deb.parrot.sh redirects to mirror.truenetwork.ru in Finland

Briefly describe your issue below:

Installing any package (sway-backgrounds in my case) using apt sometimes fails due to https://deb.parrot.sh/ redirecting to unsecure http://mirror.truenetwork.ru/.

Apt sources in parrot.list:

```
deb https://deb.parrot.sh/parrot/ rolling main contrib non-free
#deb-src https://deb.parrot.sh/parrot/ rolling main contrib non-free
deb https://deb.parrot.sh/parrot/ rolling-security main contrib non-free
#deb-src https://deb.parrot.sh/parrot/ rolling-security main contrib non-free
```

Location: Finland

What version of Parrot are you running? (include version (e.g. 4.6), edition (e.g. Home//KDE/OVA, etc.), and architecture (currently we only support amd64))

Linux parrot 5.6.0-2parrot1-amd64 #1 SMP Debian 5.6.14-2parrot1 (2020-05-23) x86_64 GNU/Linux

Home edition.

What method did you use to install Parrot? (Debian Standard / Debian GTK / parrot-experimental)

Debian Standard.

Configured to multiboot with other systems? (yes / no)

No.

If there are any similar issues or solutions, link to them below:

If there are any error messages or relevant logs, post them below:

Error from apt:

```
Failed to fetch https://deb.parrot.sh/parrot/pool/main/s/sway/sway-backgrounds_1.4-2_all.deb  Redirection from https to 'http://mirror.truenetwork.ru/parrot/pool/main/s/sway/sway-backgrounds_1.4-2_all.deb' is forbidden [IP: 104.27.130.193 443]
```

Example with wget (to prove that the issue is not with apt per se):

```
wget -v https://deb.parrot.sh/parrot/pool/main/s/sway/sway-backgrounds_1.4-2_all.deb
--2020-07-16 21:25:14--  https://deb.parrot.sh/parrot/pool/main/s/sway/sway-backgrounds_1.4-2_all.deb
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving deb.parrot.sh (deb.parrot.sh)... 104.27.131.193, 172.67.174.196, 104.27.130.193, ...
Connecting to deb.parrot.sh (deb.parrot.sh)|104.27.131.193|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://mirror.truenetwork.ru/parrot/pool/main/s/sway/sway-backgrounds_1.4-2_all.deb [following]
--2020-07-16 21:25:14--  http://mirror.truenetwork.ru/parrot/pool/main/s/sway/sway-backgrounds_1.4-2_all.deb
Resolving mirror.truenetwork.ru (mirror.truenetwork.ru)... 94.247.111.11, 94.247.111.12
Connecting to mirror.truenetwork.ru (mirror.truenetwork.ru)|94.247.111.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4821032 (4.6M) [application/octet-stream]
Saving to: ‘sway-backgrounds_1.4-2_all.deb.3’

sway-backgrounds_1.4-2_all 100%[=====================================>]   4.60M  4.59MB/s    in 1.0s

2020-07-16 21:25:15 (4.59 MB/s) - ‘sway-backgrounds_1.4-2_all.deb.3’ saved [4821032/4821032]
```

our mirror redirection platform redirects you to a pool of near mirrors to make sure the load is properly distributed across all the servers that serve our archive.

it is neither the result of a hijacking attack nor a misconfiguration of our infrastructure (we don’t have a mirror in finland. near countries are used instead).

when you download a deb via apt, the package manager will check the hashes of the file and compare them to the index you download every time you run apt update

this index is downloaded directly from our platform (no mirrors involved) and it is digitally signed with our GPG keys.

apt refuses to install packages with wrong hashes, and it refuses as well to accept new indexes with invalid signatures, so the whole update process is safe even if you don’t personally trust a mirror provider.

according to the debian engineers, apt is safe to use even via http because of the extra security provided by gpg signatures that are applied by the distro developers and not by the servers (in contrast to https certificates)
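The chain of checks described in the reply above, as an added example that is not part of the original thread and is not apt's own code: a signed Release file lists the hash of the Packages index, which in turn lists the hash of each `.deb`, so a mirror that alters either file is detected. The function names and the sample data are hypothetical and constructed for illustration, and the GPG signature check on the Release text is assumed to have passed already.

```python
import hashlib

def parse_stanzas(text):
    """Split a deb822 index (Release, Packages) into {field: value} dicts."""
    stanzas, cur, key = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                 # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, key = {}, None
        elif line[0] in " \t" and key:       # continuation of previous field
            cur[key] += "\n" + line.strip()
        else:
            key, _, val = line.partition(":")
            cur[key] = val.strip()
    return stanzas

def matches(data, sha256, size):
    return len(data) == int(size) and hashlib.sha256(data).hexdigest() == sha256

def verify_deb(release, pkg_path, packages, filename, deb):
    """Walk Release -> Packages -> .deb; return 'ok' or where the chain breaks.
    Assumes the Release text already passed its GPG signature check."""
    head = (parse_stanzas(release) or [{}])[0]
    rows = head.get("SHA256", "").split("\n")
    listed = {r.split()[2]: r.split()[:2] for r in rows if len(r.split()) == 3}
    if pkg_path not in listed or not matches(packages, *listed[pkg_path]):
        return "Packages index does not match Release"
    for st in parse_stanzas(packages.decode()):
        if st.get("Filename") == filename:
            if matches(deb, st.get("SHA256"), st.get("Size", -1)):
                return "ok"
            return "package does not match Packages index"
    return "package not listed in Packages index"

# Constructed sample data, not real Parrot archive contents.
DEB = b"constructed stand-in for a .deb payload"
NAME = "pool/main/s/sway/sway-backgrounds_1.4-2_all.deb"
PACKAGES = (f"Package: sway-backgrounds\nFilename: {NAME}\n"
            f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n").encode()
RELEASE = ("Suite: rolling\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n")
```
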

Thanks for the response,

Why doesn’t apt allow redirecting to http if it should be safe as long as the package lists are updated securely? Is there a way I can configure apt to allow installing packages over http?

I still consider this a bug at parrot’s end since deb.parrot.sh is doing a forbidden redirect from apt’s point of view.

Also the mirror `deb https://mirror.truenetwork.ru/parrot/ rolling main contrib non-free` on the page https://docs.parrotlinux.org/mirror-list/ doesn’t work: `Could not connect to mirror.truenetwork.ru:443 (94.247.111.12).` as mirror.truenetwork.ru doesn’t support https. Is it not a security risk to primarily use an http mirror in `/etc/apt/sources.list.d/parrot.list`?

we have a special patch to address this behavior, maybe we have to fix it (apt received a major upgrade recently)

if you want to bypass the mirror redirector and download the packages directly from our servers then use https://mirror.parrot.sh/mirrors/parrot as repository (notice the /mirrors/parrot instead of the default /parrot)

2 Likes

thanks, Lorenzo!
This resolved my apt issue.
I was about to cut my veins :wink:

1 Like

i have fixed apt again, the updated apt version will be available on our stable channel in the next hours :slight_smile:
