Debian Bug report logs - #853739
apt: cannot download unauthenticated packages but can install -d them

Reply or subscribe to this bug.

Display info messages

Message #5 received at [email protected] (full text, mbox, reply):

From: Thorsten Glaser <[email protected]>

To: Debian Bug Tracking System <[email protected]>

Subject: apt: cannot download unauthenticated packages but can install -d them

Date: Tue, 31 Jan 2017 14:40:20 +0100

Package: apt
Version: 1.4~beta4
Severity: normal

tglase@tglase:~ $ cd /tmp/
tglase@tglase:/tmp $ apt-get download elasticsearch
WARNING: The following packages cannot be authenticated!
  elasticsearch
E: Some packages could not be authenticated
100|tglase@tglase:/tmp $ apt-get download -y elasticsearch
WARNING: The following packages cannot be authenticated!
  elasticsearch
E: Some packages could not be authenticated
100|tglase@tglase:/tmp $ apt-get download -y --force-yes elasticsearch
WARNING: The following packages cannot be authenticated!
  elasticsearch
E: Some packages could not be authenticated
100|tglase@tglase:/tmp $ sudo apt-get install -d elasticsearch
Reading package lists... Done
Building dependency tree
Reading state information... Done
Starting pkgProblemResolver with broken count: 0
Starting 2 pkgProblemResolver with broken count: 0
Done
The following NEW packages will be installed:
  elasticsearch
0 upgraded, 1 newly installed, 0 to remove and 22 not upgraded.
Need to get 27.2 MB of archives.
After this operation, 30.5 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  elasticsearch
Install these packages without verification? [y/N] y
Get:1 https://packages.elastic.co/elasticsearch/2.x/debian stable/main amd64 elasticsearch all 2.4.4 [27.2 MB]
Fetched 27.2 MB in 58s (466 kB/s)
Download complete and in download only mode
tglase@tglase:/tmp $ sudo mv /var/cache/apt/archives/elasticsearch_2.4.4_all.deb .


Yes, I know it’s unauthenticated, but I can’t even get around
it with the bad --force-yes switch (why?). I just want to peek
at the .deb contents, and the idiots who run the repo disabled
browsing it with a webbrowser…

-- Package-specific info:

-- (/etc/apt/preferences present, but not submitted) --


-- (/etc/apt/preferences.d/dash-mksh.pref present, but not submitted) --


-- (/etc/apt/sources.list present, but not submitted) --


-- (/etc/apt/sources.list.d/local.list present, but not submitted) --


-- System Information:
Debian Release: 9.0
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2014.3
ii  gpgv                    2.1.18-3
ii  init-system-helpers     1.47
ii  libapt-pkg5.0           1.4~beta4
ii  libc6                   2.24-9
ii  libgcc1                 1:6.3.0-5
ii  libstdc++6              6.3.0-5

Versions of packages apt recommends:
ii  gnupg   2.1.18-3
ii  gnupg1  1.4.21-2
ii  gnupg2  2.1.18-3

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.18.21
ii  powermgmt-base               1.31+nmu1
pn  python-apt                   <none>

-- no debconf information

Message #10 received at [email protected] (full text, mbox, reply):

From: Julian Andres Klode <[email protected]>

To: [email protected], [email protected]

Subject: Re: Bug#853739: apt: cannot download unauthenticated packages but can install -d them

Date: Tue, 31 Jan 2017 14:55:47 +0100

On 31 January 2017 at 14:40, Thorsten Glaser <[email protected]> wrote:
> 100|tglase@tglase:/tmp $ apt-get download -y --force-yes elasticsearch
> WARNING: The following packages cannot be authenticated!
>   elasticsearch
> E: Some packages could not be authenticated


--force-yes is deprecated, and enables 3 specific --allow switches
(downgrade,remove-essential,change-held-packages), but
--allow-unauthenticated is not one of them. Well, sort of: If it
prompts interactively, it also accepts --force-yes. For some reason
the download command asks the auth checking code to not prompt the
user, so the only way out is to use --allow-unauthenticated.


-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Message #18 received at [email protected] (full text, mbox, reply):

From: Thorsten Glaser <[email protected]>

To: Julian Andres Klode <[email protected]>

Cc: [email protected], [email protected]

Subject: Re: Bug#853739: apt: cannot download unauthenticated packages but can install -d them

Date: Tue, 31 Jan 2017 19:13:15 +0000 (UTC)

Julian Andres Klode dixit:

>--allow-unauthenticated is not one of them. Well, sort of: If it
>prompts interactively, it also accepts --force-yes. For some reason

Ah okay… then the question is why “apt-get download” does not prompt.

Thanks,
//mirabilos
-- 
Stéphane, I actually don’t block Googlemail, they’re just too utterly
stupid to successfully deliver to me (or anyone else using Greylisting
and not whitelisting their ranges). Same for a few other providers such
as Hotmail. Some spammers (Yahoo) I do block.

Send a report that this bug log contains spam.