Unable to download Icinga2 package sources from packages.icinga.com

Question

Unable to download Icinga2 package sources from packages.icinga.com

Opened this issue 3 months ago · 3 comments

Describe the bug

I'm trying to download Icinga2 sources using apt-get source icinga2 on a Ubuntu 22.04 machine. It seems that something broke during upload when latest version was being synced to packages.icinga.com:

$ apt-get source icinga2
Reading package lists... Done
NOTICE: 'icinga2' packaging is maintained in the 'Git' version control system at:
https://git.icinga.com/packaging/deb-icinga2.git
Please use:
git clone https://git.icinga.com/packaging/deb-icinga2.git
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 7925 kB of source archives.
Get:1 https://packages.icinga.com/ubuntu icinga-jammy/main icinga2 2.14.2-1+ubuntu22.04 (diff) [20.6 kB]
Get:2 https://packages.icinga.com/ubuntu icinga-jammy/main icinga2 2.14.2-1+ubuntu22.04 (dsc) [2620 B]
Get:3 https://packages.icinga.com/ubuntu icinga-jammy/main icinga2 2.14.2-1+ubuntu22.04 (tar) [7901 kB]
Err:3 https://packages.icinga.com/ubuntu icinga-jammy/main icinga2 2.14.2-1+ubuntu22.04 (tar)
  File has unexpected size (7903667 != 7901494). Mirror sync in progress? [IP: 185.233.189.126 443]
  Hashes of expected file:
   - SHA512:8c7bf917394ece8b79b1be3c32cf70d917cc282fa496ddb6a5ba9fee0af8e35d90c21a71954fc2d539148cd350b3167931e77a7ea3b762428927fb6713366626
   - Filesize:7901494 [weak]
   - SHA256:97536e1487e72f690acd0df2576c9a38435fb5481d5aa7a292c94abaf9c6e033
   - SHA1:8a033140149bdb843f2c63e15fd28a924b4df98d [weak]
   - MD5Sum:3f7350695b9b224b92ef2c83ae46e7f5 [weak]
Fetched 23.2 kB in 0s (67.0 kB/s)
E: Failed to fetch https://packages.icinga.com/ubuntu/pool/main/i/icinga2/icinga2_2.14.2.orig.tar.gz  File has unexpected size (7903667 != 7901494). Mirror sync in progress? [IP: 185.233.189.126 443]
   Hashes of expected file:
    - SHA512:8c7bf917394ece8b79b1be3c32cf70d917cc282fa496ddb6a5ba9fee0af8e35d90c21a71954fc2d539148cd350b3167931e77a7ea3b762428927fb6713366626
    - Filesize:7901494 [weak]
    - SHA256:97536e1487e72f690acd0df2576c9a38435fb5481d5aa7a292c94abaf9c6e033
    - SHA1:8a033140149bdb843f2c63e15fd28a924b4df98d [weak]
    - MD5Sum:3f7350695b9b224b92ef2c83ae46e7f5 [weak]
E: Failed to fetch some archives.

To Reproduce

Start a machine with Ubuntu 22.04
Add the official Icinga2 apt repository
Run apt-get source icinga2

Expected behavior

Icinga2 package sources should be downloaded and extracted to current working directory.

Answer 1 · 2024-04-02T10:04:41.000Z

Hi @pjakuszew-rtbh, thanks for reporting!

How does your deb-src entry in the /etc/apt/sources.list.d directory look like?

Answer 2 · 2024-04-02T11:55:02.000Z

Never mind! I was able to reproduce it!

root@ubuntu-jammy:~# apt source icinga2
Reading package lists... Done
NOTICE: 'icinga2' packaging is maintained in the 'Git' version control system at:
https://git.icinga.com/packaging/deb-icinga2.git
Please use:
git clone https://git.icinga.com/packaging/deb-icinga2.git
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 7925 kB of source archives.
Get:1 https://packages.icinga.com/ubuntu icinga-jammy/main icinga2 2.14.2-1+ubuntu22.04 (diff) [20.6 kB]
Get:2 https://packages.icinga.com/ubuntu icinga-jammy/main icinga2 2.14.2-1+ubuntu22.04 (dsc) [2620 B]
Get:3 https://packages.icinga.com/ubuntu icinga-jammy/main icinga2 2.14.2-1+ubuntu22.04 (tar) [7901 kB]
Err:3 https://packages.icinga.com/ubuntu icinga-jammy/main icinga2 2.14.2-1+ubuntu22.04 (tar)
  File has unexpected size (7903667 != 7901494). Mirror sync in progress? [IP: 185.233.189.126 443]
  Hashes of expected file:
   - SHA512:8c7bf917394ece8b79b1be3c32cf70d917cc282fa496ddb6a5ba9fee0af8e35d90c21a71954fc2d539148cd350b3167931e77a7ea3b762428927fb6713366626
   - Filesize:7901494 [weak]
   - SHA256:97536e1487e72f690acd0df2576c9a38435fb5481d5aa7a292c94abaf9c6e033
   - SHA1:8a033140149bdb843f2c63e15fd28a924b4df98d [weak]
   - MD5Sum:3f7350695b9b224b92ef2c83ae46e7f5 [weak]
Fetched 23.2 kB in 0s (385 kB/s)
E: Failed to fetch https://packages.icinga.com/ubuntu/pool/main/i/icinga2/icinga2_2.14.2.orig.tar.gz  File has unexpected size (7903667 != 7901494). Mirror sync in progress? [IP: 185.233.189.126 443]
   Hashes of expected file:
    - SHA512:8c7bf917394ece8b79b1be3c32cf70d917cc282fa496ddb6a5ba9fee0af8e35d90c21a71954fc2d539148cd350b3167931e77a7ea3b762428927fb6713366626
    - Filesize:7901494 [weak]
    - SHA256:97536e1487e72f690acd0df2576c9a38435fb5481d5aa7a292c94abaf9c6e033
    - SHA1:8a033140149bdb843f2c63e15fd28a924b4df98d [weak]
    - MD5Sum:3f7350695b9b224b92ef2c83ae46e7f5 [weak]
E: Failed to fetch some archives.

Answer 3 · 2024-04-02T12:11:44.000Z

There seems to be a problem with our package tooling in respect to source packages when we retroactively build an existing release for new distribution releases. So when Icinga 2.14.2 was built for Ubuntu 23.04, a new orig.tar was generated than unintentionally replaced the other one on packages.icinga.com.

I've attached both versions of the orig.tar, the first one matches the expected hash. So that you can at least verify that there was no tampering (greetings to everyone affected by the xz mess), they only differ in metadata, i.e. timestamps and order of the files in the archive:

icinga2_2.14.2.orig.a.tar.gz
icinga2_2.14.2.orig.b.tar.gz

We'll see what we can do about the repo, it's somewhat unfortunate that the same version was built from different orig.tars for different distributions, so I don't know if this can be properly represented in the repo metadata.