Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1014517: apt - Fails in FIPS mode in libgcrypt
2,835 views
Skip to first unread message
Bastian Blank
Jul 7, 2022, 9:10:04 AM7/7/22
to
Package: apt
Version: 2.5.1
Severity: normal
"apt update" fails if the system runs in FIPS mode:
| # apt update
| Hit:2 http://deb.debian.org/debian-debug sid InRelease
| fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
|
| Fatal error: requested algo not in md context
| Aborted
The backtrace is:
| #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
| #1 0x0000fffff78a630c in __GI_abort () at abort.c:79
| #2 0x0000fffff75ce110 in _gcry_fatal_error (rc=rc@entry=5, text=text@entry=0xfffff765cb80 "requested algo not in md context") at ../../src/misc.c:97
| #3 0x0000fffff75e65b0 in md_read (algo=<optimized out>, a=<optimized out>, a=<optimized out>) at ../../cipher/md.c:1095
| #4 0x0000fffff7e435ac in HexDigest (hd=<optimized out>, algo=<optimized out>) at ./apt-pkg/contrib/hashes.cc:429
| #5 0x0000fffff7e44a18 in Hashes::GetHashString (this=this@entry=0xffffffffe6d8, hash=hash@entry=Hashes::MD5SUM) at ./apt-pkg/contrib/hashes.cc:457
| #6 0x0000fffff7e5bfd4 in debListParser::Description_md5 (this=0xaaaaaad9cf10) at ./apt-pkg/deb/deblistparser.cc:295
| #7 0x0000fffff7ecc020 in pkgCacheGenerator::MergeListVersion (this=this@entry=0xaaaaaab31470, List=..., Pkg=..., Version=..., OutVer=@0xffffffffe8c8: 0x0) at ./apt-pkg/pkgcachegen.cc:490
| #8 0x0000fffff7ecdb0c in pkgCacheGenerator::MergeList (this=this@entry=0xaaaaaab31470, List=..., OutVer=<optimized out>, OutVer@entry=0x0) at ./apt-pkg/pkgcachegen.cc:286
| #9 0x0000fffff7eb030c in pkgDebianIndexFile::Merge (this=<optimized out>, Gen=..., Prog=<optimized out>) at ./apt-pkg/indexfile.cc:348
| #10 0x0000fffff7ec8ef4 in operator() (__closure=__closure@entry=0xffffffffebc0, I=0xaaaaaab0a340) at ./apt-pkg/pkgcachegen.cc:1557
| #11 0x0000fffff7ecedb4 in std::for_each<__gnu_cxx::__normal_iterator<pkgIndexFile**, std::vector<pkgIndexFile*> >, BuildCache(pkgCacheGenerator&, OpProgress*, map_filesize_t&, map_filesize_t, const pkgSourceList*, FileIterator, FileIterator)::<lambda(pkgIndexFile*)> > (__f=..., __last=0x0, __first=0xaaaaaab0a340) at /usr/include/c++/11/bits/stl_algo.h:3820
| #12 BuildCache (Gen=..., Progress=<optimized out>, Progress@entry=0xfffffffff280, CurrentSize=@0xffffffffecf0: 100043188, TotalSize=<optimized out>, TotalSize@entry=100043188,
| List=List@entry=0x0, Start=..., End=...) at ./apt-pkg/pkgcachegen.cc:1586
| #13 0x0000fffff7ed0994 in pkgCacheGenerator::MakeStatusCache (List=..., Progress=Progress@entry=0xfffffffff280, OutMap=OutMap@entry=0xffffffffef18, OutCache=OutCache@entry=0xffffffffef20)
| at /usr/include/c++/11/bits/stl_iterator.h:1026
| #14 0x0000fffff7e0b2dc in pkgCacheFile::BuildCaches (this=0xfffffffff0c0, Progress=0xfffffffff280, WithLock=<optimized out>) at ./apt-pkg/cachefile.cc:127
| #15 0x0000fffff7f9e6fc in DoUpdate(CommandLine&) () from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #16 0x0000fffff7e27d20 in CommandLine::DispatchArg (this=0xfffffffff448, Map=<optimized out>, NoMatch=true) at ./apt-pkg/contrib/cmndline.cc:369
| #17 0x0000fffff7f633f4 in DispatchCommandLine(CommandLine&, std::vector<CommandLine::Dispatch, std::allocator<CommandLine::Dispatch> > const&) ()
| from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #18 0x0000aaaaaaaa1898 in ?? ()
| #19 0x0000fffff78a6614 in __libc_start_main (main=0xaaaaaaaa17c0, argc=2, argv=0xfffffffff5d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
| stack_end=<optimized out>) at ../csu/libc-start.c:332
| #20 0x0000aaaaaaaa19b8 in ?? ()
In FIPS mode MD5 is not allowed, so every usage results in a fatal error.
One workarounds would be:
Check for FIPS mode with gcry_fips_mode_active and don't try to use it
then.
Bastian
-- Package-specific info:
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.18.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
-- no debconf information
Version: 2.5.1
Severity: normal
"apt update" fails if the system runs in FIPS mode:
| # apt update
| Hit:2 http://deb.debian.org/debian-debug sid InRelease
| fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
|
| Fatal error: requested algo not in md context
| Aborted
The backtrace is:
| #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
| #1 0x0000fffff78a630c in __GI_abort () at abort.c:79
| #2 0x0000fffff75ce110 in _gcry_fatal_error (rc=rc@entry=5, text=text@entry=0xfffff765cb80 "requested algo not in md context") at ../../src/misc.c:97
| #3 0x0000fffff75e65b0 in md_read (algo=<optimized out>, a=<optimized out>, a=<optimized out>) at ../../cipher/md.c:1095
| #4 0x0000fffff7e435ac in HexDigest (hd=<optimized out>, algo=<optimized out>) at ./apt-pkg/contrib/hashes.cc:429
| #5 0x0000fffff7e44a18 in Hashes::GetHashString (this=this@entry=0xffffffffe6d8, hash=hash@entry=Hashes::MD5SUM) at ./apt-pkg/contrib/hashes.cc:457
| #6 0x0000fffff7e5bfd4 in debListParser::Description_md5 (this=0xaaaaaad9cf10) at ./apt-pkg/deb/deblistparser.cc:295
| #7 0x0000fffff7ecc020 in pkgCacheGenerator::MergeListVersion (this=this@entry=0xaaaaaab31470, List=..., Pkg=..., Version=..., OutVer=@0xffffffffe8c8: 0x0) at ./apt-pkg/pkgcachegen.cc:490
| #8 0x0000fffff7ecdb0c in pkgCacheGenerator::MergeList (this=this@entry=0xaaaaaab31470, List=..., OutVer=<optimized out>, OutVer@entry=0x0) at ./apt-pkg/pkgcachegen.cc:286
| #9 0x0000fffff7eb030c in pkgDebianIndexFile::Merge (this=<optimized out>, Gen=..., Prog=<optimized out>) at ./apt-pkg/indexfile.cc:348
| #10 0x0000fffff7ec8ef4 in operator() (__closure=__closure@entry=0xffffffffebc0, I=0xaaaaaab0a340) at ./apt-pkg/pkgcachegen.cc:1557
| #11 0x0000fffff7ecedb4 in std::for_each<__gnu_cxx::__normal_iterator<pkgIndexFile**, std::vector<pkgIndexFile*> >, BuildCache(pkgCacheGenerator&, OpProgress*, map_filesize_t&, map_filesize_t, const pkgSourceList*, FileIterator, FileIterator)::<lambda(pkgIndexFile*)> > (__f=..., __last=0x0, __first=0xaaaaaab0a340) at /usr/include/c++/11/bits/stl_algo.h:3820
| #12 BuildCache (Gen=..., Progress=<optimized out>, Progress@entry=0xfffffffff280, CurrentSize=@0xffffffffecf0: 100043188, TotalSize=<optimized out>, TotalSize@entry=100043188,
| List=List@entry=0x0, Start=..., End=...) at ./apt-pkg/pkgcachegen.cc:1586
| #13 0x0000fffff7ed0994 in pkgCacheGenerator::MakeStatusCache (List=..., Progress=Progress@entry=0xfffffffff280, OutMap=OutMap@entry=0xffffffffef18, OutCache=OutCache@entry=0xffffffffef20)
| at /usr/include/c++/11/bits/stl_iterator.h:1026
| #14 0x0000fffff7e0b2dc in pkgCacheFile::BuildCaches (this=0xfffffffff0c0, Progress=0xfffffffff280, WithLock=<optimized out>) at ./apt-pkg/cachefile.cc:127
