Bug #16883

Tails 3.15 apt config references tor-0.4.0.x-experimental packages, which are no longer available

Added by kogorman 2019-07-16 17:32:28 . Updated 2019-09-05 00:03:40 .

Status:
Resolved
Priority:
High
Assignee:
intrigeri
Category:
Target version:
Start date:
Due date:
% Done:

100%

Feature Branch:
bugfix/16883-drop-tor-0.4.0.x-experimental+force-all-tests
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Additional Software Packages
Deliverable for:

Description

Tails 3.15 apt sources lists include a reference to tor-0.4.0-experimental components, which are no longer available on the Tor Project repos. This breaks `sudo apt-get update`, and automatic installation of packages from the Persistent volume.

Steps to Reproduce

Start Tails 3.15 with an admin password.
In a terminal, run sudo apt-get update

Expected Behavior

sudo apt-get update completes without error.

Actual Behavior

sudo apt-get update fails with error:


Fetched 30.1 MB in 5min 13s (96.0 kB/s)
Reading package lists… Done
W: The repository ‘tor+http://sdscoq7snqtznauu.onion/torproject.org tor-experimental-0.4.0.x-stretch Release’ does not have a Release file.
N: Data from such a repository can’t be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch tor+http://sdscoq7snqtznauu.onion/torproject.org/dists/tor-experimental-0.4.0.x-stretch/main/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
—-

This is similar to issue Bug #15978, which affected users of SecureDrop in particular but also anyone installing custom packages via apt.

:sajolida: is watching this.


Subtasks


Related issues

Related to Tails - Feature #16931: Automatic test: don't include any deb.torproject.org experimental APT source Resolved
Related to Tails - Bug #16790: Revert to installing tor from torproject's buster suite Resolved
Related to Tails - Bug #15978: Tails 3.9 apt config references tor-0.3.4.x-experimental packages, which are no longer available Resolved 2018-09-25
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

History

#1 Updated by eloquence 2019-07-16 19:54:58

As with the last time this happened, we’ll be issuing an advisory about this ASAP, similar to this one:
https://securedrop.org/news/advisory-installationworkstation-update-failure-tails-39/

It would be great to land a fix soon. Is there anything that can be done to prevent future regressions of this kind?

#2 Updated by eloquence 2019-07-17 23:25:05

Here’s the SecureDrop team’s advisory regarding this issue:
https://securedrop.org/news/advisory-installationworkstation-update-failure-tails-315/

#3 Updated by intrigeri 2019-07-18 14:04:52

  • Target version changed from Tails_3.15 to Tails_3.16

#4 Updated by sajolida 2019-07-19 16:23:57

  • Affected tool set to Additional Software Packages
  • Could we ask Tor to fix their repo to prevent this regression in Tails?
  • as @eloquence said: How can we prevent such regressions from happening in the future? Since apparently, it already happened twice in 10 months.

#5 Updated by sajolida 2019-07-20 09:16:00

  • Description updated

#6 Updated by intrigeri 2019-07-20 19:37:00

#7 Updated by intrigeri 2019-07-20 19:40:47

  • Status changed from New to Confirmed

sajolida wrote:
> * Could we ask Tor to fix their repo to prevent this regression in Tails?

Yes, I think this is the next thing to do: gently ask whoever maintains deb.tpo these days (Tor System Administrators? only weasel?) to bring back the dist we need for a few months, either as an alias to their “stretch” suite, or with the content that was in the suite before it was deleted, or even as an empty suite. Then we can ship 3.16 without the offending APT source and a few weeks later, Tor can remove the temporary workaround.

@segfault, can you take the lead here?

#8 Updated by segfault 2019-07-21 11:20:50

intrigeri wrote:
> sajolida wrote:
> > * Could we ask Tor to fix their repo to prevent this regression in Tails?
>
> Yes, I think this is the next thing to do: gently ask whoever maintains deb.tpo these days (Tor System Administrators? only weasel?) to bring back the dist we need for a few months, either as an alias to their “stretch” suite, or with the content that was in the suite before it was deleted, or even as an empty suite. Then we can ship 3.16 without the offending APT source and a few weeks later, Tor can remove the temporary workaround.
>
> @segfault, can you take the lead here?

