On 07/12/2025 02:24, Alexander V. Makartsev wrote:
in addition to
HTTPS protocol to access "deb.debian.org" and other sites.
So, no, I don't think my ISP is capable of doing the impossible. :)
If you use https: in your .sources or .list files then I agree that you
should be immune to intermediate proxies. (Usually "http:" is enough
since apt checks gpg signatures, so attempts to inject something
malicious should be detected.)
On 06.12.2025 09:14, Max Nikulin wrote:
By the way, you may specify deb.debian.org in addition to the selected
mirror, so if one mirror is not updated, files may be fetched from
another source.
I don't think that will be a good idea. How can I be sure that Fastly
won't serve me files again from their outdated CDN cache?
Apt will use more fresh package lists from another mirror.
If it was an issue with Fastly then I expect that more people should be
affected. It is possible that you were unlucky enough to run "apt update"
between sync of release and proposed updates. However, some evidence of
wrong sync order is required. That is why I posted a curl command
reporting last-modified.
I would expect something like below, but with actual IP addresses and
timestamps when files were fetched, comparing
<http://deb.debian.org/debian/dists/trixie/Release>,
<http://deb.debian.org/debian/dists/trixie-updates/Release>, and
<http://deb.debian.org/debian/dists/trixie-proposed-updates/Release>.
E.g. on snapshot.debian.org I do not see that files from proposed
updates disappeared before adding them to the point release.
Last snapshot before release
curl -sL https://snapshot.debian.org/archive/debian/20251115T082656Z/dists/trixie/Release | grep Date
Date: Sat, 06 Sep 2025 09:42:55 UTC
curl -sL https://snapshot.debian.org/archive/debian/20251115T082656Z/dists/trixie-proposed-updates/Release | grep Date
Date: Sat, 15 Nov 2025 08:10:31 UTC
with curl in proposed-updates
<https://snapshot.debian.org/archive/debian/20251115T082656Z/dists/trixie-proposed-updates/main/binary-amd64/Packages.xz>
Next snapshot is the new release including new curl
curl -sL https://snapshot.debian.org/archive/debian/20251115T105528Z/dists/trixie/Release | grep Date
Date: Sat, 15 Nov 2025 10:36:56 UTC
Interesting.
I wonder if apt can somehow check if a repository was updated, is in
the process of updating, or has been outdated for a few days. Maybe by
checking some flag-file and warning the user about inconsistency...
I would consider a kind of apt source that is checked for "Release", but
is not used to fetch "Packages". Comparing "Release" from 2 or 3 mirrors
should be enough to warn users (maybe postponing unattended upgrades). I
believe it is the responsibility of mirror maintainers to serve a
consistent set of files.
For now, if apt acts up again, I will be checking manually if
the Release file of the "proposed-updates" repository is recent enough.
Notice that your issue is stale metadata for the point release (dists/trixie)
in combination with updated dists/trixie-proposed-updates.
I am unsure if versions are removed from security repositories at the
moment of point release.