[Aptitude-devel] Bug#878177: aptitude: Use of the word "invalid" in error msgs should be restored to meaning

Anonymous anonymous at hoi-polloi.org
Tue Oct 10 11:41:17 UTC 2017

Package: aptitude
Version: 0.6.11-1+b1
Severity: minor

Dear Maintainer,

Aptitude's error messages often create confusion, either due to
vagueness or improper use of English.  In particular, use of the word
/invalid/ in the following warning message needs to be re-examined:

    W: GPG error: tor+http://wertarbyte.de/apt ./ Release: The following signatures were invalid: CC49F74C816C499C899A42885145B9CD752C0197
    E: The repository 'tor+http://wertarbyte.de/apt ./ Release' is not signed.
    E: Failed to download some files

After a costly investigation involving multiple developers, it was
discovered that the apt team has taken an objective word
(valid/invalid) out of context and given it a new subjective meaning.
A signature is "valid" when whatever algorithm used determines it is
valid.  This is not subjective.  It is a matter of fact and is
mathematically provable.

In the above case, a valid signature was falsely reported as invalid
by aptitude because the algorithm (SHA1) was considered substandard in
the opinion of the apt team.  It's a reasonable opinion to have, but
please express it in a way that does not hijack a term that has a
different common understanding with a higher mathematical purpose.
There are many ways to express that warning in a non-misleading way:

 * The following signatures were valid but substandard
 * The following signatures do not meet apt team standards
 * The algorithm used by the signature is not worthy
 * The signature does not use a debian-accepted hash
 * No approval granted for the hash used in the following signature
 * The following signature does not conform to debian security standards

In the course of investigating, gpg confirmed that the SHA1 sig was
*valid*, and rightly so.  When aptitude debug output was enabled,
there was still no indication of what aptitude did, or why it did it.
There was no mention that SHA1 was insufficient, or even that SHA1 was
used, or whether it's a factor.  The man page also says nothing about
this.  So in addition to a false error msg, aptitude is not doing what
it's documented to do.
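Added example, not code from this report or from apt/aptitude: a small Python classifier over constructed `gpg --status-fd` output that keeps the cryptographic verdict (GOODSIG/BADSIG) separate from a local digest-acceptance policy, so a correct SHA1 signature is reported as valid but rejected by policy, which is the distinction asked for above. The status lines and the accepted-digest set are assumptions; only the fingerprint is taken from the warning quoted earlier.

```python
import re

# Constructed gpg --status-fd lines, not output captured for this report.
# VALIDSIG fields (GnuPG DETAILS doc): fingerprint, date, sig-timestamp, expire,
# sig-version, reserved, pubkey-algo, hash-algo, sig-class, primary fingerprint.
FPR = "CC49F74C816C499C899A42885145B9CD752C0197"  # fingerprint quoted in the report
STATUS_SHA1 = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 5145B9CD752C0197 Example Repo Key <repo@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2017-10-09 1507500000 0 4 0 1 2 00 {FPR}\n"
)
STATUS_SHA256 = STATUS_SHA1.replace(" 1 2 00 ", " 1 8 00 ")  # same sig, SHA256 digest
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 5145B9CD752C0197 Example Repo Key <repo@example.invalid>\n"

# RFC 4880 hash-algorithm ids as printed in the VALIDSIG hash-algo field.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Local digest policy; an assumption for this example, not apt's own list.
ACCEPTED_DIGESTS = {"SHA256", "SHA384", "SHA512"}


def classify_signatures(status_output: str) -> list:
    """One record per signature: verdict 'bad', 'valid' or 'valid-weak-digest'.
    GOODSIG/BADSIG decides validity; the digest policy is a separate check."""
    sigs = []
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\] (\w+)(?:\s+(.*))?$", line)
        if not m:
            continue
        tag, args = m.group(1), (m.group(2) or "").split()
        if tag == "GOODSIG":
            sigs.append({"keyid": args[0], "verdict": "valid", "digest": "unknown"})
        elif tag == "BADSIG":
            sigs.append({"keyid": args[0], "verdict": "bad", "digest": "unknown"})
        elif tag == "VALIDSIG" and sigs and sigs[-1]["verdict"] == "valid":
            digest = HASH_NAMES.get(int(args[7]), args[7])  # hash-algo is the 8th field
            sigs[-1].update(fpr=args[0], digest=digest)
            if digest not in ACCEPTED_DIGESTS:
                sigs[-1]["verdict"] = "valid-weak-digest"
    return sigs


def report(status_output: str) -> list:
    """Messages that reserve 'invalid' for signatures that do not verify."""
    wording = {
        "bad": "signature is invalid (does not verify)",
        "valid": "signature is valid and uses accepted digest {digest}",
        "valid-weak-digest": "signature is valid but uses {digest}, which local policy rejects",
    }
    return [wording[s["verdict"]].format(**s) for s in classify_signatures(status_output)]
```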

-- Package-specific info:
Terminal: screen
$DISPLAY is set.
which aptitude: /usr/bin/aptitude

aptitude version information:
aptitude 0.6.11 compiled at Nov  8 2014 13:34:39
Compiler: g++ 4.9.1
Compiled against:
  apt version 4.12.0
  NCurses version 5.9
  libsigc++ version: 2.4.0
  Gtk+ support disabled.
  Qt support disabled.

Current library versions:
  NCurses version: ncurses 5.9.20140913
  cwidget version: 0.5.17
  Apt version: 4.12.0

aptitude linkage:

-- System Information:
Debian Release: 8.6
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages aptitude depends on:
ii  aptitude-common           0.6.11-1
ii  libapt-pkg4.12  
ii  libboost-iostreams1.55.0  1.55.0+dfsg-3
ii  libc6                     2.19-18+deb8u6
ii  libcwidget3               0.5.17-2
ii  libgcc1                   1:4.9.2-10
ii  libncursesw5              5.9+20140913-1+b1
ii  libsigc++-2.0-0c2a        2.4.0-1
ii  libsqlite3-0    
ii  libstdc++6                4.9.2-10
ii  libtinfo5                 5.9+20140913-1+b1
ii  libxapian22               1.2.19-1+deb8u1

Versions of packages aptitude recommends:
ii  aptitude-doc-en [aptitude-doc]  0.6.11-1
ii  libparse-debianchangelog-perl   1.2.0-1.1
ii  sensible-utils                  0.0.9

Versions of packages aptitude suggests:
ii  apt-xapian-index  0.47
pn  debtags           <none>
ii  tasksel           3.31+deb8u1

-- no debconf information