I talked to weasel on #tor-dev. He was not amused, but will bring back the tor-experimental-0.4.0.x-stretch dist until a week after our 3.16 release (2019-09-04). He said that we should have never shipped something which uses the experimental dist. And that he doesn’t want to have a “tor-experimental-latest” dist, which would prevent this of happening in the future (I didn’t really understand his arguments for this, @intrigeri, I can give you the chat log if you want it).

#9 Updated by segfault 2019-07-21 11:39:44

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|430a973a12b67f9a69dfd1ba12bbcc8021fdedaf.

#10 Updated by segfault 2019-07-21 11:40:26

  • Status changed from In Progress to Needs Validation
  • Feature Branch set to bugfix/16883-drop-tor-0.4.0.x-experimental

I dropped tor-0.4.0.x-experimental in the feature branch.

#11 Updated by segfault 2019-07-21 11:41:13

  • Feature Branch changed from bugfix/16883-drop-tor-0.4.0.x-experimental to bugfix/16883-drop-tor-0.4.0.x-experimental+force-all-tests

#12 Updated by segfault 2019-07-21 11:55:40

kogorman, eloquence: `apt update` should work again now.

#13 Updated by eloquence 2019-07-22 22:34:45

So it does! Thanks very much for the fast coordination and follow-up. :)

#14 Updated by intrigeri 2019-07-30 21:33:52

  • Status changed from Needs Validation to In Progress
  • Assignee set to segfault

This branch reverts to tor 0.3.5.8-1~d90.stretch+1, while we shipped 0.4.0.5-1~d90.stretch+1 in 3.15. To avoid that, I think it also needs to bump the torproject APT snapshot it uses, so we get 0.4.0.x from the “stretch” dist.

@segfault, what do you think?

#15 Updated by intrigeri 2019-07-30 21:34:01

> I talked to weasel on #tor-dev. He was not amused, but will bring back the tor-experimental-0.4.0.x-stretch dist until a week after our 3.16 release (2019-09-04).

Awesome, thanks!

> He said that we should have never shipped something which uses the experimental dist.

Makes sense. I would file a ticket to add an automated test about it. It’ll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can’t merge such branches as-in into stable/devel/etc. @segfault, what do you think?

#16 Updated by segfault 2019-07-31 20:06:48

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (segfault)

intrigeri wrote:
> This branch reverts to tor 0.3.5.8-1~d90.stretch+1, while we shipped 0.4.0.5-1~d90.stretch+1 in 3.15. To avoid that, I think it also needs to bump the torproject APT snapshot it uses, so we get 0.4.0.x from the “stretch” dist.

Ah crap, I forgot that we pin the repo that we use during build. I bumped the snapshot now.

> Makes sense. I would file a ticket to add an automated test about it. It’ll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can’t merge such branches as-in into stable/devel/etc. @segfault, what do you think?

Sounds good to me.

#17 Updated by intrigeri 2019-07-31 22:02:19

  • Assignee set to intrigeri

#18 Updated by intrigeri 2019-08-01 10:29:35

  • Status changed from Needs Validation to Fix committed
  • % Done changed from 0 to 100

Applied in changeset commit:tails|f9ac536d01e08445377f1989274ab4d6dc69306d.

#19 Updated by intrigeri 2019-08-01 10:32:02

  • related to Feature #16931: Automatic test: don't include any deb.torproject.org experimental APT source added

#20 Updated by intrigeri 2019-08-01 10:33:08

> Ah crap, I forgot that we pin the repo that we use during build. I bumped the snapshot now.

Merged and bumped the expiration date of that new snapshot.

>> Makes sense. I would file a ticket to add an automated test about it. It’ll fail on branches where we temporarily need such an experimental suite, but this should serve as a reminder that we can’t merge such branches as-in into stable/devel/etc. @segfault, what do you think?

> Sounds good to me.

Feature #16931 :)

#21 Updated by intrigeri 2019-08-05 08:25:44

  • related to Bug #16790: Revert to installing tor from torproject's buster suite added

#22 Updated by sajolida 2019-08-28 08:48:21

  • related to Bug #15978: Tails 3.9 apt config references tor-0.3.4.x-experimental packages, which are no longer available added

#23 Updated by CyrilBrulebois 2019-09-05 00:03:40

  • Status changed from Fix committed to Resolved