APT errors - ...sometimes not as smooth as usual...

mail

apt search : E: The value 'bullseye-backports' is invalid for APT::Default-Release as such a release is not available in the sources

Situation

I'm trying to configure backports and install packages using this procedure, but I get :
apt -t bullseye-backports search somePackage
E: The value 'bullseye-backports' is invalid for APT::Default-Release as such a release is not available in the sources

Solution

That's an easy-to-fix bug (caused by a PEBKAC error ) : the line added to /etc/apt/sources.list is :
deb-src https://ftp.debian.org/debian/ bullseye-backports main
while it should be :
deb https://ftp.debian.org/debian/ bullseye-backports main
mail

apt-key : Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Situation

Some installation procedures may instruct to run commands such as :
curl [options] https:// | apt-key add -
Which outputs :
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Details

This is pretty well explained in this answer.

Solution

The technical details linked above may look complex, and the simpler is to
  1. search the website of the software provider for an updated install procedure
  2. update your bookmarks
mail

apt update error : Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg),

Situation

apt update

Fetched 2,070 kB in 7s (304 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Details

  1. DON'T PANIC : this is _just_ a warning, not an error
  2. This is caused by the usage of the deprecated /etc/apt/trusted.gpg file.
  3. There are 2 methods to fix this :

Solution

The quick-n-dirty method

As root :
mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/
No deprecated keyring == no problem ('told you it was dirty )

The clean method

Export each key from the deprecated keyring into one or more dedicated keyrings. To do so :
  1. apt-key list
    /etc/apt/trusted.gpg											the deprecated keyring
    --------------------
    pub	rsa4096 2019-07-30 [SC]
    	A2BD 99B1 CD4F B9B9 17ED  53C2 E7CE 2877 F94C 473B						a key found in this deprecated keyring
    uid		[ unknown] Gestionnaire du dépôt (Gestionnaire du dépôt) <repository@acme.com>
    sub	rsa4096 2019-07-30 [E]
    
    pub	rsa4096 2015-10-07 [SCEA]
    	3E7F 2A56 D279 2B59 DCC5  6586 B15A 9E2B 0E01 8B5F
    uid		[ unknown] Bot key (with stupid passphrase) <linux-echanges@list.acme.com>
    sub	elg4096 2015-10-07 [E]
    
    pub	rsa4096 2018-09-17 [SC]
    	F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
    uid		[ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
    
    /etc/apt/trusted.gpg.d/jaap_karssenberg-ubuntu-zim.gpg							another keyring
    --------------------
    pub	rsa1024 2011-02-19 [SC]
    		DC4A C0EE 92BC 64ED 020C  1C63 7588 B93F 8F7D F243
    uid		[ unknown] Launchpad PPA for Jaap Karssenberg
    
    /etc/apt/trusted.gpg.d/kelleyk_ubuntu_emacs.gpg								and it goes on...
    --------------------
    
  2. export ACME keys :
    apt-key export F94C473B | gpg --dearmour -o /etc/apt/trusted.gpg.d/acme.gpg
    apt-key export 0E018B5F | gpg --dearmour -o /etc/apt/trusted.gpg.d/acme.gpg
    the --dearmour option converts the key from base64 to binary
  3. export the Ubuntu key :
    apt-key export 991BC93C | gpg --dearmour -o /etc/apt/trusted.gpg.d/ubuntu_archive_2018.gpg
  4. check by running again :
    apt update
  5. rm /etc/apt/trusted.gpg
mail

apt update error : Release file for http://deb.debian.org//InRelease is not valid yet Updates for this repository will not be applied.

Situation

Full error message :
E: Release file for http://deb.debian.org/debian/dists/buster/InRelease is not valid yet (invalid for another 589d 23h 37min 20s). Updates for this repository will not be applied.
E: Release file for http://deb.debian.org/debian-security/dists/buster/updates/InRelease is not valid yet (invalid for another 649d 21h 37min 46s). Updates for this repository will not be applied.
E: Release file for http://deb.debian.org/debian/dists/unstable/InRelease is not valid yet (invalid for another 650d 4h 8min 51s). Updates for this repository will not be applied.

