APT Acquire::By-Hash Option – Troubleshooting Issues

apt

I'm trying to make apt-get use Acquire::By-Hash option, so it will download packages identifying them by cryptographic hash, not by package version. This should prevent race conditions and "Hash Sum Mismatch" errors happening sometimes while trying to apt-get install something.

I can't make apt-get use this method. I tried

Putting Acquire::By-Hash "force"; to /etc/apt/apt.conf.d/51acquire_by_hash
Changing sources.list:
deb [by-hash=force] http://ftp.us.debian.org/debian/ buster main contrib non-free
Using -o Acquire::by-hash=force apt-get option
Neither works. apt-get still uses the old method (see the URLs it's requesting)

# apt-get -o Acquire::by-hash=force -o Debug::Acquire::http=true install fortunes
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  fortunes
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,117 kB of archives.
After this operation, 2,611 kB of additional disk space will be used.
0% [Working]GET /debian/pool/main/f/fortune-mod/fortunes_1.99.1-7_all.deb HTTP/1.1
Host: ftp.us.debian.org
User-Agent: Debian APT-HTTP/1.3 (1.8.2.1)


0% [Waiting for headers]Answer for: http://ftp.us.debian.org/debian/pool/main/f/fortune-mod/fortunes_1.99.1-7_all.deb
HTTP/1.1 200 OK
Date: Sun, 09 Aug 2020 05:28:00 GMT
Server: Apache
Last-Modified: Thu, 15 Aug 2013 03:54:21 GMT
ETag: "110cf4-4e3f46de0807d"
Accept-Ranges: bytes
Content-Length: 1117428

Get:1 http://ftp.us.debian.org/debian buster/main amd64 fortunes all 1:1.99.1-7 [1,117 kB]
Fetched 1,117 kB in 18s (60.6 kB/s)                                                                                                              
Selecting previously unselected package fortunes.
(Reading database ... 159825 files and directories currently installed.)
Preparing to unpack .../fortunes_1%3a1.99.1-7_all.deb ...
Unpacking fortunes (1:1.99.1-7) ...
Setting up fortunes (1:1.99.1-7) ...

The mirror supports By-Hash:

$ wget http://ftp.us.debian.org/debian/dists/buster/InRelease 2>/dev/null -O - | grep By-Hash
Acquire-By-Hash: yes

Any ideas how to make apt-get use that options? Thank you.

Best Answer

The manual for apt.conf(5) says, for Acquire::By-Hash:

Try to download indexes via an URI constructed from a hashsum of the expected file

(my emphasis)

In my testing the following worked as expected (after cleaning out /var/lib/apt/lists, which apt clean didn't seem to do a good job of). Since I have a local mirror I could verify the requested indexes from its log too:

apt{,-get} update -o Acquire::By-Hash="force" -o Debug::Acquire::http=true

so the manual is correct and accurate. Acquiring the packages themselves by hash is not supported, only the indexes.

Related Solutions

Debian – Understanding Apt Pinning Priority Restrictions

I don't understand why you are doing here. Why do you have a preferences setting for stable at all if you are running a stable system? As far I know, no preferences setting is necessary for stable in that case.

You don't explicitly say whether you are running a stable system (you really should say so), but if you are not, then I really have no idea what you are doing.

And if the release is on stable, then the usual thing to do for testing and unstable is to set their preferences to less than 100. I usually use 50.

And if you want to downgrade to stable, just do the following (assuming sane settings like the ones above) to downgrade pkgname1 and pkgname2:

apt-get install pkgname1/stable pkgname2/stable

This sets the specified packages to the target release stable.

Incidentally, mixing testing and/or unstable packages with an unstable system is generally a bad idea unless you know what you are doing. Some of the time it is Ok, but most of the time you need to use backports, either from Debian, or self-made.

Debian Linux – Fix `apt update` Failed Issues

First of all, despite the last line start with E: (which indicates an error), apt didn't fail entirely; it's downloaded most of the updated package lists, it only skipped those for Opera and the Google Talk plugin. So apt upgrade should still offer to upgrade all the other packages.

The warnings give you some indication of what went wrong:

W: gpgv:/var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: gpgv:/var/lib/apt/lists/deb.opera.com_opera_dists_stable_InRelease: The repository is insufficiently signed by key 419D0ACF314E8E993F7F92E563F7D4AFF6D61D45 (weak digest)
W: Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release, which is considered strong enough for security purposes

The first two mean that the repository descriptors were signed with an old digest algorithm, which apt now complains about. The third is caused by apt's recent switch to SHA-256 or SHA-512 hashes only; the Talk plugin repository only provides MD5 and SHA-1 hashes, which are now ignored by apt.

To fix this, you can either remove the repositories for the time being, or wait for Opera and Google to fix them...

Best Answer

Related Solutions

Debian – Understanding Apt Pinning Priority Restrictions

Debian Linux – Fix `apt update` Failed Issues

Related Question