Pulp deb incorrect Version in Release and InRelease


Debian Release file is published with and incrementing Version rather than the Release Version as expected. Instead of “Version = 20.04” or “Version = 18.04” the Version field in pulp is “Version = 1”
which is incremented on change as below

Origin: Pulp 3
Label: bionic-26013252
Suite: bionic
Version: 2
Codename: bionic
Date: Mon, 17 Jan 2022 05:49:53 +0000
Architectures: amd64 all
Components: restricted multiverse universe main

Expected outcome:
Origin: Ubuntu
Label: Ubuntu
Suite: bionic
Version: 18.04
Codename: bionic
Date: Thu, 26 Apr 2018 23:37:48 UTC
Architectures: amd64 arm64 armhf i386 ppc64el s390x
Components: main restricted universe multiverse
Description: Ubuntu Bionic 18.04

The Version change is breaking new versions (greate than 1.5) of apt-get

Foreman and Proxy versions:
Foreman 3.1.1-1

Foreman and Proxy plugin versions:
katello 4.3.0-1
pulp-deb 2.16
pulp 3.16
Distribution and version:
centos 7.9
Other relevant data:

On the published repo pulp_deb publishes the Pulp repo version as the version.
This is by design, though it may well be a bad design with unintended consequences, and no real benefits…

That being said, It would be helpful if you can describe the exact nature of the problematic APT behavior that results from the version. I am at least somewhat surprised, since APT generally accepts arbitrary non-distro repos, so why would the Release-file-version suddenly matter? I am wondering if this was prompted by some new configuration on Ubuntu as well as what the exact symptoms are?

Yes Apt 1.5 and greater ( ubuntu 18 and 20 ) is now using a security system that includes Release and Version and each change must be manually approved as below
apt-get update --allow-releaseinfo-change
with close to 1000 ubuntu servers this is not ideal.

the symptom is apt-get cannot be used in any normal puppet module without changing it.

I’m home now I’ll post the results from a server tomorrow.

Plain apt works as it doesn’t use the security model.

Does that mean the problem is not so much that the version in the Release file is not 18.04/20.04, but rather that the version is frequently changing?

If APT is going to cry every time certain values change in the Release file, that may well affect other fields as well as the version. This is definitely worth opening an issue for at https://github.com/pulp/pulp_deb/issues (I may do so myself as I get to it).

yes - Doesn’t matter what the value is as long as it doesn’t change

I have created a pulp_deb issue to track this: https://github.com/pulp/pulp_deb/issues/443

The only immediate work arounds are to always use the --allow-releaseinfo-change flag for APT actions, or else to patch pulp_deb to use a constant Release file version here: https://github.com/pulp/pulp_deb/blob/07efc73239212f31311c6f33fb7b0b2ae5afdf52/pulp_deb/app/tasks/publishing.py#L255 (I think that should do it).

The Label is another such field. I found that out when recreating a repository with the exact same name. The new repository has a different label. I had to run apt-get update --allow-releaseinfo-change on all hosts pointing to the repository. I’ve now started to use content views, and will likely eventually hit this same issue when the version is incremented.

I’m removing Version from the fields - it is not needed - testing in our lab right now then rolling to prod

tested and working
line 252 change to self.release[“Label”] = label.split(’-’)[0]
line 257 change to # self.release[“Version”] = version

a better solution for line 252 is self.release[“Label”] = label.rsplit(’-’,1)[0]

Allows for dashes in label.

Small update: We will be working on this issue ASAP, since it is clearly a functionally critical issue.


As a quick fix, I have a PR that disables publishing the release file version and label completely:

The PR includes the possibility of using settings to fall back to the old behaviour.

In the long run, we plan to provide more fine grained user control over various Release file fields, along with a default behaviour that does not clash with apt-secure: