Debian Bug report logs - #778357
audit 'apt-get update' exit codes

Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt.

Reported by: Patrick Schleizer <adrelanos@riseup.net>

Date: Sat, 14 Feb 2015 00:45:02 UTC

Severity: important



Report forwarded to debian-bugs-dist@lists.debian.org, holger@layer-acht.org, pabs@debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778357; Package apt. (Sat, 14 Feb 2015 00:45:06 GMT).


Acknowledgement sent to Patrick Schleizer <adrelanos@riseup.net>:
New Bug report received and forwarded. Copy sent to holger@layer-acht.org, pabs@debian.org, APT Development Team <deity@lists.debian.org>. (Sat, 14 Feb 2015 00:45:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Patrick Schleizer <adrelanos@riseup.net>
To: submit@bugs.debian.org
Subject: audit 'apt-get update' exit codes
Date: Sat, 14 Feb 2015 00:40:43 +0000
Package: apt
Severity: important
X-Debbugs-CC: holger@layer-acht.org,pabs@debian.org

When "apt-get update" fails the program under some conditions exits with
a 0 status. It would be useful if it exited with a non-zero status in
that case (or if there were a switch to tell it to do so).

Since there is already...

- provide meaningful exit codes for network failures
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776152

and

- apt: Provide meaningful exit codes for gpg failures
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745735

That have been found more or less by trial and error... I am wondering,
if there are any other situations, where this could happen.

Perhaps while you're at #776152 and #745735, could you please check if
there are other cases, where apt-get exits with a 0 status, where it
should exit with a non-zero status?

Cheers,
Patrick



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778357; Package apt. (Sat, 14 Feb 2015 10:12:05 GMT).


Acknowledgement sent to Julian Andres Klode <jak@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 14 Feb 2015 10:12:05 GMT).


Message #10 received at 778357@bugs.debian.org:

From: Julian Andres Klode <jak@debian.org>
To: Patrick Schleizer <adrelanos@riseup.net>, 778357@bugs.debian.org
Subject: Re: Bug#778357: audit 'apt-get update' exit codes
Date: Sat, 14 Feb 2015 11:08:02 +0100
On 14.02.2015 01:45, "Patrick Schleizer" <adrelanos@riseup.net> wrote:
>
> Package: apt
> Severity: important
> X-Debbugs-CC: holger@layer-acht.org,pabs@debian.org
>
> When "apt-get update" fails the program under some conditions exits with
> a 0 status. It would be useful if it exited with a non-zero status in
> that case (or if there were a switch to tell it to do so).
>
> Since there is already...
>
> - provide meaningful exit codes for network failures
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776152
>
> and
>
> - apt: Provide meaningful exit codes for gpg failures
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745735
>
> That have been found more or less by trial and error... I am wondering,
> if there are any other situations, where this could happen.
>
> Perhaps while you're at #776152 and #745735, could you please check if
> there are other cases, where apt-get exits with a 0 status, where it
> should exit with a non-zero status?
>
> Cheers,
> Patrick

The results are meaningful. 0 indicates success or transient error, whereas
other values indicate a persistent error.

Stuff like gpg errors are transient, they are expected to happen during
mirror updates due to the repository format.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778357; Package apt. (Sun, 15 Feb 2015 02:45:05 GMT).


Acknowledgement sent to Patrick Schleizer <adrelanos@riseup.net>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sun, 15 Feb 2015 02:45:05 GMT).


Message #15 received at 778357@bugs.debian.org:

From: Patrick Schleizer <adrelanos@riseup.net>
To: Julian Andres Klode <jak@debian.org>, 778357@bugs.debian.org
Subject: Re: Bug#778357: audit 'apt-get update' exit codes
Date: Sun, 15 Feb 2015 02:43:15 +0000
Julian Andres Klode:
> The results are meaningful. 0 indicates success or transient error, whereas
> other values indicate a persistent error.
> 
> Stuff like gpg errors are transient, they are expected to happen during
> mirror updates due to the repository format.

If an adversary mounts a denial of service, indefinite freeze or
rollback attack, the error (network or gpg failure) would not be
transient, but persistent.




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778357; Package apt. (Wed, 09 May 2018 11:18:03 GMT).


Acknowledgement sent to Philipp Kern <pkern@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 09 May 2018 11:18:03 GMT).


Message #20 received at 778357@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Julian Andres Klode <jak@debian.org>, 778357@bugs.debian.org
Cc: Patrick Schleizer <adrelanos@riseup.net>
Subject: Re: Bug#778357: audit 'apt-get update' exit codes
Date: Wed, 9 May 2018 13:15:23 +0200
On Sat, Feb 14, 2015 at 11:08:02AM +0100, Julian Andres Klode wrote:
> On 14.02.2015 01:45, "Patrick Schleizer" <adrelanos@riseup.net> wrote:
> > When "apt-get update" fails the program under some conditions exits with
> > a 0 status. It would be useful if it exited with a non-zero status in
> > that case (or if there were a switch to tell it to do so).
> >
> > Since there is already...
> >
> > - provide meaningful exit codes for network failures
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776152
> >
> > and
> >
> > - apt: Provide meaningful exit codes for gpg failures
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745735
> >
> > That have been found more or less by trial and error... I am wondering,
> > if there are any other situations, where this could happen.
> >
> > Perhaps while you're at #776152 and #745735, could you please check if
> > there are other cases, where apt-get exits with a 0 status, where it
> > should exit with a non-zero status?
> The results are meaningful. 0 indicates success or transient error, whereas
> other values indicate a persistent error.
> 
> Stuff like gpg errors are transient, they are expected to happen during
> mirror updates due to the repository format.

So I really struggle with this assertion. Without any alternative mode
this behavior makes it hard to use "apt-get update" reliably from
scripts. Sure, if you are doing an update run in the background, this
might be fine. But returning 0 on a failing update is bad: for one you
cannot just retry transient failures because you would need to check for
non-empty stderr. Also if you expect your script to fail rather than to
continue with bad input (because it's set -e), it does not. Something
else might fail or you just include the wrong output into your disk
image like in my case today.

So pretty please, could we get a mode that is less surprising, in case
you still don't want to change the default? :)

Kind regards and thanks
Philipp Kern
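
The stderr check and retry described in the message above, sketched as an added example; it is not part of the original thread and not apt's own code. The function names `strict_update`, `update_with_retry` and `fake_update_gpg_warning` are hypothetical, and the warning line is a constructed sample.

```shell
#!/bin/sh
# Added example (not apt's code): make "update" failures visible to scripts.

# strict_update [cmd...]  (default cmd: apt-get update)
# Returns the command's own status if non-zero; returns 100 (the value
# apt-get documents for errors) if it exited 0 but wrote a "W:" or "E:"
# diagnostic to stderr; returns 0 only for a clean run.
strict_update() {
    [ "$#" -gt 0 ] || set -- apt-get update
    su_err=$(mktemp) || return 2
    su_rc=0
    "$@" 2>"$su_err" || su_rc=$?
    cat "$su_err" >&2                      # keep diagnostics visible
    if [ "$su_rc" -eq 0 ] && grep -Eq '^(W|E): ' "$su_err"; then
        su_rc=100
    fi
    rm -f "$su_err"
    return "$su_rc"
}

# update_with_retry ATTEMPTS DELAY_SECONDS [cmd...]
# Retries failures, then gives up with the last status.
update_with_retry() {
    ur_max=$1; ur_delay=$2; shift 2
    ur_try=1
    while :; do
        ur_rc=0
        strict_update "$@" || ur_rc=$?
        [ "$ur_rc" -eq 0 ] && return 0
        if [ "$ur_try" -ge "$ur_max" ]; then return "$ur_rc"; fi
        ur_try=$((ur_try + 1))
        sleep "$ur_delay"
    done
}

# Constructed stand-in for an update that "succeeds" with a GPG warning.
fake_update_gpg_warning() {
    echo "Reading package lists... Done"
    echo "W: GPG error: http://deb.example.invalid stable InRelease: constructed sample" >&2
    return 0
}

# Typical use in a build script running under set -e:
#   update_with_retry 3 10 apt-get update
```

Any `W:` line fails the run, including warnings unrelated to fetching or signatures, so this is a fail-closed policy suited to unattended builds where stale or unverified package lists must stop the script.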



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 27 06:07:55 2018; Machine Name: buxtehude
