[CPR-417] http://apt.puppetlabs.com/pool/wheezy/main/p/puppetlabs-release/puppetlabs-release_1.0.orig.tar.gz: size check mismatch 7619 != 4152

Created: 2017/04/25  Updated: 2017/12/28  Resolved: 2017/04/28

Status: Closed
Project: Community Package Repository
Component/s: Packaging
Affects Version/s: None
Fix Version/s: 2017/08/02

Type: Bug Priority: Blocker
Reporter: Stuart Cianos Assignee: Morgan Rhodes
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Team: Release Engineering
Sprint: RE 2017-05-03
QA Risk Assessment: Needs Assessment

 Description   

When attempting to download and verify files from the PuppetLabs community repository, we note the following mismatches which prevent the repository from validating properly:

{'return': 1, 'stderr': 'gpgv: Signature made Thu 20 Apr 2017 12:06:11 PM PST using RSA key ID EF8D349F
gpgv: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>"
ERROR: unable to update: download errors:
  http://apt.puppetlabs.com/pool/wheezy/main/p/puppetlabs-release/puppetlabs-release_1.0.orig.tar.gz: size check mismatch 7619 != 4152
', 'stdout': 'Downloading http://apt.puppetlabs.com/dists/wheezy/InRelease...
Downloading http://apt.puppetlabs.com/dists/wheezy/Release...
Downloading http://apt.puppetlabs.com/dists/wheezy/Release.gpg...
Downloading & parsing package files...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-all/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-amd64/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-arm64/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-armel/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-armhf/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-i386/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-mips/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-mipsel/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-powerpc/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/binary-sparc/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/wheezy/main/source/Sources.gz...
Building download queue...
Download queue: 1 items (4.05 KiB)
Downloading http://apt.puppetlabs.com/pool/wheezy/main/p/puppetlabs-release/puppetlabs-release_1.0.orig.tar.gz...
'}



 Comments   
Comment by Morgan Rhodes [ 2017/04/26 ]

Hey Stuart Cianos,

Can you give me more information about what environment you're running in and what command you're running to generate these errors? The output looked similar to output from aptly so I set up a mirror to try to replicate this but I was unable to.

Thanks.

Comment by Stuart Cianos [ 2017/04/26 ]

Sure! This is indeed our attempt to update the repo in Aptly. The specific configuration is:

aptly mirror list | grep puppet
 * [puppetlabs_jessie_dependencies_stable]: http://apt.puppetlabs.com/ jessie [src]
 * [puppetlabs_jessie_stable]: http://apt.puppetlabs.com/ jessie [src]
 * [puppetlabs_wheezy_dependencies_stable]: http://apt.puppetlabs.com/ wheezy [src]
 * [puppetlabs_wheezy_stable]: http://apt.puppetlabs.com/ wheezy [src]
 
---
 
aptly mirror show puppetlabs_wheezy_stable
Name: puppetlabs_wheezy_stable
Archive Root URL: http://apt.puppetlabs.com/
Distribution: wheezy
Components: main
Architectures: all, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, sparc
Download Sources: yes
Download .udebs: no
Last update: never
 
Information from release file:
Architectures: i386 amd64 arm64 armel armhf powerpc sparc mips mipsel all
Codename: wheezy
Components: dependencies devel main PC1
Date: Thu, 20 Apr 2017 20:02:25 UTC
Label: Puppetlabs
Origin: Puppetlabs
Suite: wheezy
Valid-Until: Tue, 30 Nov 2038 00:00:00 UTC

The issue is that the sources index is providing out of date or incorrect information. To wit, from: http://apt.puppetlabs.com/dists/wheezy/main/source/Sources.gz

Format: 1.0
Package: puppetlabs-release
Binary: puppetlabs-release
Architecture: all
Version: 1.0-2
Maintainer: Puppet Labs <info@puppetlabs.com>
Uploaders: Moses Mendoza <moses@puppetlabs.com>
Homepage: http://apt.puppetlabs.com
Standards-Version: 3.9.2
Vcs-Browser: http://git.debian.org/?p=pkg-puppet/puppet.git
Vcs-Git: git://git.debian.org/git/pkg-puppet/puppet.git
Build-Depends: debhelper (>= 7.0.0)
Directory: pool/wheezy/main/p/puppetlabs-release
Files:
 5bd252a46c64991e7b646b255af87d59 965 puppetlabs-release_1.0-2.dsc
 c77cc868ba78f7362f72dcf81dee9b9f 4152 puppetlabs-release_1.0.orig.tar.gz
 92b604ea6b9e7aa3475441d2741eac4a 327 puppetlabs-release_1.0-2.diff.gz
Checksums-Sha1:
 5330942fe7d59bcc10c93909d5c410ef28df3dad 965 puppetlabs-release_1.0-2.dsc
 9c3b2a62e5670b77ebf9f4c8e0df87daf57a6c83 4152 puppetlabs-release_1.0.orig.tar.gz
 dc3e09ce8b8f369d2ecc6ce79a1926dfd751d0a2 327 puppetlabs-release_1.0-2.diff.gz
Checksums-Sha256:
 02c2918d69dab78b2b3c5392959bb7f8f9ec71ed236abebcf01149edc7c63a0b 965 puppetlabs-release_1.0-2.dsc
 a6d88a98905e6a790504e9ea385020007dc0304f33b69a36457d45547dd82b0f 4152 puppetlabs-release_1.0.orig.tar.gz
 bc0c55882488d84dcb4b29456780523a0d0c789a9cffd59bbd078431b403b779 327 puppetlabs-release_1.0-2.diff.gz

But upon receiving the file:

# wget http://apt.puppetlabs.com/pool/wheezy/main/p/puppetlabs-release/puppetlabs-release_1.0.orig.tar.gz
--2017-04-26 12:30:21--  http://apt.puppetlabs.com/pool/wheezy/main/p/puppetlabs-release/puppetlabs-release_1.0.orig.tar.gz
Resolving apt.puppetlabs.com (apt.puppetlabs.com)... 52.84.239.223, 52.84.239.227, 52.84.239.235, ...
Connecting to apt.puppetlabs.com (apt.puppetlabs.com)|52.84.239.223|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7619 (7.4K) [application/x-gzip]
Saving to: ‘puppetlabs-release_1.0.orig.tar.gz.1’
 
puppetlabs-release_1.0.orig.tar.gz.1            100%[======================================================================================================>]   7.44K  --.-KB/s   in 0s
 
2017-04-26 12:30:21 (555 MB/s) - ‘puppetlabs-release_1.0.orig.tar.gz.1’ saved [7619/7619]
 
# stat puppetlabs-release_1.0.orig.tar.gz
  File: ‘puppetlabs-release_1.0.orig.tar.gz’
  Size: 7619      	Blocks: 16         IO Block: 4096   regular file
Device: 805h/2053d	Inode: 15          Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-04-25 15:34:22.369994725 -0800
Modify: 2016-04-18 17:03:32.000000000 -0800
Change: 2017-04-25 15:34:12.373658632 -0800
 Birth: -
 
# shasum puppetlabs-release_1.0.orig.tar.gz
859674840e8d2cce26b8332f596a337ed208eee9  puppetlabs-release_1.0.orig.tar.gz

Comment by Stuart Cianos [ 2017/04/26 ]

(note that this prevents anyone from being able to verify the authenticity of the downloaded file, as the checksums and file size do not match the values reported in the signed release files - apt will also fail this out if trying to pull the source package)
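
Added example (not part of the ticket, and not aptly's or Puppet's code): the size and SHA-256 comparison a mirroring client makes against the Sources index, run on the Checksums-Sha256 field quoted above and a constructed 7619-byte stand-in for the served file. The function names are illustrative assumptions, and the index is only trustworthy once its own hash has been checked against the signed Release file.

```python
import hashlib

# Abridged from the Sources.gz stanza quoted in the ticket (values copied as posted).
PAGE_STANZA = """\
Package: puppetlabs-release
Version: 1.0-2
Directory: pool/wheezy/main/p/puppetlabs-release
Checksums-Sha256:
 02c2918d69dab78b2b3c5392959bb7f8f9ec71ed236abebcf01149edc7c63a0b 965 puppetlabs-release_1.0-2.dsc
 a6d88a98905e6a790504e9ea385020007dc0304f33b69a36457d45547dd82b0f 4152 puppetlabs-release_1.0.orig.tar.gz
 bc0c55882488d84dcb4b29456780523a0d0c789a9cffd59bbd078431b403b779 327 puppetlabs-release_1.0-2.diff.gz
"""

# Constructed stand-in for the served file: only its length (7619) matches the ticket.
SERVED = b"\0" * 7619


def parse_checksums(stanza, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} for one multi-line checksum field."""
    entries, in_field = {}, False
    for line in stanza.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field:
            if not line.startswith(" "):  # an unindented line starts the next field
                break
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify(name, data, entries):
    """Compare downloaded bytes with the index; return a list of mismatches."""
    if name not in entries:
        return [f"{name}: not listed in index"]
    digest, size = entries[name]
    problems = []
    if len(data) != size:
        problems.append(f"{name}: size check mismatch {len(data)} != {size}")
    actual = hashlib.sha256(data).hexdigest()
    if actual != digest:
        problems.append(f"{name}: sha256 mismatch {actual} != {digest}")
    return problems


if __name__ == "__main__":
    index = parse_checksums(PAGE_STANZA)
    for problem in verify("puppetlabs-release_1.0.orig.tar.gz", SERVED, index):
        print(problem)
```
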

Comment by Morgan Rhodes [ 2017/04/26 ]

Thanks for the update Stuart Cianos. I can confirm that the file matches what you're downloading but I'm not sure why our metadata is being incorrectly generated. I'll keep digging into this tomorrow.

Comment by Stuart Cianos [ 2017/04/26 ]

Sure thing any time! I'm so glad I could help; let me know if there is anything else y'all need from me and I will do my best to provide.

Thanks so much for the super quick reply!

Comment by Morgan Rhodes [ 2017/04/27 ]

Stuart Cianos This should be resolved now, let me know if you have any issues!

Comment by Stuart Cianos [ 2017/04/27 ]

Wonderful; thank you so much! Both Wheezy and Jessie mirrors are validating correctly.

Comment by Stuart Cianos [ 2017/04/27 ]

My apologies; it looks like Wheezy is coming down but Jessie currently suffers from the same issue as the Wheezy repos:

# aptly mirror update puppetlabs_jessie_stable
Downloading http://apt.puppetlabs.com/dists/jessie/InRelease...
Downloading http://apt.puppetlabs.com/dists/jessie/Release...
Downloading http://apt.puppetlabs.com/dists/jessie/Release.gpg...
gpgv: Signature made Wed 26 Apr 2017 11:40:59 AM PST using RSA key ID EF8D349F
gpgv: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>"
Downloading & parsing package files...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-all/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-amd64/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-arm64/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-armel/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-armhf/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-i386/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-mips/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-mipsel/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-powerpc/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/binary-sparc/Packages.gz...
Downloading http://apt.puppetlabs.com/dists/jessie/main/source/Sources.gz...
Building download queue...
Download queue: 1 items (5.28 KiB)
Downloading http://apt.puppetlabs.com/pool/jessie/main/p/puppetlabs-release/puppetlabs-release_1.0.orig.tar.gz...
ERROR: unable to update: download errors:
  http://apt.puppetlabs.com/pool/jessie/main/p/puppetlabs-release/puppetlabs-release_1.0.orig.tar.gz: size check mismatch 7618 != 5403

Comment by Morgan Rhodes [ 2017/04/27 ]

Stuart Cianos ok, thanks. I only validated wheezy yesterday, I'm guessing whatever corrupted metadata/metadata generation there affected more platforms. Will work on getting it fixed for jessie and will test other platforms. Thanks.

Comment by Morgan Rhodes [ 2017/04/27 ]

Stuart Cianos Everything should be updated now. Let me know if you're still having any issues.

Comment by Stuart Cianos [ 2017/04/28 ]

Thanks so much again; looks like Jessie repos are fixed!

  • Stu