Project

General

Profile

Bug #16883

Tails 3.15 apt config references tor-0.4.0.x-experimental packages, which are no longer available

Added by kogorman about 1 month ago. Updated 19 days ago.

Status:
Fix committed
Priority:
High
Assignee:
Category:
-
Target version:
Start date:
Due date:
% Done:

100%

Feature Branch:
bugfix/16883-drop-tor-0.4.0.x-experimental+force-all-tests
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Additional Software Packages

Description

Tails 3.15 apt sources lists include a reference to tor-0.4.0-experimental components, which are no longer available on the Tor Project repos. This breaks `sudo apt-get update`, and automatic installation of packages from the Persistent volume.

Steps to Reproduce

Start Tails 3.15 with an admin password.
In a terminal, run sudo apt-get update

Expected Behavior

sudo apt-get update completes without error.

Actual Behavior

sudo apt-get update fails with error:

---
Fetched 30.1 MB in 5min 13s (96.0 kB/s)
Reading package lists... Done
W: The repository 'tor+http://sdscoq7snqtznauu.onion/torproject.org tor-experimental-0.4.0.x-stretch Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch tor+http://sdscoq7snqtznauu.onion/torproject.org/dists/tor-experimental-0.4.0.x-stretch/main/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
---

This is similar to issue #15978, which affected users of SecureDrop in particular but also anyone installing custom packages via apt.

:sajolida: is watching this.


Related issues

Related to Tails - Feature #16931: Automatic test: don't include any deb.torproject.org experimental APT source Confirmed
Related to Tails - Bug #16790: Revert to installing tor from torproject's buster suite Resolved
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed 03/22/2019

Associated revisions

Revision 430a973a (diff)
Added by segfault 30 days ago

Drop tor-experimental-0.4.0.x-stretch (refs: #16883)

This partly reverts commit 585ca1efd1d6e4c1398d6d4b81016716ac11ad7d.

Revision 134907f5 (diff)
Added by segfault 19 days ago

Bump APT snapshot of the torproject archive to 2019073103 (refs: #16883)

Revision f9ac536d
Added by intrigeri 19 days ago

Merge remote-tracking branch 'origin/bugfix/16883-drop-tor-0.4.0.x-experimental+force-all-tests' into stable (Fix-committed: #16883)

History

#1 Updated by eloquence about 1 month ago

As with the last time this happened, we'll be issuing an advisory about this ASAP, similar to this one:
https://securedrop.org/news/advisory-installationworkstation-update-failure-tails-39/

It would be great to land a fix soon. Is there anything that can be done to prevent future regressions of this kind?

#2 Updated by eloquence about 1 month ago

Here's the SecureDrop team's advisory regarding this issue:
https://securedrop.org/news/advisory-installationworkstation-update-failure-tails-315/

#3 Updated by intrigeri about 1 month ago

  • Target version changed from Tails_3.15 to Tails_3.16

#4 Updated by sajolida about 1 month ago

  • Affected tool set to Additional Software Packages
  • Could we ask Tor to fix their repo to prevent this regression in Tails?
  • as @eloquence said: How can we prevent such regressions from happening in the future? Since apparently, it already happened twice in 10 months.

#5 Updated by sajolida about 1 month ago

  • Description updated (diff)

#6 Updated by intrigeri about 1 month ago

#7 Updated by intrigeri about 1 month ago

  • Status changed from New to Confirmed

sajolida wrote:

  • Could we ask Tor to fix their repo to prevent this regression in Tails?

Yes, I think this is the next thing to do: gently ask whoever maintains deb.tpo these days (Tor System Administrators? only weasel?) to bring back the dist we need for a few months, either as an alias to their "stretch" suite, or with the content that was in the suite before it was deleted, or even as an empty suite. Then we can ship 3.16 without the offending APT source and a few weeks later, Tor can remove the temporary workaround.

@segfault, can you take the lead here?

#8 Updated by segfault 30 days ago

intrigeri wrote:

sajolida wrote:

  • Could we ask Tor to fix their repo to prevent this regression in Tails?

