nexus-public
nexus-public copied to clipboard
sonatype
Nexus `apt` repository generates `Packages.bz2` rather than `Packages.xz`
Hi,
We are using Nexus OSS to host an internal repository for a .deb package we maintain. However, we also want this to be exposed in a publicly available https mirror. To this avail, we use https://packages.ubuntu.com/debmirror (maintained here: https://salsa.debian.org/debian/debmirror)
This works fine, with one problem: we occasionally get 404 Not Found errors trying to run apt-get update:
Err:18 https://deb.example.com/experimental experimental/main all Packages
404 Not Found [IP: 192.0.2.42 443]
We have debugged this and concluded that this is because of the way Nexus constructs the InRelease file:
$ curl -s https://deb.example.com/experimental/dists/experimental/InRelease
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Suite: experimental
Codename: experimental
Components: main
Date: Mon, 28 Aug 2023 05:59:53 GMT
Architectures: all
SHA256:
5d63d3ab93f94a1ca7403ca6c26cb51942c6fb7e45192a8fe4c7ae581b630c8a 48024 main/binary-all/Packages
f1d8080bb3cde969ea2f0aa3c6902c87f6e3060ae218779d21a681b9a44553a2 6003 main/binary-all/Packages.gz
314c36077972142db23b0d98e499576349a97af1b2b2a25b97d2cdf13d94098b 5574 main/binary-all/Packages.bz2
MD5Sum:
fc0d09512ba9bbf04e5f4b18201e25f2 48024 main/binary-all/Packages
65f64186d4dff9197affa5807de12598 6003 main/binary-all/Packages.gz
d22273443feceb35819f013004249351 5574 main/binary-all/Packages.bz2
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.71
iQG+BAEBCAAoBQJk7DfaIRxIaWJveCBTeXN0ZW1zIDxzdXBwb3J0QGhpYm94LnR2
PgAKCRD5/nVYo1VmpDEhDAC0Tw/WJGFAU28z8c/4yiuDT0u1lRioUDRp1ppESjA6
ldl2xZUos1cilHkQAR+WqCGg4vqyg8xqiyKdXrdGeug9ZTp7vpVhxwd51NjFXMIb
bBJ9xkxA04mDngpljCDH0HADps+AmatpNt4132I4aQwzrEjoaPvZuCeWyroOnQWs
W6LMwaMG2LsLBDCwde+s4Val9CAzFJtshsd8UaLCAtArL8DAroy2JI6fNVHEi+ZA
LBAX4xPxW2J55JETnh3mxjpF8UFclrfG/TpCDYDhsJaDtXrRiWNQ2y/egGOE9SwB
EaA+ZeVAFbh2gXrLURCIbJ4O0vMao5Dn9hbdAK9fgI4ga0WcXBoLysjRZeSVUMD+
QEWwNkSk0i7kudUb/DSXVZwDJmtDUHCV1rAfVORqfJzmgXCIegwvQkoebkNP9jNo
PbYd3B7pFDdvSdCgvCv7m2B6oMP06gAuRxaGRGXKY+PLE6ssxz1GWKqc4KAKaPeb
BxNupS0KHDcqrGs5oBarrdM=
=7eMX
-----END PGP SIGNATURE-----
Note how this InRelease file contains three files:
-
Packages(uncompressed form) -
Packages.gz -
Packages.bz2
The problem is that Packages.bz2 files are no longer supported by debmirror since 2015: https://salsa.debian.org/debian/debmirror/-/commit/417f28d5396839a5dbe6ea9c3dd00a14dcf12ef7. Because of this, what happens when we run debmmirror seems to be this:
- The
Packagesfile gets downloaded - Likewise with
Packages.gz -
Packages.bz2is ignored - The
.debfile(s) themselves are also downloaded
...which in turns causes the 404 Not Found error when apt-get is subsequently run towards the mirror.
Suggested resolution
It is honestly quite hard to say whether the problem is with Nexus or debmirror. I believe the problem is that apt-get (by default) prefers bzip2 over gzip => tries to download the bz2 file first, which gives the 404 Not Found error.
I believe it then also tries to download the Packages.gz (or Packages) file, since the package update eventually succeeds. :thinking: (the next time you run apt-get update, I believe)
Either way, since Packages.bz2 seems largely obsolete, I would suggest the following as the quick fix:
- Remove
Packages.bz2support in Nexus (or provide a way to disable it). TheInReleasefile would then no longer contain a reference to it.
The longer-term fix would then be:
- Add
Packages.xzsupport
More details about our setup
- Tell us about your Nexus Repository deployment: Nexus OSS 3.43.0-01, running on Ubuntu 20.04.
Hi @perlun , thanks for raising this to our awareness. We haven't had a chance to investigate further. I noticed you are running an older version of the Sonatype Nexus Repository Manager. Have you tried the latest version?
We updated to 3.61.0 some weeks ago, but the problem persists. We have not yet had the time to upgrade to 3.62.0 but no mentions of anything related to this in the release notes at least.