| #15 0x0000fffff7f9e6fc in DoUpdate(CommandLine&) () from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #16 0x0000fffff7e27d20 in CommandLine::DispatchArg (this=0xfffffffff448, Map=<optimized out>, NoMatch=true) at ./apt-pkg/contrib/cmndline.cc:369
| #17 0x0000fffff7f633f4 in DispatchCommandLine(CommandLine&, std::vector<CommandLine::Dispatch, std::allocator<CommandLine::Dispatch> > const&) ()
| from /lib/aarch64-linux-gnu/libapt-private.so.0.0
| #18 0x0000aaaaaaaa1898 in ?? ()
| #19 0x0000fffff78a6614 in __libc_start_main (main=0xaaaaaaaa17c0, argc=2, argv=0xfffffffff5d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
| stack_end=<optimized out>) at ../csu/libc-start.c:332
| #20 0x0000aaaaaaaa19b8 in ?? ()
In FIPS mode MD5 is not allowed, so every usage results in a fatal error.
One workarounds would be:
Check for FIPS mode with gcry_fips_mode_active and don't try to use it
then.
Bastian
-- Package-specific info:
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.18.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
-- no debconf information
A. Maitland Bottoms
May 28, 2023, 4:50:04 PM5/28/23
to
So I see in the changes to libgcrypt since bullseye that there have
been some changes in the initialization on systems where FIPS is
enabled.
The attached patch has "works for me" status, and I feel that it is the
correct way to continue to have apt function as expected on a FIPS
enabled system.
I added a GCRYCTL_NO_FIPS_MODE setting in maybeInit() in
apt-pkg/contrib/hashes.cc
And, since the value of the enum GCRYCTL_NO_FIPS_MODE appeared just
before the release of libgcrypt 1.10.0, I added that version dependency
to the debian/control file.
Control: tag -1 patch
-Maitland
enc:
0001-Do-not-fail-on-systems-running-in-FIPSmode.patch
been some changes in the initialization on systems where FIPS is
enabled.
The attached patch has "works for me" status, and I feel that it is the
correct way to continue to have apt function as expected on a FIPS
enabled system.
I added a GCRYCTL_NO_FIPS_MODE setting in maybeInit() in
apt-pkg/contrib/hashes.cc
And, since the value of the enum GCRYCTL_NO_FIPS_MODE appeared just
before the release of libgcrypt 1.10.0, I added that version dependency
to the debian/control file.
Control: tag -1 patch
-Maitland
enc:
0001-Do-not-fail-on-systems-running-in-FIPSmode.patch
Dillon Amburgey
Jul 24, 2023, 10:40:05 PM7/24/23
to
I have seen this as well. This has recently started breaking apt
update on bookworm docker images as well as images built off bookworm
(e.g. python:3.8)
This can be easily reproduced on FIPS-enabled hosts:
docker run -it --rm debian:bookworm apt update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security
InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8906 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [4732 B]
Get:6 http://deb.debian.org/debian-security bookworm-security/main
amd64 Packages [48.0 kB]
Fetched 9210 kB in 2s (4169 kB/s)
failures started. 20230722T085252Z was the last good snapshot with
20230722T110049Z being the first failing snapshot.
docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
Get:1 http://snapshot.debian.org/archive/debian/20230722T110049Z
bookworm InRelease [151 kB]
Get:2 http://snapshot.debian.org/archive/debian/20230722T110049Z
bookworm-updates InRelease [52.1 kB]
Get:3 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
bookworm-security InRelease [48.0 kB]
Get:4 http://snapshot.debian.org/archive/debian/20230722T110049Z
bookworm/main amd64 Packages [8906 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T110049Z
bookworm-updates/main amd64 Packages [4732 B]
Get:6 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
bookworm-security/main amd64 Packages [48.0 kB]
Fetched 9210 kB in 1min 8s (136 kB/s)
Get:1 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm InRelease [147 kB]
Get:2 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm-updates InRelease [52.1 kB]
Get:3 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
bookworm-security InRelease [48.0 kB]
Get:4 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
bookworm-debug InRelease [49.8 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages [8904 kB]
Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages
Get:6 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm-updates/main amd64 Packages [4732 B]
Get:7 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
bookworm-security/main amd64 Packages [48.0 kB]
Get:8 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
bookworm-debug/main amd64 Packages [3564 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages [8904 kB]
Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages [8904 kB]
Fetched 11.2 MB in 5min 13s (35.9 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
update on bookworm docker images as well as images built off bookworm
(e.g. python:3.8)
This can be easily reproduced on FIPS-enabled hosts:
docker run -it --rm debian:bookworm apt update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security
InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8906 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [4732 B]
Get:6 http://deb.debian.org/debian-security bookworm-security/main
amd64 Packages [48.0 kB]
Fetched 9210 kB in 2s (4169 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function
_gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
I also was able to use snapshot.debian.org to isolate when the
_gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
failures started. 20230722T085252Z was the last good snapshot with
20230722T110049Z being the first failing snapshot.
docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
Get:1 http://snapshot.debian.org/archive/debian/20230722T110049Z
bookworm InRelease [151 kB]
Get:2 http://snapshot.debian.org/archive/debian/20230722T110049Z
bookworm-updates InRelease [52.1 kB]
Get:3 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
bookworm-security InRelease [48.0 kB]
Get:4 http://snapshot.debian.org/archive/debian/20230722T110049Z
bookworm/main amd64 Packages [8906 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T110049Z
bookworm-updates/main amd64 Packages [4732 B]
Get:6 http://snapshot.debian.org/archive/debian-security/20230722T110049Z
bookworm-security/main amd64 Packages [48.0 kB]
Fetched 9210 kB in 1min 8s (136 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function
_gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
docker run -v .:/etc/apt/sources.list.d/:ro -it --rm debian:bookworm apt update
_gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
Get:1 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm InRelease [147 kB]
Get:2 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm-updates InRelease [52.1 kB]
Get:3 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
bookworm-security InRelease [48.0 kB]
Get:4 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
bookworm-debug InRelease [49.8 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages [8904 kB]
Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages
Get:6 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm-updates/main amd64 Packages [4732 B]
Get:7 http://snapshot.debian.org/archive/debian-security/20230722T085252Z
bookworm-security/main amd64 Packages [48.0 kB]
Get:8 http://snapshot.debian.org/archive/debian-debug/20230722T085252Z
bookworm-debug/main amd64 Packages [3564 kB]
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages [8904 kB]
Ign:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages
Get:5 http://snapshot.debian.org/archive/debian/20230722T085252Z
bookworm/main amd64 Packages [8904 kB]
Fetched 11.2 MB in 5min 13s (35.9 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Julian Andres Klode
Jul 26, 2023, 11:00:06 AM7/26/23
to
part of the archive, it doesn't suddenly pop up, and APT uses any MD5
it can find as an additional (untrusted) hash.
And APT itself has been using libgcrypt for hashing since 1.9.6;
oldstable is shipping 2.2.4.
This is fixed in 2.7.2, fsvo of fixed. I do believe that this is
bullshit and libgcrypt's FIPS mode should be entirely disabled,
as in Ubuntu, as Debian's libgcrypt is not FIPS certified.
As this is not a regression vs oldstable, and we realistically
may be preempting configuration of libgcrypt by applications using
the apt-pkg library, I do not think this is a change that should
be released to a stable update.
I did pick it for unstable and testing, but ultimately we need
to replace libgcrypt with nettle.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
Dillon Amburgey
Jul 26, 2023, 1:30:05 PM7/26/23
to
I understand and agree the behavior doesn't quite make sense.
While I know this code has not recently changed inside apt, I believe
it must have recently started expressing itself when combined with
some other change on the mirrors or in the release process.
I do think this is a regression in a practical sense compared to
oldstable. I'm currently unable to create new containers for stable
but am able to for oldstable:
➜ ~ docker run -it --rm debian:oldstable apt update
Unable to find image 'debian:oldstable' locally
oldstable: Pulling from library/debian
70705a13f194: Pull complete
Digest: sha256:2053cf94aadec2cc167488183a928165313c281b954d042d45ba65cb84459fde
Status: Downloaded newer image for debian:oldstable
Get:1 http://deb.debian.org/debian oldstable InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security oldstable-security
InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian oldstable-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian oldstable/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security oldstable-security/main
amd64 Packages [252 kB]
Get:6 http://deb.debian.org/debian oldstable-updates/main amd64
Packages [14.8 kB]
Fetched 8658 kB in 2s (3764 kB/s)
Get:1 http://deb.debian.org/debian stable InRelease [151 kB]
Get:2 http://deb.debian.org/debian stable-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security stable-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian stable/main amd64 Packages [8906 kB]
Get:5 http://deb.debian.org/debian stable-updates/main amd64 Packages [4732 B]
Get:6 http://deb.debian.org/debian-security stable-security/main amd64
Packages [48.0 kB]
Fetched 9210 kB in 2s (4051 kB/s)
ID ami-0f2bfd15cb2cab7e0, so I don't think it should have anything to
do with our particular environment.
Is there any other information I can provide?
--
Dillon Amburgey
Managing Director, Zetier
+1 (703) 635-3302
While I know this code has not recently changed inside apt, I believe
it must have recently started expressing itself when combined with
some other change on the mirrors or in the release process.
I do think this is a regression in a practical sense compared to
oldstable. I'm currently unable to create new containers for stable
but am able to for oldstable:
➜ ~ docker run -it --rm debian:oldstable apt update
Unable to find image 'debian:oldstable' locally
oldstable: Pulling from library/debian
70705a13f194: Pull complete
Digest: sha256:2053cf94aadec2cc167488183a928165313c281b954d042d45ba65cb84459fde
Status: Downloaded newer image for debian:oldstable
Get:1 http://deb.debian.org/debian oldstable InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security oldstable-security
InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian oldstable-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian oldstable/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security oldstable-security/main
amd64 Packages [252 kB]
Get:6 http://deb.debian.org/debian oldstable-updates/main amd64
Packages [14.8 kB]
Fetched 8658 kB in 2s (3764 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
➜ ~ docker run -it --rm debian:stable apt update
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Get:1 http://deb.debian.org/debian stable InRelease [151 kB]
Get:2 http://deb.debian.org/debian stable-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security stable-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian stable/main amd64 Packages [8906 kB]
Get:5 http://deb.debian.org/debian stable-updates/main amd64 Packages [4732 B]
Get:6 http://deb.debian.org/debian-security stable-security/main amd64
Packages [48.0 kB]
Fetched 9210 kB in 2s (4051 kB/s)
fatal error in libgcrypt, file ../../src/misc.c, line 92, function
_gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
I was able to reproduce this behavior on a fresh EC2 instance with AMI
_gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
ID ami-0f2bfd15cb2cab7e0, so I don't think it should have anything to
do with our particular environment.
Is there any other information I can provide?
Dillon Amburgey
Managing Director, Zetier
+1 (703) 635-3302
Julian Andres Klode
Jul 27, 2023, 5:40:05 AM7/27/23
to
On Wed, Jul 26, 2023 at 01:21:58PM -0400, Dillon Amburgey wrote:
> I understand and agree the behavior doesn't quite make sense.
> While I know this code has not recently changed inside apt, I believe
> it must have recently started expressing itself when combined with
> some other change on the mirrors or in the release process.
>
> I do think this is a regression in a practical sense compared to
> oldstable. I'm currently unable to create new containers for stable
> but am able to for oldstable:
Debian is not a FIPS certified platform, nor has it been tested
> I understand and agree the behavior doesn't quite make sense.
> While I know this code has not recently changed inside apt, I believe
> it must have recently started expressing itself when combined with
> some other change on the mirrors or in the release process.
>
> I do think this is a regression in a practical sense compared to
> oldstable. I'm currently unable to create new containers for stable
> but am able to for oldstable:
on kernels with the FIPS flag enabled. As such, there will be
plenty of bugs like that in a stable release.
If you want to work on a Debian that runs on FIPS kernels, by
all means, you are free to work on that for future versions. I
do not think however that people will be very agreeable to NSA
cryptoscams.
0 new messages