Pulp deb incorrect Version in Release and InRelease

stephenc · February 20, 2022, 11:53pm

Problem:

Debian Release file is published with and incrementing Version rather than the Release Version as expected. Instead of “Version = 20.04” or “Version = 18.04” the Version field in pulp is “Version = 1”
which is incremented on change as below

Origin: Pulp 3
Label: bionic-26013252
Suite: bionic
Version: 2
Codename: bionic
Date: Mon, 17 Jan 2022 05:49:53 +0000
Architectures: amd64 all
Components: restricted multiverse universe main

Expected outcome:
Origin: Ubuntu
Label: Ubuntu
Suite: bionic
Version: 18.04
Codename: bionic
Date: Thu, 26 Apr 2018 23:37:48 UTC
Architectures: amd64 arm64 armhf i386 ppc64el s390x
Components: main restricted universe multiverse
Description: Ubuntu Bionic 18.04

The Version change is breaking new versions (greate than 1.5) of apt-get

Foreman and Proxy versions:
Foreman 3.1.1-1

Foreman and Proxy plugin versions:
katello 4.3.0-1
pulp-deb 2.16
pulp 3.16
Distribution and version:
centos 7.9
Other relevant data:

quba42 · February 21, 2022, 7:40am

On the published repo pulp_deb publishes the Pulp repo version as the version.
This is by design, though it may well be a bad design with unintended consequences, and no real benefits…

That being said, It would be helpful if you can describe the exact nature of the problematic APT behavior that results from the version. I am at least somewhat surprised, since APT generally accepts arbitrary non-distro repos, so why would the Release-file-version suddenly matter? I am wondering if this was prompted by some new configuration on Ubuntu as well as what the exact symptoms are?

stephenc · February 21, 2022, 8:10am

Yes Apt 1.5 and greater ( ubuntu 18 and 20 ) is now using a security system that includes Release and Version and each change must be manually approved as below
apt-get update --allow-releaseinfo-change
with close to 1000 ubuntu servers this is not ideal.

the symptom is apt-get cannot be used in any normal puppet module without changing it.

I’m home now I’ll post the results from a server tomorrow.

Plain apt works as it doesn’t use the security model.

quba42 · February 21, 2022, 8:15am

Does that mean the problem is not so much that the version in the Release file is not 18.04/20.04, but rather that the version is frequently changing?

If APT is going to cry every time certain values change in the Release file, that may well affect other fields as well as the version. This is definitely worth opening an issue for at https://github.com/pulp/pulp_deb/issues (I may do so myself as I get to it).

stephenc · February 21, 2022, 8:22am

yes - Doesn’t matter what the value is as long as it doesn’t change

quba42 · February 21, 2022, 8:56am

I have created a pulp_deb issue to track this: https://github.com/pulp/pulp_deb/issues/443

The only immediate work arounds are to always use the --allow-releaseinfo-change flag for APT actions, or else to patch pulp_deb to use a constant Release file version here: https://github.com/pulp/pulp_deb/blob/07efc73239212f31311c6f33fb7b0b2ae5afdf52/pulp_deb/app/tasks/publishing.py#L255 (I think that should do it).

rgp · February 22, 2022, 11:53pm

The Label is another such field. I found that out when recreating a repository with the exact same name. The new repository has a different label. I had to run apt-get update --allow-releaseinfo-change on all hosts pointing to the repository. I’ve now started to use content views, and will likely eventually hit this same issue when the version is incremented.

stephenc · February 22, 2022, 11:56pm

I’m removing Version from the fields - it is not needed - testing in our lab right now then rolling to prod

stephenc · February 23, 2022, 2:07am

tested and working
/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulp_deb/app/tasks/publishing.py
line 252 change to self.release[“Label”] = label.split(’-’)[0]
line 257 change to # self.release[“Version”] = version

stephenc · February 23, 2022, 10:22pm

a better solution for line 252 is self.release[“Label”] = label.rsplit(’-’,1)[0]

Allows for dashes in label.

quba42 · March 1, 2022, 8:48am

Small update: We will be working on this issue ASAP, since it is clearly a functionally critical issue.

quba42 · March 7, 2022, 12:52pm

Update

As a quick fix, I have a PR that disables publishing the release file version and label completely:

github.com/pulp/pulp_deb

Do not set the release file Label or Version during publish

pulp:main ← ATIX-AG:release_info_changes_workaround

opened 12:21PM - 07 Mar 22 UTC

quba42

+9 -2

Closes #443 This is a quick and dirty workaround to prevent apt-secure from …constantly requiering users to run the following: apt-get update --allow-releaseinfo-change This fix changes the pulp_deb publication behaviour. To mitigate, the old behaviour can be renabled by setting SET_RELEASE_FILE_LABEL and SET_RELEASE_FILE_VERSION to True. For a long term fix, additional new features and behaviour changes are now planned: https://github.com/pulp/pulp_deb/issues/449

The PR includes the possibility of using settings to fall back to the old behaviour.

In the long run, we plan to provide more fine grained user control over various Release file fields, along with a default behaviour that does not clash with apt-secure:

github.com/pulp/pulp_deb

Make various release file fields user configurable

opened 10:37AM - 07 Mar 22 UTC

closed 11:36AM - 06 Jun 23 UTC

quba42

.feature Triage-Needed

**Is your feature request related to a problem? Please describe.** This featu…re is intended to provide a long term solution for https://github.com/pulp/pulp_deb/issues/443 while also empowering users to use pulp_deb repos in combination with "APT pinning" and "unattended upgrade" workflows. **Describe the solution you'd like** - The upstream Origin, Label, and Version fields should be stored on the release content during sync (if present). - Users should be able to define their own Origin, Label, and Version values on repositories and/or publications. - User supplied values trump upstream repo values during publish If possible, consider the possibility of respecting arbitrary upstream and user supplied release file fields? **Additional context** #443 Should provide a backportable bugfix solution for the same problem, while this ticket provides a new design approach as a long term solution.