[Bug 1157943] Re: apt-get update fails hash checks on https repositories when file size changes

Philipp Kern pkern at google.com
Thu Sep 12 09:32:32 UTC 2013 

I'm also unconvinced of this patch. It drops the If-Range logic
altogether which means that it requests a range without specifying what
the mtime of the partial file was. It also does not use If-Modified-
Since in this case. So you'd still end up with a file that's partially
corrupted if the file changed underneath.

Curl does not seem to have logic to do If-Range properly. So in this
case the return code of the HTTP request will indicate if we got the
entire file (200 OK) or a partial snippet (206 Partial Content)[1]. 206
will include the range and last-modified date of the current file, which
we can check against what we expect. 200 OK should replace the whole
file.

(No, I'm not volunteering.)

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1157943

Title:
  apt-get update fails hash checks on https repositories when file size
  changes

Status in “apt” package in Ubuntu:
  New
Status in “apt” source package in Precise:
  New

Bug description:
  apt uses its own strategy for sending Range: requests on https,
  instead of the libcurl handling. Here's is a scenario where it gets it
  wrong:

  1) apt downloads the file but doesn't put the file in place yet (perhaps it got interrupted or something)
  2) the file on the server gets replaced by a smaller file
  3) the next update run wants to download the file, sees a partial read, and asks for Range: (len(file)-1)-
  4) the server sees a Range: request for a byte-range past the end of (the current version of) the file, considers it invalid, and streams the entire file. (This is correct behavior.)
  5) apt assumes the response is the range it expected, and appends it to the local staging copy (minus one byte).

  Instead of rolling apt's own attempt to handle ranges in the https
  method, it should just use libcurl's. Attached is a patch which solves
  the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1157943/+subscriptions

More information about the foundations-bugs mailing list