bugfix/16883-drop-tor-0.4.0.x-experimental+force-all-tests

#12 Updated by segfault 3 months ago

@kogorman, @eloquence: `apt update` should work again now.

#13 Updated by eloquence 3 months ago

So it does! Thanks very much for the fast coordination and follow-up. :)

#14 Updated by intrigeri 3 months ago

  • Status changed from Needs Validation to In Progress
  • Assignee set to segfault

This branch reverts to tor 0.3.5.8-1~d90.stretch+1, while we shipped 0.4.0.5-1~d90.stretch+1 in 3.15. To avoid that, I think it also needs to bump the torproject APT snapshot it uses, so we get 0.4.0.x from the "stretch" dist.

@segfault, what do you think?

#15 Updated by intrigeri 3 months ago

I talked to weasel on #tor-dev. He was not amused, but will bring back the tor-experimental-0.4.0.x-stretch dist until a week after our 3.16 release (2019-09-04).

Awesome, thanks!

He said that we should have never shipped something which uses the experimental dist.

Makes sense. I would file a ticket to add an automated test about it. It'll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can't merge such branches as-in into stable/devel/etc. @segfault, what do you think?

#16 Updated by segfault 3 months ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (segfault)

intrigeri wrote:

This branch reverts to tor 0.3.5.8-1~d90.stretch+1, while we shipped 0.4.0.5-1~d90.stretch+1 in 3.15. To avoid that, I think it also needs to bump the torproject APT snapshot it uses, so we get 0.4.0.x from the "stretch" dist.

Ah crap, I forgot that we pin the repo that we use during build. I bumped the snapshot now.

Makes sense. I would file a ticket to add an automated test about it. It'll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can't merge such branches as-in into stable/devel/etc. @segfault, what do you think?

Sounds good to me.

#17 Updated by intrigeri 3 months ago

  • Assignee set to intrigeri

#18 Updated by intrigeri 3 months ago

  • Status changed from Needs Validation to Fix committed
  • % Done changed from 0 to 100

#19 Updated by intrigeri 3 months ago

  • Related to Feature #16931: Automatic test: don't include any deb.torproject.org experimental APT source added

#20 Updated by intrigeri 3 months ago

Ah crap, I forgot that we pin the repo that we use during build. I bumped the snapshot now.

Merged and bumped the expiration date of that new snapshot.

Makes sense. I would file a ticket to add an automated test about it. It'll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can't merge such branches as-in into stable/devel/etc. @segfault, what do you think?

Sounds good to me.

#16931 :)

#21 Updated by intrigeri 2 months ago

  • Related to Bug #16790: Revert to installing tor from torproject's buster suite added

#22 Updated by sajolida about 2 months ago

  • Related to Bug #15978: Tails 3.9 apt config references tor-0.3.4.x-experimental packages, which are no longer available added

#23 Updated by CyrilBrulebois about 1 month ago

  • Status changed from Fix committed to Resolved

Also available in: Atom PDF