I understand and agree the behavior doesn't quite make sense. While I know this code has not recently changed inside apt, I believe it must have recently started expressing itself when combined with some other change on the mirrors or in the release process.
I do think this is a regression in a practical sense compared to oldstable. I'm currently unable to create new containers for stable but am able to for oldstable:

➜ ~ docker run -it --rm debian:oldstable apt update
Unable to find image 'debian:oldstable' locally
oldstable: Pulling from library/debian
70705a13f194: Pull complete
Digest: sha256:2053cf94aadec2cc167488183a928165313c281b954d042d45ba65cb84459fde
Status: Downloaded newer image for debian:oldstable
Get:1 http://deb.debian.org/debian oldstable InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security oldstable-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian oldstable-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian oldstable/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security oldstable-security/main amd64 Packages [252 kB]
Get:6 http://deb.debian.org/debian oldstable-updates/main amd64 Packages [14.8 kB]
Fetched 8658 kB in 2s (3764 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

➜ ~ docker run -it --rm debian:stable apt update
Get:1 http://deb.debian.org/debian stable InRelease [151 kB]
Get:2 http://deb.debian.org/debian stable-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security stable-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian stable/main amd64 Packages [8906 kB]
Get:5 http://deb.debian.org/debian stable-updates/main amd64 Packages [4732 B]
Get:6 http://deb.debian.org/debian-security stable-security/main amd64 Packages [48.0 kB]
Fetched 9210 kB in 2s (4051 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context

I was able to reproduce this behavior on a fresh EC2 instance with AMI ID ami-0f2bfd15cb2cab7e0, so I don't think it should have anything to do with our particular environment.
Is there any other information I can provide?

On Wed, Jul 26, 2023 at 10:55 AM Julian Andres Klode <j...@debian.org> wrote:
>
> On Mon, Jul 24, 2023 at 10:35:35PM -0400, Dillon Amburgey wrote:
> > I have seen this as well. This has recently started breaking apt
> > update on bookworm docker images as well as images built off bookworm
> > (e.g. python:3.8)
> >
> > This can be easily reproduced on FIPS-enabled hosts:
> > docker run -it --rm debian:bookworm apt update
> > Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
> > Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
> > Get:3 http://deb.debian.org/debian-security bookworm-security
> > InRelease [48.0 kB]
> > Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8906 kB]
> > Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages
> > [4732 B]
> > Get:6 http://deb.debian.org/debian-security bookworm-security/main
> > amd64 Packages [48.0 kB]
> > Fetched 9210 kB in 2s (4169 kB/s)
> > fatal error in libgcrypt, file ../../src/misc.c, line 92, function
> > _gcry_fatal_error: requested algo not in md context
> >
> > Fatal error: requested algo not in md context
> >
> > I also was able to use snapshot.debian.org to isolate when the
> > failures started. 20230722T085252Z was the last good snapshot with
> > 20230722T110049Z being the first failing snapshot.
> >
> > docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt
> > update
> > Get:1 http://snapshot.debian.org/archive/debian/20230722T110049Z
> > bookworm InRelease [151 kB]
> > Get:2 http://snapshot.debian.org/archive/debian/20230722T110049Z
> > bookworm-updates InRelease [52.1 kB]
> > Get:3 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
> > bookworm-security InRelease [48.0 kB]
> > Get:4 http://snapshot.debian.org/archive/debian/20230722T110049Z
> > bookworm/main amd64 Packages [8906 kB]
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T110049Z
> > bookworm-updates/main amd64 Packages [4732 B]
> > Get:6 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
> > bookworm-security/main amd64 Packages [48.0 kB]
> > Fetched 9210 kB in 1min 8s (136 kB/s)
> > fatal error in libgcrypt, file ../../src/misc.c, line 92, function
> > _gcry_fatal_error: requested algo not in md context
> >
> > Fatal error: requested algo not in md context
> >
> > docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt
> > update
> > Get:1 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm InRelease [147 kB]
> > Get:2 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm-updates InRelease [52.1 kB]
> > Get:3 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
> > bookworm-security InRelease [48.0 kB]
> > Get:4 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
> > bookworm-debug InRelease [49.8 kB]
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages [8904 kB]
> > Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages
> > Get:6 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm-updates/main amd64 Packages [4732 B]
> > Get:7 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
> > bookworm-security/main amd64 Packages [48.0 kB]
> > Get:8 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
> > bookworm-debug/main amd64 Packages [3564 kB]
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages [8904 kB]
> > Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages
> > Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
> > bookworm/main amd64 Packages [8904 kB]
> > Fetched 11.2 MB in 5min 13s (35.9 kB/s)
> > Reading package lists... Done
> > Building dependency tree... Done
> > Reading state information... Done
> > All packages are up to date.
> >
>
> This doesn't make sense, let's be clear about this. MD5 is an integral
> part of the archive, it doesn't suddenly pop up, and APT uses any MD5
> it can find as an additional (untrusted) hash.
>
> And APT itself has been using libgcrypt for hashing since 1.9.6;
> oldstable is shipping 2.2.4.
>
> This is fixed in 2.7.2, fsvo of fixed. I do believe that this is
> bullshit and libgcrypt's FIPS mode should be entirely disabled,
> as in Ubuntu, as Debian's libgcrypt is not FIPS certified.
>
> As this is not a regression vs oldstable, and we realistically
> may be preempting configuration of libgcrypt by applications using
> the apt-pkg library, I do not think this is a change that should
> be released to a stable update.
>
> I did pick it for unstable and testing, but ultimately we need
> to replace libgcrypt with nettle.
>
> --
> debian developer - deb.li/jak | jak-linux.org - free software dev
> ubuntu core developer i speak de, en

--
Dillon Amburgey
Managing Director, Zetier
+1 (703) 635-3302
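
The snapshot.debian.org comparison described in the quoted message can be repeated with a small helper; this is an added example, not part of the original thread or of apt. The function names, the `snapshot.list` file name, the `main`-only component list and the `check-valid-until=no` option are assumptions, since the thread does not show the sources file that was mounted.

```shell
#!/bin/sh
# Added example (not from the thread): pin apt to one snapshot.debian.org
# timestamp and classify the resulting `apt update` output.

# Print a sources file for one snapshot timestamp (suite defaults to bookworm).
# check-valid-until=no is set because an archived Release file is normally
# past its Valid-Until date and apt would otherwise reject it.
snapshot_sources() {
    ts=$1
    suite=${2:-bookworm}
    base=http://snapshot.debian.org/archive
    opt='[check-valid-until=no]'
    printf 'deb %s %s/debian/%s %s main\n' "$opt" "$base" "$ts" "$suite"
    printf 'deb %s %s/debian/%s %s-updates main\n' "$opt" "$base" "$ts" "$suite"
    printf 'deb %s %s/debian-security/%s %s-security main\n' "$opt" "$base" "$ts" "$suite"
}

# Classify a captured `apt update` log file:
#   bad     - the libgcrypt abort reported in this thread is present
#   good    - apt got as far as reading the package lists
#   unknown - neither marker found (network failure, truncated log, ...)
classify_apt_log() {
    if grep -q 'requested algo not in md context' "$1"; then
        echo bad
    elif grep -q '^Reading package lists' "$1"; then
        echo good
    else
        echo unknown
    fi
}

# Run one comparison step in a throwaway container (needs docker and network).
# The read-only mount replaces the image's own sources, as in the thread.
try_snapshot() {
    dir=$(mktemp -d) || return 1
    snapshot_sources "$1" > "$dir/snapshot.list"
    docker run --rm -v "$dir:/etc/apt/sources.list.d/:ro" \
        debian:bookworm apt update > "$dir.log" 2>&1 || true
    classify_apt_log "$dir.log"
    rm -rf "$dir" "$dir.log"
}

# Usage, with the two timestamps from the thread:
#   try_snapshot 20230722T085252Z
#   try_snapshot 20230722T110049Z
```
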