Details

Investigations led me to the root cause : a wrong local date (experienced this on 2020-11-25):
date
Thu Feb 14 11:17:12 CET 2019

Solution

Articles dealing with time synchronization on Debian Buster list 2 methods :

Let's focus on systemd-timesyncd :

  1. What's up ?
    systemctl status systemd-timesyncd
    Warning: The unit file, source configuration file or drop-ins of systemd-timesyncd.service changed on disk. Run 'systemctl daemon-reload'
    ● systemd-timesyncd.service - Network Time Synchronization
       Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
      Drop-In: /usr/lib/systemd/system/systemd-timesyncd.service.d
       └─disable-with-time-daemon.conf				???
       Active: inactive (dead)
  2. As instructed :
    systemctl daemon-reload
    This made no change and systemd-timesyncd refused to start afterwards
  3. Let's have a look at this disable-with-time-daemon.conf :
    less /usr/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf
    [Unit]
    # don't run timesyncd if we have another NTP daemon installed
    ConditionFileIsExecutable=!/usr/sbin/ntpd
    ConditionFileIsExecutable=!/usr/sbin/openntpd
    ConditionFileIsExecutable=!/usr/sbin/chronyd
    ConditionFileIsExecutable=!/usr/sbin/VBoxService
  4. Is any of these files present on the system ?
    for binFile in $(awk -F '!' '/ConditionFileIsExecutable/ { print $2 }' /usr/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf); do [ -x "$binFile" ] && echo "FOUND : '$binFile'"; done
    FOUND : '/usr/sbin/ntpd'
    FOUND : '/usr/sbin/openntpd'
  5. Which packages do these files come from ?
    dpkg -S /usr/sbin/ntpd /usr/sbin/openntpd
    openntpd: /usr/sbin/ntpd
    openntpd: /usr/sbin/openntpd
  6. Let's uninstall the useless openntpd package :
    apt purge openntpd
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages will be REMOVED:
      openntpd*
    
  7. Will I be able to start systemd-timesyncd, now ?
    systemctl start systemd-timesyncd
    systemctl status systemd-timesyncd
     systemd-timesyncd.service - Network Time Synchronization
       Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2020-10-08 21:32:17 CEST; 1 months 17 days ago
     Docs: man:systemd-timesyncd.service(8)
     Main PID: 2217 (systemd-timesyn)
       Status: "Synchronized to time server for the first time 188.165.236.162:123 (0.debian.pool.ntp.org)."
    Tasks: 2 (limit: 4915)
       Memory: 1.5M
       CGroup: /system.slice/systemd-timesyncd.service
       └─2217 /lib/systemd/systemd-timesyncd
    Looks good !
  8. Check :
    date
    Wed Nov 25 18:36:24 CET 2020
mail

apt update error : Release file for http://ftp.fr.debian.org//InRelease is expired. Updates for this repository will not be applied.

Situation

Full error message :
apt update
Hit:1 http://ftp.fr.debian.org/debian buster InRelease
Hit:2 http://ftp.fr.debian.org/debian-security buster/updates InRelease
Hit:3 http://ftp.fr.debian.org/debian buster-updates InRelease
Get:4 http://security.debian.org buster/updates InRelease [65.4 kB]

Reading package lists... Done
E: Release file for http://ftp.fr.debian.org/debian-security/dists/buster/updates/InRelease is expired (invalid since 3d 17h 1min 44s). Updates for this repository will not be applied.

Details

Release files have a Valid-Until parameter :
Valid-Until: Sat, 28 Mar 2020 23:31:40 UTC
I've experienced this error at :
date
Wed 01 Apr 2020 06:51:01 PM CEST
The Valid-Until value is clearly in the past, making the release file obsolete. There's nothing wrong on your side (except that you're referring to a resource that should be up-to-date).

Solution

Available solutions :

Alternate solution

Here is a quick-n-dirty workaround (not a solution), that deactivates the check which verifies expired digital signatures, so apt will accept old and expired release keys :
apt update -o Acquire::Check-Valid-Until=false
mail

apt upgrade displays The following packages have been kept back:

Situation

Full message :
apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
	default-jre default-jre-headless icedtea-netx
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

Details

Different circumstances may cause this output message :
cause solution
  • apt upgrade only upgrades what can be upgraded. It doesn't install new packages or remove old ones.
  • Packages that require, to be upgraded, either to install a new package or to remove an installed one, are not upgraded. Such packages will be listed after : The following packages have been kept back:.
read below
Packages have been put on hold to prevent their update. You probably forgot you did this yourself : just grab a coffee, everything is going extremely well
This is due to Phased updates.
Confirmed by apt-mark showhold returning nothing.
This is an expected behavior, not an error. Just relax : everything is going extremely well (AGAIN !)

