Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Debian url whitelist
-
Hi,
We are trying to setup a Debian feed, as described here: https://docs.inedo.com/docs/proget-feeds-debian
After executing these commands on a client ubuntu (20.04) machine:wget -qO - https://{proget-server}/debian-feeds/{feed-name}.pub | sudo apt-key add -and
echo "deb http://{proget-server}/ debian main" | sudo tee /etc/apt/sources.list.d/debian.listwe get
user@proget-server:$ sudo apt update Ign:1 https://{proget-server} debian InRelease Get:2 https://{proget-server} debian Release [69 B] Get:3 https://{proget-server} debian Release.gpg [819 B] Reading package lists... Done W: No Hash entry in Release file /var/lib/apt/lists/partial/{proget-server}_dists_debian_Release W: Invalid 'Date' entry in Release file /var/lib/apt/lists/partial/{proget-server}_dists_debian_Release E: The repository 'https://{proget-server} debian Release' provides only weak security information. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.We suspect that we have not yet whitelisted the correct URL('s) in our proxy (to connect from our proget-server to the Internet). But we can't find the URL('s) that should be whitelisted, as there is no connector for this feed that could give a clue.
What URLs should ProGet be able to reach?Or is the error "E: The repository 'https://{proget-server} debian Release' provides only weak security information" caused by something else?
Thanks in advance!
-
I'm not totally certain, but I believe this is the result of the
InReleaseendpoint (i.e. the clear-signed index) is not being implemented by ProGet.You can ignore the "weak security information" message, and configure apt to use this repository. If you're using HTTPS, the clear-signed index adds no additional security; it's a vestigial feature these days, and is was designed for when HTTPS wasn't available. You can ignore/override those warnings.
We may implement the InRelease endpoint, but there are some problems/bugs with the way BouncyCastle (the encryption library we use) generates "armored output streams". It's a lot of effort for no real value (other than just not having those outdated errors by default).
Cheers,
Alana
-
Hi Alana,
Thanks for your reply. But I'm afraid I don't really understand how to fix the problem you describe (nor what an 'InRelease' endpoint is). We have tied both http and https as proget server endpoint, but neither seems to work:
"deb http://{proget-server}/ debian main" and
"deb https://{proget-server}/ debian main".But why, when I have (as shown above) 'debian' as feed-name and 'main' as component-name, does the error message say 'debian InRelease'? Is this something we should tell apt not to do?
And still my other question remains; what URL(s) should be whitelisted to download the apt packages from the Internet?
Thanks again!
-
Hi @js-enthoven_2797 ,
This issue is unrelated to internet access or whitelisted URLS.
This is the error message you will get from apt if a private repository does not support the
InReleaseAPI endpoint. ProGet does not support this endoint, so you will get this error.Here is some information about how to bypass this warning in apt:
https://www.linuxfordevices.com/tutorials/linux/fix-updating-from-such-a-repository-cant-be-done-securely-errorBasically you have to explicitly trust the PRoGet repository.
Please let us know if that works,
Alana
-
Hi @atripp ,
Thanks again.Changing the source list to:
deb [trusted=yes] https://{our-proget-server}/ debian mainat least gets rid of the error message regarding 'InRelease'.
However, we get now
Fetched 888 B in 31s (28 B/s) Reading package lists... Done Building dependency tree Reading state information... Done All packages are up to date. W: No Hash entry in Release file /var/lib/apt/lists/partial/repository-t.cbsp.nl_dists_debian_Release W: Invalid 'Date' entry in Release file /var/lib/apt/lists/partial/repository-t.cbsp.nl_dists_debian_Release W: Failed to fetch https://{our-proget-server}/dists/debian/main/binary-amd64/Packages Connection timed out [IP: ##.##.##.## 443] W: Some index files failed to download. They have been ignored, or old ones used instead.So a connection timed out. The network connection should be possible (from the source machine port 443 to the proget-server IP is reachable).
However, https://{our-proget-server}/dists/debian/main/binary-amd64/Packages gives an empty page.Do you know how to proceed from here?
-
Unfortunately I'm not very familiar with debugging apt :(
The only one I was familiar with was the InRelease-related error, which you worked around.
Otherwise, I haven't seen these before, but they seem to be warnings, so maybe it's okay and is working? It does say "All packages are up to date".
I don't really know what they mean, or if it's related to ProGet, apt configuration, or the package I searched for the text of these errors ("No Hash entry in Release file"), and there are a lot of suggestions on what to do... they are all different, and I have no idea what might work.
The "Connection timed out" is really strange too. Maybe it's related to proxy, or something? A blank page is to be expected if you have no packages in that scope; otherwise you will see a number of "Paragraphs", one for each package.
Cheers,
Alana
