On Sat, Jan 24, 2015 at 04:50:04PM +0000, Patrick Schleizer wrote:
> Package: apt
> Severity: important
>
> When "apt-get update" fails the program exits with a 0 status.
> It would be useful if it exited with a non-zero status in that case
> (or if there were a switch to tell it to do so).

I disagree that it should do that. We just redefined a successful update (for the success hook) to mean "not all sources failed". In case we fetch anything, that's still a success, as we update the cache with the new data. The question of what a successful update is is complicated and depends on the expectations of the person using APT.

> This is similar to bug 41053 [1] from 1999, that says it's fixed, but it
> doesn't say how it was fixed and it's apparently unfixed.
>
> See output (shortened that a little).
>
> > sudo apt-get update
> > Could not resolve 'ecurity.debian.org'
> > Hit http://ftp.us.debian.org wheezy Release
> >
> > Reading package lists... Done
> > W: Failed to fetch http://ecurity.debian.org/dists/wheezy/updates/Release.gpg  Could not resolve 'ecurity.debian.org'
> >
> > W: Some index files failed to download. They have been ignored, or old ones used instead.
> > ~ $ echo $?
> > 0
>
> (For demonstration purposes, I just added a defunct deb line
> deb http://ecurity.debian.org wheezy/updates main contrib non-free)
>
> Detecting such situations in scripts is important. At least if you
> really care if some extra repository gets used during a build script or
> if you care for an image to be built as verifiable / reproducible as possible.
>
> Otherwise an adversary could just prevent one from connecting to a
> repository one cares to receive upgrades from (such as
> security.debian.org), which would effectively render apt-get's security
> check for expired release files (valid-until field) [2] [3] ineffective.

Maybe we should do some apt-cache check-expiry command that people can run from their script to check if their downloaded lists are still considered "safe"? And possibly check gpg sigs as well?

> There is also another issue related to exit codes. [4]
>
> Cheers,
> Patrick
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=41053
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
> [3] http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
> [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745735

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
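The two things the thread above asks for, a script-side way to notice that `apt-get update` silently ignored a source, and the proposed "check-expiry" style test of the cached Release files, can both be done from the caller's side today. The following is an added example written for this page; it is not apt's code, and `apt-cache check-expiry` does not exist (it is only a suggestion in the reply). It assumes the default lists directory `/var/lib/apt/lists`, that cached Release files there are named `*_Release`, and that `Valid-Until` is in the RFC 2822 date format Debian archives use. The sample apt output and Release fragment are constructed from the report, not captured from a real run; exit status 100 was chosen because that is apt-get's own status for errors.

```python
"""Strict wrapper around `apt-get update` plus a Valid-Until expiry check.

Added example, not apt's code. Assumptions: apt lists live in
/var/lib/apt/lists (the default) and Release files there are named
*_Release; Valid-Until is an RFC 2822 date as written by Debian archives.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from pathlib import Path
from typing import List, Optional, Tuple

# Line apt prints for a source it could not fetch, e.g.
#   W: Failed to fetch http://.../Release.gpg  Could not resolve '...'
FAILED_FETCH = re.compile(r"^[WE]: Failed to fetch (\S+)", re.MULTILINE)
IGNORED_INDEXES = "Some index files failed to download"

# Constructed sample modelled on the output in the bug report (mail
# line-wrapping undone); not captured from a real run.
SAMPLE_APT_OUTPUT = """\
Hit http://ftp.us.debian.org wheezy Release
Reading package lists... Done
W: Failed to fetch http://ecurity.debian.org/dists/wheezy/updates/Release.gpg  Could not resolve 'ecurity.debian.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.
"""

# Constructed Release-file fragment whose Valid-Until has long passed.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: oldstable
Codename: wheezy
Date: Sat, 24 Jan 2015 10:00:00 UTC
Valid-Until: Sat, 31 Jan 2015 10:00:00 UTC
"""
# A clock reading from before that expiry, for checking the comparison.
SAMPLE_NOW_BEFORE_EXPIRY = datetime(2015, 1, 25, tzinfo=timezone.utc)


def failed_sources(apt_output: str) -> List[str]:
    """URLs apt reported with 'Failed to fetch' (stdout and stderr combined)."""
    return FAILED_FETCH.findall(apt_output)


def strict_update_status(apt_output: str, exit_status: int) -> Tuple[int, List[str]]:
    """Re-interpret one `apt-get update` run strictly.

    apt exits 0 as long as not every source failed; here any failed source
    (or apt's "ignored, or old ones used" warning) is an error. 100 is the
    status apt-get itself uses for errors.
    """
    failed = failed_sources(apt_output)
    if exit_status != 0:
        return exit_status, failed
    if failed or IGNORED_INDEXES in apt_output:
        return 100, failed
    return 0, failed


def run_apt_update_strict() -> Tuple[int, List[str]]:
    """Run the real `apt-get update` and apply the strict interpretation."""
    proc = subprocess.run(["apt-get", "update"], capture_output=True, text=True)
    return strict_update_status(proc.stdout + proc.stderr, proc.returncode)


def release_is_expired(release_text: str, now: Optional[datetime] = None) -> Optional[bool]:
    """True if the Release file's Valid-Until lies in the past.

    Returns None when the field is absent: such an archive sets no expiry,
    so apt's freshness check cannot protect that source at all.
    """
    match = re.search(r"^Valid-Until:\s*(.+)$", release_text, re.MULTILINE)
    if match is None:
        return None
    valid_until = parsedate_to_datetime(match.group(1).strip())
    if valid_until.tzinfo is None:  # treat a naive timestamp as UTC
        valid_until = valid_until.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return now > valid_until


def expired_release_files(lists_dir: str = "/var/lib/apt/lists",
                          now: Optional[datetime] = None) -> List[str]:
    """Names of cached Release files whose Valid-Until has passed."""
    return [p.name for p in sorted(Path(lists_dir).glob("*_Release"))
            if release_is_expired(p.read_text(errors="replace"), now)]


if __name__ == "__main__":
    status, failed = run_apt_update_strict()
    for url in failed:
        print("failed source:", url, file=sys.stderr)
    stale = expired_release_files()
    for name in stale:
        print("expired lists:", name, file=sys.stderr)
    sys.exit(status if status else (100 if stale else 0))
```

Run from a build script, the wrapper fails the build when any configured source could not be fetched, which is exactly the case apt reports with exit 0, and it fails it again when a previously fetched Release file has outlived its Valid-Until, so an attacker who merely blocks the connection to security.debian.org cannot keep a stale, signed list in use unnoticed. A Release file without Valid-Until yields None rather than a verdict; the check cannot say anything about such a source.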