Solution

apt dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
	icedtea-netx icedtea-netx-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
	default-java-plugin icedtea-8-plugin
The following packages will be upgraded:
	default-jre default-jre-headless icedtea-netx
3 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
Need to get 45.9 kB of archives.
After this operation, 655 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://ftp.fr.debian.org/debian stretch/main amd64 default-jre amd64 2:1.8-58+deb9u1 [930 B]
Get:2 http://ftp.fr.debian.org/debian stretch/main amd64 default-jre-headless amd64 2:1.8-58+deb9u1 [10.1 kB]
Get:3 http://ftp.fr.debian.org/debian stretch/main amd64 icedtea-netx amd64 1.6.2-3.1+deb9u1 [34.9 kB]
Fetched 45.9 kB in 0s (157 kB/s)
Reading changelogs... Done
(Reading database ... 268071 files and directories currently installed.)
Removing default-java-plugin (2:1.8-58) ...
Removing icedtea-8-plugin:amd64 (1.6.2-3.1) ...
(Reading database ... 268066 files and directories currently installed.)
Preparing to unpack .../default-jre_2%3a1.8-58+deb9u1_amd64.deb ...
Unpacking default-jre (2:1.8-58+deb9u1) over (2:1.8-58) ...
Preparing to unpack .../default-jre-headless_2%3a1.8-58+deb9u1_amd64.deb ...
Unpacking default-jre-headless (2:1.8-58+deb9u1) over (2:1.8-58) ...
Preparing to unpack .../icedtea-netx_1.6.2-3.1+deb9u1_amd64.deb ...
Unpacking icedtea-netx:amd64 (1.6.2-3.1+deb9u1) over (1.6.2-3.1) ...
Setting up icedtea-netx:amd64 (1.6.2-3.1+deb9u1) ...
Setting up default-jre-headless (2:1.8-58+deb9u1) ...
Setting up default-jre (2:1.8-58+deb9u1) ...
apt autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
	icedtea-netx icedtea-netx-common
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 1,668 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 268066 files and directories currently installed.)
Removing icedtea-netx:amd64 (1.6.2-3.1+deb9u1) ...
update-alternatives: removing manually selected alternative - switching javaws to auto mode
update-alternatives: removing manually selected alternative - switching itweb-settings to auto mode
update-alternatives: removing manually selected alternative - switching policyeditor to auto mode
Removing icedtea-netx-common (1.6.2-3.1+deb9u1) ...
Processing triggers for mime-support (3.60) ...
Processing triggers for desktop-file-utils (0.23-1) ...
Processing triggers for hicolor-icon-theme (0.15-1) ...
mail

apt update error : 407 Proxy Authentication Required

Situation

When I run apt-get update, I get messages like :

Hit:6 http://ftp.fr.debian.org/debian jessie Release
Err:7 http://security.debian.org jessie/updates Release
	407	Proxy Authentication Required [IP: IP of my company's web proxy 3128]
Err:8 http://security.debian.org testing/updates Release
	407	Proxy Authentication Required [IP: IP of my company's web proxy 3128]

Details

Solution

Several causes, several solutions :

Case 1 :

Missing / obsolete proxy settings :
  1. grep http_proxy ~/.bashrc* /etc/{profile,environment}; echo -e "\nCURRENT VALUE : $http_proxy"
  2. edit file having wrong settings
  3. source theFileYouJustEdited

Case 2 :

The apt configuration has a wrong / obsolete value for http_proxy / https_proxy / login / password, hence the error. Just review your apt proxy settings.

Case 3 :

For any good / weird reason, Squid is running on localhost.
  1. set / update the proxy credentials in /etc/squid/squid.conf :
    cache_peer proxy01.acmecorp.com parent 3128 0 no-query round-robin weight=1 login=kevin:proxyPassword proxy-only
    cache_peer proxy02.acmecorp.com parent 3128 0 no-query round-robin weight=2 login=kevin:proxyPassword proxy-only
  2. systemctl restart squid