redirects to in Finland

Briefly describe your issue below:

Installing any package (sway-backgrounds in my case) using apt sometimes fails due to redirecting to unsecure

Apt sources in parrot.list:

deb rolling main contrib non-free
#deb-src rolling main contrib non-free
deb rolling-security main contrib non-free
#deb-src rolling-security main contrib non-free

Location: Finland

What version of Parrot are you running? (include version (e.g. 4.6), edition (e.g. Home//KDE/OVA, etc.), and architecture (currently we only support amd64))

Linux parrot 5.6.0-2parrot1-amd64 #1 SMP Debian 5.6.14-2parrot1 (2020-05-23) x86_64 GNU/Linux

Home edition.

What method did you use to install Parrot? (Debian Standard / Debian GTK / parrot-experimental)

Debian Standard.

Configured to multiboot with other systems? (yes / no)


If there are any similar issues or solutions, link to them below:

If there are any error messages or relevant logs, post them below:

Error from apt:

Failed to fetch  Redirection from https to '' is forbidden [IP: 443]

Example with wget (to prove that the issue is not with apt per se):

```
wget -v
--2020-07-16 21:25:14--
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving (,,, ...
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2020-07-16 21:25:14--
Resolving (,
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4821032 (4.6M) [application/octet-stream]
Saving to: ‘sway-backgrounds_1.4-2_all.deb.3’

sway-backgrounds_1.4-2_all 100%[=====================================>]   4.60M  4.59MB/s    in 1.0s

2020-07-16 21:25:15 (4.59 MB/s) - ‘sway-backgrounds_1.4-2_all.deb.3’ saved [4821032/4821032]
```

our mirror redirection platform redirects you to a pool of near mirrors to make sure the load is properly distributed across all the servers that serve our archive.

it is neither the result of a hijacking attack nor a misconfiguration of our infrastructure (we don’t have a mirror in finland. near countries are used instead).

when you download a deb via apt, the package manager will check the hashes of the file and compare them to the index you download every time you run apt update

this index is downloaded directly from our platform (no mirrors involved) and it is digitally signed with our GPG keys.

apt refuses to install packages with wrong hashes, and it refuses as well to accept new indexes with invalid signatures, so the whole update process is safe even if you don’t personally trust a mirror provider.

according to the debian engineers, apt is safe to use even via http because of the extra security provided by gpg signatures that are applied by the distro developers and not by the servers (contrary to https certificates)
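The hash chain described in the reply above, as an added example (not part of the original thread, and not apt's or Parrot's code): a signed Release file pins the Packages index, and the index pins each .deb, so a file altered on an http mirror is rejected. It assumes the GPG signature on the Release file has already been verified; all sample data, including the pool path and index name, is constructed.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def index_is_listed(release_text: str, index_name: str, index_bytes: bytes) -> bool:
    """Link 1: the signed Release file must list this exact index (hash and size)."""
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.strip() == "SHA256:"   # entering/leaving the SHA256 section
        elif in_sha256:
            digest, size, name = line.split()
            if name == index_name:
                return digest == sha256(index_bytes) and int(size) == len(index_bytes)
    return False

def deb_is_listed(packages_text: str, filename: str, deb_bytes: bytes) -> bool:
    """Link 2: the Packages index must list this exact .deb (hash and size)."""
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1].isspace():        # continuation line of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("Filename") == filename:
            return fields["SHA256"] == sha256(deb_bytes) and int(fields["Size"]) == len(deb_bytes)
    return False

def accept_download(release_text, index_name, packages_text, filename, deb_bytes) -> bool:
    """Accept only if both links hold, whatever transport or mirror delivered the bytes."""
    return (index_is_listed(release_text, index_name, packages_text.encode())
            and deb_is_listed(packages_text, filename, deb_bytes))

# Constructed sample data (not real repository contents).
INDEX_NAME = "main/binary-amd64/Packages"
FILENAME = "pool/example/sway-backgrounds_1.4-2_all.deb"   # constructed path
GOOD_DEB = b"constructed stand-in for the package bytes"
PACKAGES = ("Package: sway-backgrounds\nVersion: 1.4-2\n"
            f"Filename: {FILENAME}\nSize: {len(GOOD_DEB)}\nSHA256: {sha256(GOOD_DEB)}\n")
RELEASE = ("Suite: rolling\nSHA256:\n"
           f" {sha256(PACKAGES.encode())} {len(PACKAGES.encode())} {INDEX_NAME}\n")

if __name__ == "__main__":
    print("intact file:", accept_download(RELEASE, INDEX_NAME, PACKAGES, FILENAME, GOOD_DEB))
    print("modified file:", accept_download(RELEASE, INDEX_NAME, PACKAGES, FILENAME, GOOD_DEB + b"!"))
```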

Thanks for the response,

Why doesn’t apt allow redirecting to http if it should be safe as long as the package lists are updated securely? Is there a way I can configure apt to allow installing packages over http?

I still consider this a bug at parrot’s end since is doing a forbidden redirect from apt’s point of view.

Also the mirror deb rolling main contrib non-free on the page doesn’t work: Could not connect to ( as doesn’t support https. Is it not a security risk to primarily use an http mirror in /etc/apt/sources.list.d/parrot.list?

we have a special patch to address this behavior, maybe we have to fix it (apt received a major upgrade recently)

if you want to bypass the mirror redirector and download the packages directly from our servers then use as repository (notice the /mirrors/parrot instead of the default /parrot)


thanks, Lorenzo!
This resolved my apt issue.
I was about to cut my veins :wink:


i have fixed apt again, the updated apt version will be available on our stable channel in the next hours :slight_smile:
