Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

[SOLVED]Stretch upgrade 9.0.0 to 9.1.0 fails from update DVD

Ask for help with issues regarding the Installations of the Debian O/S.
Message
Author
User avatar
gurfle
Posts: 367
Joined: 2009-06-04 02:08
Location: Seattle, Washington, US

Re: Stretch upgrade 9.0.0 to 9.1.0 fails from update DVD

#16 Post by gurfle »

Looks like a real bug. The response to the bug report from Steve McIntyre says:
Apologies - you've found a real bug here. I need to update the
update-cd script to use better hashes than just md5sum for the update
images. This setup has worked for a very long time, but newer versions
of apt won't accept it any more. Looking into a fix now...

luvr
Posts: 85
Joined: 2016-07-21 19:39
Location: Boom - The Home Town of Tomorrowland, Belgium

Re: Stretch upgrade 9.0.0 to 9.1.0 fails from update DVD

#17 Post by luvr »

I need to update the update-cd script to use better hashes than just md5sum for the update images. This setup has worked for a very long time, but newer versions of apt won't accept it any more.
Ah! I get it now... The Packages files (e.g., ‘dists/stretch/main/binary-amd64/Packages') on the update DVD include only MD5 checksums, which are no longer considered safe.

User avatar
gurfle
Posts: 367
Joined: 2009-06-04 02:08
Location: Seattle, Washington, US

Re: Stretch upgrade 9.0.0 to 9.1.0 fails from update DVD

#18 Post by gurfle »

Not sure when the official repositories will have them. but you can get the fixed update jigdos at this link (posted in the bug report):
https://get.debian.org/images/unofficial/test-update-9.1.1/

luvr
Posts: 85
Joined: 2016-07-21 19:39
Location: Boom - The Home Town of Tomorrowland, Belgium

Re: [SOLVED]Stretch upgrade 9.0.0 to 9.1.0 fails from update

#19 Post by luvr »

Out of curiosity, I have just downloaded the ‘debian-update-9.1.1-amd64-DVD-1.iso’ image—which went blazingly fast with the “jigdo-lite” command, since it found all of its required files on the ‘debian-update-9.1.0-amd64-DVD-1.iso’ image (which I had loop-mounted read-only on ‘/mnt/tmp’):

Code: Select all

If you already have a previous version of the CD you are
downloading, jigdo can re-use files on the old CD that are also
present in the new image, and you do not need to download them
again. Mount the old CD ROM and enter the path it is mounted under
(e.g. `/mnt/cdrom').
Alternatively, just press enter if you want to start downloading
the remaining files.

You can also enter a single digit from the list below to
select the respective entry for scanning:
  1: /mnt/tmp
Files to scan: 1

Downloading .template file
--2017-08-09 11:23:22--  http://get.debian.org/images/unofficial/test-update-9.1.1/amd64/jigdo-dvd/debian-update-9.1.1-amd64-DVD-1.template
Resolving get.debian.org (get.debian.org)... 2001:6b0:19::165, 2001:6b0:19::173, 194.71.11.165, ...
Connecting to get.debian.org (get.debian.org)|2001:6b0:19::165|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 292351 (285K)
Saving to: ‘debian-update-9.1.1-amd64-DVD-1.template’

debian-update-9.1.1-amd64-DVD-1.template                 100%[================================================================================================================================>] 285.50K  1.02MB/s    in 0.3s    

2017-08-09 11:23:22 (1.02 MB/s) - ‘debian-update-9.1.1-amd64-DVD-1.template’ saved [292351/292351]

Found 443 of the 443 files required by the template                                                                                              
Successfully created `debian-update-9.1.1-amd64-DVD-1.iso'
The ‘Packages’ files now include not only the MD5, but also the SHA256 checksums of the packages.

The missing digital signatures (causing warnings about the Release files) are not critical to the current version of the APT system, but there are apparently efforts going on to harden the package management software, with the goal to drop support for unsigned repositories in future APT versions. One example of this gradual hardening is that MD5 checksums are no longer accepted.

