group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1562733] Re: apt signature requierements prevent updates from some repositories

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Julian Andres Klode <juliank@xxxxxxxxxx>
Date: Sun, 15 May 2016 16:24:45 -0000
Reply-to: Bug 1562733 <1562733@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Dropping the AppStream task, as that's more of an APT bug. With the SRU
and change in yakkety, appstream data is now generated even if some
updates failed.

Note that I chose not to close this bug report with those uploads, as
this bug report sort of keeps track of the larger problem of these error
class, and not the appstream-related aspect in particular.

With this most important problem gone, I consider marking this bug as
wontfix for xenial - Long term we will have a reworked handling of
untrusted repositories, but I think this is probably going to be to
invasive for xenial to backport.

** No longer affects: appstream (Ubuntu)

** No longer affects: appstream (Ubuntu Xenial)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1562733

Title:
  apt signature requierements prevent updates from some repositories

Status in apt package in Ubuntu:
  In Progress
Status in apt source package in Xenial:
  Confirmed

Bug description:
  Since xenial updated the requirements for the strength of PGP
  signatures of packages, packages from some repositories are no longer
  updated. Apt-get update reports these errors:

  E: Failed to fetch http://[...]/Release  No Hash entry in Release file /var/lib/apt/lists/partial/[...] which is considered strong enough for security purposes
  E: Some index files failed to download. They have been ignored, or old ones used instead.

  While the motivation for the change is valid, the result is a
  potential security problem, as the new versions of the packages that
  may fix recently discovered vulnerabilities are not automatically
  installed.

  One less important but unfortunate effect is a scary message that is
  displayed to the user, without clear explanation that the problem
  needs to be addressed by the repository owner.

  Related: Bug #1558331

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1562733/+subscriptions