heroku/base-images

Duplicate APT sources warning when using APT on Heroku-24

Closed this issue · 3 comments

edmorley commented

Upstream Ubuntu has recently (since we merged #245) switched to a new way of defining sources in the image:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2048129
https://discourse.ubuntu.com/t/spec-apt-deb822-sources-by-default/29333

Which results in:

$ docker pull -q heroku/heroku:24-build && docker run --rm -it --user root heroku/heroku:24-build apt-get update
docker.io/heroku/heroku:24-build
Get:1 http://ports.ubuntu.com/ubuntu-ports noble InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports noble-security InRelease [90.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports noble-updates InRelease [90.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports noble-backports InRelease [90.8 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports noble/main arm64 Packages [1825 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports noble/universe arm64 Packages [19.2 MB]
Get:7 http://archive.ubuntu.com/ubuntu noble InRelease [255 kB]
Get:8 http://apt.postgresql.org/pub/repos/apt noble-pgdg InRelease [123 kB]
Get:9 http://ports.ubuntu.com/ubuntu-ports noble/multiverse arm64 Packages [240 kB]
Get:10 http://ports.ubuntu.com/ubuntu-ports noble/restricted arm64 Packages [97.4 kB]
Get:11 http://archive.ubuntu.com/ubuntu noble-security InRelease [90.7 kB]
Get:12 http://archive.ubuntu.com/ubuntu noble-updates InRelease [90.7 kB]
Get:13 http://apt.postgresql.org/pub/repos/apt noble-pgdg/main arm64 Packages [402 kB]
Get:14 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages [19.5 MB]
Get:15 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages [1854 kB]
Fetched 44.3 MB in 2s (20.6 MB/s)
Reading package lists... Done
W: Target Packages (main/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (universe/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (universe/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (main/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:5 and /etc/apt/sources.list.d/ubuntu.sources:2
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:5 and /etc/apt/sources.list.d/ubuntu.sources:2
W: Target Packages (universe/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:5 and /etc/apt/sources.list.d/ubuntu.sources:2
W: Target Packages (universe/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:5 and /etc/apt/sources.list.d/ubuntu.sources:2
W: Target Packages (main/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (universe/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (universe/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list.d/ubuntu.sources:1
W: http://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: Target Packages (main/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (universe/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (universe/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (main/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:5 and /etc/apt/sources.list.d/ubuntu.sources:2
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:5 and /etc/apt/sources.list.d/ubuntu.sources:2
W: Target Packages (universe/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:5 and /etc/apt/sources.list.d/ubuntu.sources:2
W: Target Packages (universe/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:5 and /etc/apt/sources.list.d/ubuntu.sources:2
W: Target Packages (main/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (universe/binary-arm64/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list.d/ubuntu.sources:1
W: Target Packages (universe/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list.d/ubuntu.sources:1

cc @joshwlewis

GUS-W-15213103.

edmorley commented

In the latest version of the upstream ubuntu:24.04 image, the default contents of /etc/apt/sources.list is now:

# Ubuntu sources have moved to the /etc/apt/sources.list.d/ubuntu.sources
# file, which uses the deb822 format. Use deb822-formatted .sources files
# to manage package sources in the /etc/apt/sources.list.d/ directory.
# See the sources.list(5) manual page for details.

The mentioned /etc/apt/sources.list.d/ directory only contains a single file, /etc/apt/sources.list.d/ubuntu.sources, and it's contents (on ARM64) is:

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.

## Ubuntu distribution repository
##
## The following settings can be adjusted to configure which packages to use from Ubuntu.
## Mirror your choices (except for URIs and Suites) in the security section below to
## ensure timely security updates.
##
## Types: Append deb-src to enable the fetching of source package.
## URIs: A URL to the repository (you may add multiple URLs)
## Suites: The following additional suites can be configured
##   <name>-updates   - Major bug fix updates produced after the final release of the
##                      distribution.
##   <name>-backports - software from this repository may not have been tested as
##                      extensively as that contained in the main release, although it includes
##                      newer versions of some applications which may provide useful features.
##                      Also, please note that software in backports WILL NOT receive any review
##                      or updates from the Ubuntu security team.
## Components: Aside from main, the following components can be added to the list
##   restricted  - Software that may not be under a free license, or protected by patents.
##   universe    - Community maintained packages.
##                 Software from this repository is only maintained and supported by Canonical
##                 for machines with Ubuntu Pro subscriptions. Without Ubuntu Pro, the Ubuntu
##                 community provides best-effort security maintenance.
##   multiverse  - Community maintained of restricted. Software from this repository is
##                 ENTIRELY UNSUPPORTED by the Ubuntu team, and may not be under a free
##                 licence. Please satisfy yourself as to your rights to use the software.
##                 Also, please note that software in multiverse WILL NOT receive any
##                 review or updates from the Ubuntu security team.
##
## See the sources.list(5) manual page for further settings.
Types: deb
URIs: http://ports.ubuntu.com/ubuntu-ports/
Suites: noble noble-updates noble-backports
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

## Ubuntu security updates. Aside from URIs and Suites,
## this should mirror your choices in the previous section.
Types: deb
URIs: http://ports.ubuntu.com/ubuntu-ports/
Suites: noble-security
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

And on AMD64 the relevant parts of its contents, are:

Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

## Ubuntu security updates. Aside from URIs and Suites,
## this should mirror your choices in the previous section.
Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: noble-security
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
edmorley commented

We'll also need to update how the classic APT buildpack works (given it copies the sources list over), unless we delete the new file and continue using the old file instead. (I'm open to either approach, but would lean towards trying to use the new file unless we find a reason otherwise.)

edmorley commented

We'll also need to update how the classic APT buildpack works (given it copies the sources list over)

Filed heroku/heroku-buildpack-apt#114 / GUS-W-14674577.