Hi,
Apologies for the long report, but I've tried to be rather precise.
I've run into what I believe is this bug, although there's a
possibility of my case being slight different (more on that later).
To test and reproduce the issue, I've set up a couple of simple
repositories on a (xubuntu, but it shouldn't matter) laptop, which are
served over HTTP via the python SimpleHTTPServer module. This is the
directory structure:
gera@gera-tp:/tmp/repos$ tree
.
├── debian-squeeze
│ └── squeeze
│ ├── InRelease
│ ├── Packages
│ ├── Packages.bz2
│ ├── Packages.gz
│ ├── Release
│ ├── Release.gpg
│ ├── Sources
│ ├── Sources.bz2
│ └── Sources.gz
└── debian-wheezy
└── wheezy
├── InRelease
├── Packages
├── Packages.bz2
├── Packages.gz
├── Release
├── Release.gpg
├── Sources
├── Sources.bz2
└── Sources.gz
4 directories, 18 files
gera@gera-tp:/tmp/repos$
This is served over HTTP via:
gera@gera-tp:/tmp/repos$ sudo python -mSimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
And over HTTPS via:
gera@gera-tp:/tmp/repos$ sudo socat
OPENSSL-LISTEN:443,reuseaddr,fork,certificate=/etc/ssl/certs/ssl-cert-snakeoil.pem,key=/etc/ssl/private/ssl-cersnakeoil.key,verify=0
TCP4:localhost:80
[ Note that I'm using the snakeoil certs that come with xubuntu and
have the CN set to 'xubuntu' ]
A freshly installed, updated VM is set to consume from these
repositories. To narrow down on a minimal test case, I've removed all
other repositories. The 'apt', 'apt-transport-https' and 'apt-utils'
packages seem up-to-date:
root@vm-dgera:~# apt-cache policy apt apt-transport-https apt-utils
apt:
Installed: 0.9.7.9
Candidate: 0.9.7.9
Version table:
*** 0.9.7.9 0
100 /var/lib/dpkg/status
apt-transport-https:
Installed: 0.9.7.9
Candidate: 0.9.7.9
Version table:
*** 0.9.7.9 0
100 /var/lib/dpkg/status
apt-utils:
Installed: 0.9.7.9
Candidate: 0.9.7.9
Version table:
*** 0.9.7.9 0
100 /var/lib/dpkg/status
The VM is set up to trust the snakeoil certificate and has an entry in
/etc/hosts for the name 'xubuntu', to match the CN in the cert.
root@vm-dgera:~# wget -nv 'https://xubuntu/'
2013-10-09 03:56:27 URL:https://xubuntu/ [276/276] - index.html [1]
root@vm-dgera:~# wget -nv 'https://192.168.122.1/'
The certificate's owner does not match hostname `192.168.122.1'
root@vm-dgera:~#
Now, here are a couple of scenarios:
SCENARIO I.
-
The repositories are set up via https. That is,
root@vm-dgera:~# apt-cache policy
Package files:
100 /var/lib/dpkg/status
release a=now
900 https://xubuntu/debian-wheezy/ wheezy/ Packages
release o=deviantART,a=wheezy,n=wheezy,l=deviantART wheezy,c=
origin xubuntu
500 https://xubuntu/debian-squeeze/ squeeze/ Packages
release o=deviantART,a=squeeze,n=squeeze,l=deviantART squeeze,c=
origin xubuntu
Pinned packages:
root@vm-dgera:~#
An apt-get update works fine:
root@vm-dgera:~# apt-get -o Acquire::Languages=none update
Get:1 https://xubuntu squeeze/ Release.gpg [287 B]
Hit https://xubuntu squeeze/ Release.gpg [287 B]
Get:2 https://xubuntu wheezy/ Release.gpg [287 B]
Hit https://xubuntu wheezy/ Release.gpg [287 B]
Get:3 https://xubuntu squeeze/ Release [1,544 B]
Hit https://xubuntu squeeze/ Release [1,544 B]
Get:4 https://xubuntu wheezy/ Release [1,540 B]
Hit https://xubuntu wheezy/ Release [1,540 B]
Get:5 https://xubuntu squeeze/ Packages [31.2 kB]
Hit https://xubuntu squeeze/ Packages [31.2 kB]
Get:6 https://xubuntu wheezy/ Packages [38.0 kB]
Hit https://xubuntu wheezy/ Packages [38.0 kB]
Reading package lists... Done
root@vm-dgera:~#
It still works fine, if I delete all the repository files from
/var/lib/apt/lists/:
root@vm-dgera:~# rm /var/lib/apt/lists/xubuntu_debian-*
root@vm-dgera:~# apt-get -o Acquire::Languages=none update
Get:1 https://xubuntu squeeze/ Release.gpg [287 B]
Get:2 https://xubuntu wheezy/ Release.gpg [287 B]
Get:3 https://xubuntu squeeze/ Release [1,544 B]
Get:4 https://xubuntu wheezy/ Release [1,540 B]
Get:5 https://xubuntu squeeze/ Packages [31.2 kB]
Get:6 https://xubuntu wheezy/ Packages [38.0 kB]
Fetched 72.8 kB in 0s (103 kB/s)
Reading package lists... Done
root@vm-dgera:~#
HOWEVER - if I delete only a single repository's files (squeeze here,
but it doesn't matter), it fails:
root@vm-dgera:~# rm /var/lib/apt/lists/xubuntu_debian-squeeze_squeeze_*
root@vm-dgera:~# ls /var/lib/apt/lists/
lock partial xubuntu_debian-wheezy_wheezy_Packages
xubuntu_debian-wheezy_wheezy_Release
xubuntu_debian-wheezy_wheezy_Release.gpg
root@vm-dgera:~# apt-get -o Acquire::Languages=none update
Get:1 https://xubuntu squeeze/ Release.gpg [287 B]
Get:2 https://xubuntu wheezy/ Release.gpg [287 B]
Hit https://xubuntu wheezy/ Release.gpg [287 B]
Get:3 https://xubuntu squeeze/ Release [1,544 B]
Hit https://xubuntu squeeze/ Release [1,544 B]
Ign https://xubuntu squeeze/ Release
Get:4