Bug#884881: apt-cacher-ng: Remap-... directives without TargetURLs are incompatible with ForceManaged

Wed, 20 Dec 2017 14:27:32 -0800 

Package: apt-cacher-ng
Version: 2-1~bpo8+1
Tags: security
It seems the conf line 'Remap-secdeb: security.debian.org' doesn't work with 'ForceManaged: 1'. It works without ForceManaged -- files are put in cache under secdeb. And it works with ForceManaged if you add 'security.debian.org' once more time as TargetURLs. 

Here is a test illustrating the problem:

----------------------------------------------------------------------
# apt-get purge apt-cacher-ng -y && rm -r /etc/apt-cacher-ng/ && apt-get install apt-cacher-ng 
[skip]
# echo 'Remap-secdeb: security.debian.org' > /etc/apt-cacher-ng/my.conf
# service apt-cacher-ng restart
# curl -I -x http://127.0.0.1:3142/ http://security.debian.org/dists/jessie/updates/InRelease 
HTTP/1.1 200 OK
Content-Length: 63113
Last-Modified: Wed, 20 Dec 2017 21:47:45 GMT
Content-Type: application/octet-stream
Date: Wed Dec 20 21:55:39 2017
Server: Debian Apt-Cacher NG/0.8.0
X-Original-Source: http://security.debian.org/dists/jessie/updates/InRelease
Connection: Keep-Alive

# ls /var/cache/apt-cacher-ng/
secdeb
# echo 'ForceManaged: 1' >> /etc/apt-cacher-ng/my.conf
# service apt-cacher-ng restart
# curl -I -x http://127.0.0.1:3142/ http://security.debian.org/dists/jessie/updates/InRelease HTTP/1.1 403 Forbidden file type or location: http://security.debian.org/dists/jessie/updates/InRelease 
Content-Length: 186
Content-Type: text/html
Date: Wed Dec 20 21:55:39 2017
Server: Debian Apt-Cacher NG/0.8.0
Connection: Keep-Alive
# echo 'Remap-secdeb: security.debian.org ; security.debian.org' > /etc/apt-cacher-ng/my.conf 
# echo 'ForceManaged: 1' >>  /etc/apt-cacher-ng/my.conf
# service apt-cacher-ng restart
# curl -I -x http://127.0.0.1:3142/ http://security.debian.org/dists/jessie/updates/InRelease 
HTTP/1.1 200 OK
Content-Length: 63113
Last-Modified: Wed, 20 Dec 2017 21:47:45 GMT
Content-Type: application/octet-stream
Date: Wed Dec 20 21:55:39 2017
Server: Debian Apt-Cacher NG/0.8.0
X-Original-Source: http://security.debian.org/dists/jessie/updates/InRelease
Connection: Keep-Alive

----------------------------------------------------------------------
Tested with apt-cacher-ng from jessie (0.8.0-3) and from jessie-backports (2-1~bpo8+1). 

AIUI it should work without TargetURLs. The doc at [1] seems to imply it:
"If the ForceManaged option is set, only requests to URL matched in some Remap-... config is allowed."
[1] https://www.unix-ag.uni-kl.de/~bloch/acng/html/config-serv.html#remap-trickz
And a comment in /etc/apt-cacher-ng/acng.conf for Remap-secdeb without TargetURLs directly talks about ForceManaged use case: 

# This is usually not needed for security.debian.org because it's always the
# same DNS hostname. However, it might be enabled in order to use hooks
# or ForceManaged mode or special flags in this context. Not set by default.
# Remap-secdeb: security.debian.org
I've put the 'security' tag on this bug as a straightforward and documented config will cause clients to miss security updates. A simple test from an admin of this setup would reveal the problem so the danger doesn't seem great:-) 

--
Alexander Cherepanov

Reply via email to