Yes, I think this is the next thing to do: gently ask whoever maintains deb.tpo these days (Tor System Administrators? only weasel?) to bring back the dist we need for a few months, either as an alias to their "stretch" suite, or with the content that was in the suite before it was deleted, or even as an empty suite. Then we can ship 3.16 without the offending APT source and a few weeks later, Tor can remove the temporary workaround.

@segfault, can you take the lead here?

I talked to weasel on #tor-dev. He was not amused, but will bring back the tor-experimental-0.4.0.x-stretch dist until a week after our 3.16 release (2019-09-04). He said that we should have never shipped something which uses the experimental dist. And that he doesn't want to have a "tor-experimental-latest" dist, which would prevent this of happening in the future (I didn't really understand his arguments for this, @intrigeri, I can give you the chat log if you want it).

#9 Updated by segfault 30 days ago

  • Status changed from Confirmed to In Progress

#10 Updated by segfault 30 days ago

  • Status changed from In Progress to Needs Validation
  • Feature Branch set to bugfix/16883-drop-tor-0.4.0.x-experimental

I dropped tor-0.4.0.x-experimental in the feature branch.

#11 Updated by segfault 30 days ago

  • Feature Branch changed from bugfix/16883-drop-tor-0.4.0.x-experimental to bugfix/16883-drop-tor-0.4.0.x-experimental+force-all-tests

#12 Updated by segfault 30 days ago

@kogorman, @eloquence: `apt update` should work again now.

#13 Updated by eloquence 28 days ago

So it does! Thanks very much for the fast coordination and follow-up. :)

#14 Updated by intrigeri 20 days ago

  • Status changed from Needs Validation to In Progress
  • Assignee set to segfault

This branch reverts to tor 0.3.5.8-1~d90.stretch+1, while we shipped 0.4.0.5-1~d90.stretch+1 in 3.15. To avoid that, I think it also needs to bump the torproject APT snapshot it uses, so we get 0.4.0.x from the "stretch" dist.

@segfault, what do you think?

#15 Updated by intrigeri 20 days ago

I talked to weasel on #tor-dev. He was not amused, but will bring back the tor-experimental-0.4.0.x-stretch dist until a week after our 3.16 release (2019-09-04).

Awesome, thanks!

He said that we should have never shipped something which uses the experimental dist.

Makes sense. I would file a ticket to add an automated test about it. It'll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can't merge such branches as-in into stable/devel/etc. @segfault, what do you think?

#16 Updated by segfault 19 days ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (segfault)

intrigeri wrote:

This branch reverts to tor 0.3.5.8-1~d90.stretch+1, while we shipped 0.4.0.5-1~d90.stretch+1 in 3.15. To avoid that, I think it also needs to bump the torproject APT snapshot it uses, so we get 0.4.0.x from the "stretch" dist.

Ah crap, I forgot that we pin the repo that we use during build. I bumped the snapshot now.

Makes sense. I would file a ticket to add an automated test about it. It'll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can't merge such branches as-in into stable/devel/etc. @segfault, what do you think?

Sounds good to me.

#17 Updated by intrigeri 19 days ago

  • Assignee set to intrigeri

#18 Updated by intrigeri 19 days ago

  • Status changed from Needs Validation to Fix committed
  • % Done changed from 0 to 100

#19 Updated by intrigeri 19 days ago

  • Related to Feature #16931: Automatic test: don't include any deb.torproject.org experimental APT source added

#20 Updated by intrigeri 19 days ago

Ah crap, I forgot that we pin the repo that we use during build. I bumped the snapshot now.

Merged and bumped the expiration date of that new snapshot.

Makes sense. I would file a ticket to add an automated test about it. It'll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can't merge such branches as-in into stable/devel/etc. @segfault, what do you think?

Sounds good to me.

#16931 :)

#21 Updated by intrigeri 15 days ago

  • Related to Bug #16790: Revert to installing tor from torproject's buster suite added

Also available in: Atom PDF