User avatar
gurfle
Posts: 367
Joined: 2009-06-04 02:08
Location: Seattle, Washington, US

Re: [SOLVED]Stretch upgrade 9.0.0 to 9.1.0 fails from update

#20 Post by gurfle »

Not understanding all this security business enough, can you confirm that the iso file created by your fast jigdo method actually can be used to install packages from? Given my ignorance on the issue, I took the time to download the entire thing before testing, but it certainly would be great to know for sure that is not necessary.

Cheers, Nick

luvr
Posts: 85
Joined: 2016-07-21 19:39
Location: Boom - The Home Town of Tomorrowland, Belgium

Re: [SOLVED]Stretch upgrade 9.0.0 to 9.1.0 fails from update

#21 Post by luvr »

gurfle wrote:Not understanding all this security business enough, can you confirm that the iso file created by your fast jigdo method actually can be used to install packages from? Given my ignorance on the issue, I took the time to download the entire thing before testing, but it certainly would be great to know for sure that is not necessary.
I’m pretty confident that the ISO file that I created is completely identical to yours, but if you want to double-check, then I suggest you verify its SHA512 checksum. Assuming that your copy of the ‘debian-update-9.1.1-amd64-DVD-1.iso’ file is in the current directory, just run the following command:

Code: Select all

sha512sum -c <<//*EOF
8bad9bee3afa49953a99955a18575829b093cc6d24c235071c4f27be6e4326f6025543a768d1cd282aff1d16568ab717b41476f509be6459606a327ecd8ef9cc *debian-update-9.1.1-amd64-DVD-1.iso
//*EOF
The first line runs the ‘sha512sum’ command in “check” mode—i.e., it expects one or more text lines as input, from which it will read the expected checksum value (a string of 128 hexadecimal digits, representing a 512-bit binary value, at four bits per character position) and the name of the file to which the checksum value applies. The command will obtain its input from the standard input stream, until it encounters the string “//*EOF” on a line by itself. The second line of the above code is the input to the program: the checksum value, a space, an asterisk for binary file input mode (I could have used a space here, but I wanted to avoid having two spaces in a row), and finally the name of the file to check. The third line marks the end of the input to the program.

I generated the checksum on my own copy of the file, so if your copy passes the validation, then you can rest assured that the two copies are identical.

User avatar
gurfle
Posts: 367
Joined: 2009-06-04 02:08
Location: Seattle, Washington, US

Re: [SOLVED]Stretch upgrade 9.0.0 to 9.1.0 fails from update

#22 Post by gurfle »

Neat!:

Code: Select all

nick@oldlaptop:/media/nick/DebianRepositori$ sha512sum -c <<//*EOF
> 8bad9bee3afa49953a99955a18575829b093cc6d24c235071c4f27be6e4326f6025543a768d1cd282aff1d16568ab717b41476f509be6459606a327ecd8ef9cc *debian-update-9.1.1-amd64-DVD-1.iso
> //*EOF
debian-update-9.1.1-amd64-DVD-1.iso: OK
nick@oldlaptop:/media/nick/DebianRepositori$ 
This confirms that everyone who has a non-working 9.1.0 update DVD and wishes to make a working 9.1.1 update DVD can create it in jigdo using your "fast" way.

And thanks for the detailed "education" via this example on how to use such codes!

Cheers, Nick

pbrunnen
Posts: 5
Joined: 2015-06-28 03:59

Re: [SOLVED]Stretch upgrade 9.0.0 to 9.1.0 fails from update

#23 Post by pbrunnen »

Hello everyone,
In case anyone else stumbles upon here when trying to use an apt-move repository... Since stretch, the original version won't work because SHA1 is depreciated. You need to merge the SHA256 sum fixes from Mario Koppensteiner and the fifo sync/mawk fix from Михаил
https://bugs.debian.org/cgi-bin/bugrepo ... bug=639770
https://www.mail-archive.com/debian-bug ... 49403.html

Please see my git repo for a modified version that I use for convenience sake.
https://github.com/pbrunnen/apt-move

-Cheers, Peter.

Post Reply