sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

Nexus `apt` repository generates `Packages.bz2` rather than `Packages.xz` #235

Open perlun opened 1 year ago

perlun commented 1 year ago

Hi,

We are using Nexus OSS to host an internal repository for a .deb package we maintain. However, we also want this to be exposed in a publicly available HTTPS mirror. To this end, we use https://packages.ubuntu.com/debmirror (maintained here: https://salsa.debian.org/debian/debmirror).

This works fine, with one problem: we occasionally get 404 Not Found errors trying to run apt-get update:

```
Err:18 https://deb.example.com/experimental experimental/main all Packages
  404  Not Found [IP: 192.0.2.42 443]
```

We have debugged this and concluded that this is because of the way Nexus constructs the InRelease file:

```
$ curl -s https://deb.example.com/experimental/dists/experimental/InRelease
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Suite: experimental
Codename: experimental
Components: main
Date: Mon, 28 Aug 2023 05:59:53 GMT
Architectures: all
SHA256:
 5d63d3ab93f94a1ca7403ca6c26cb51942c6fb7e45192a8fe4c7ae581b630c8a 48024 main/binary-all/Packages
 f1d8080bb3cde969ea2f0aa3c6902c87f6e3060ae218779d21a681b9a44553a2 6003 main/binary-all/Packages.gz
 314c36077972142db23b0d98e499576349a97af1b2b2a25b97d2cdf13d94098b 5574 main/binary-all/Packages.bz2
MD5Sum:
 fc0d09512ba9bbf04e5f4b18201e25f2 48024 main/binary-all/Packages
 65f64186d4dff9197affa5807de12598 6003 main/binary-all/Packages.gz
 d22273443feceb35819f013004249351 5574 main/binary-all/Packages.bz2
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.71
=7eMX
-----END PGP SIGNATURE-----
```

Note how this InRelease file contains three files:

The problem is that Packages.bz2 files are no longer supported by debmirror since 2015: https://salsa.debian.org/debian/debmirror/-/commit/417f28d5396839a5dbe6ea9c3dd00a14dcf12ef7. Because of this, what happens when we run debmirror seems to be this:

...which in turn causes the 404 Not Found error when apt-get is subsequently run towards the mirror.

Suggested resolution

It is honestly quite hard to say whether the problem is with Nexus or debmirror. I believe the problem is that apt-get (by default) prefers bzip2 over gzip => tries to download the bz2 file first, which gives the 404 Not Found error.

I believe it then also tries to download the Packages.gz (or Packages) file, since the package update eventually succeeds. :thinking: (the next time you run apt-get update, I believe)

Either way, since Packages.bz2 seems largely obsolete, I would suggest the following as the quick fix:

The longer-term fix would then be:

More details about our setup

perlun commented 1 year ago

Ping @gracecllee - any updates on this?

gracecllee commented 1 year ago

Hi @perlun, thanks for raising this to our awareness. We haven't had a chance to investigate further. I noticed you are running an older version of the Sonatype Nexus Repository Manager. Have you tried the latest version?

slovdahl commented 1 year ago

We updated to 3.61.0 some weeks ago, but the problem persists. We have not yet had the time to upgrade to 3.62.0, but there are no mentions of anything related to this in the release notes at least.
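
The mismatch described in the opening post, where the signed InRelease file lists an index that the mirror does not hold, can be checked offline against a mirrored `dists/<suite>` directory. This is an added example, not code from Nexus, debmirror or anyone in this thread; the function names and the file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_sha256_section(release_text):
    """Return {relative_path: (sha256_hex, size)} from a Release/InRelease body."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only the SHA256 list matters here.
            in_section = line.split(":", 1)[0] == "SHA256"
        elif in_section and line.strip():
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def audit_mirror(release_text, dist_dir):
    """Return {path: status}; status is ok, missing, size-mismatch or hash-mismatch."""
    report = {}
    for path, (digest, size) in parse_sha256_section(release_text).items():
        target = Path(dist_dir, path)
        if not target.is_file():
            report[path] = "missing"  # listed in the signed Release, absent on the mirror
            continue
        data = target.read_bytes()
        if len(data) != size:
            report[path] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            report[path] = "hash-mismatch"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed case: Release lists three indexes, the mirror copied only two."""
    files = {"Packages": b"Package: demo\n", "Packages.gz": b"gz", "Packages.bz2": b"bz2"}
    release = "Suite: experimental\nSHA256:\n" + "".join(
        f" {hashlib.sha256(data).hexdigest()} {len(data)} main/binary-all/{name}\n"
        for name, data in files.items())
    with tempfile.TemporaryDirectory() as root:
        index_dir = Path(root, "main/binary-all")
        index_dir.mkdir(parents=True)
        for name, data in files.items():
            if not name.endswith(".bz2"):  # simulate a mirror tool that skips .bz2
                (index_dir / name).write_bytes(data)
        return audit_mirror(release, root)
```

Running `audit_mirror` after each mirror sync, with the InRelease text and the mirrored `dists/<suite>` path, flags any listed index that clients may request but the mirror cannot serve.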