Apt Security - Ubuntu MATE 16.04 action required

Wimpy · 19 March 2016 10:19

Debian and Ubuntu apt requirements are in the middle of a significant update. If you’re running Ubuntu MATE 16.04 you may need to take action!

apt in Debian Unstable and Ubuntu 16.04 now requires that repositories be signed with RSA keys using SHA256 or higher. Some 3rd party repositories don’t meet these requirements.

Currently the Google Music Manager, Google Talk Plugin, and SpiderOakONE repositories are affected and will cause graphical package and update managers to fail out right. So subscribe to Welcomes updates to ensure the applications above are no longer listed. Also it is recommended that if you’ve installed Google Music Manager, Google Talk Plugin or SpiderOakONE you uninstall them using Ubuntu MATE Welcome or disable their repositories in Software and Updates.

I spent last evening working with the Debian team to determine the extent of the issue and which 3rd party repositories are affected and what they need to do to become compliant. Thankfully the Google Chrome repository was updated yesterday. We’ll be contacting affected maintainers of the non-compliant repositories over the weekend.

Google Music Manager, Google Talk Plugin and SpiderOakONE are the only 3rd party repositories used by Ubuntu MATE Welcome that are not compliant with the new apt security requirements.

Wimpy · 19 March 2016 10:20

DaveB · 20 March 2016 15:18

In case helpful, for those having trouble installing Tvheadend due apt update and Bintray sha1 signing, Bintray Support mention this should be fixed by the end of the week.

Tristan_VILLERS · 19 April 2016 10:18

Ubuntu MAte 16.04, I do have the issue with SpideroakOne, how strange it is to see back “Hardy” in repositories !

E: Failed to fetch http://APT.spideroak.com/ubuntu-spideroak-hardy/dists/release/Release No Hash entry in Release file /var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release which is considered strong enough for security purpose

I can do the update anyway, install software or this kind of admin things without trouble or issue.
Spideroak team could help ? Should we contact them ?
Thanks ! Ans sorry for my english …

anon42388993 · 19 April 2016 12:17

I do not know where you found that link, but its dead. Here’s my findings…

https://spideroak.com/opendownload

Tristan_VILLERS · 19 April 2016 12:35

Hi v3xx,

That where the strange things start. I always download on that link, on official website of Spideroak to install and activate my account.
Hi did installed the 6.1.3 version, has your link mention it.
So, i don’t get why i do have that particular mistake then, with “hardy” repositorie (if i get it well)

anon42388993 · 19 April 2016 13:27

Lets see what you have going on

Code:
tail -v -n +1 /etc/apt/sources.list.d/*

Tristan_VILLERS · 19 April 2016 14:12

Thanks v3xx
here :
==> /etc/apt/sources.list.d/appgrid-stable-xenial.list <==
deb http://ppa.launchpad.net/appgrid/stable/ubuntu xenial main

==> /etc/apt/sources.list.d/appgrid-stable-xenial.list.save <==
deb http://ppa.launchpad.net/appgrid/stable/ubuntu xenial main

==> /etc/apt/sources.list.d/audio-recorder-ubuntu-ppa-xenial.list <==
deb http://ppa.launchpad.net/audio-recorder/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/audio-recorder/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/audio-recorder-ubuntu-ppa-xenial.list.save <==
deb http://ppa.launchpad.net/audio-recorder/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/audio-recorder/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/costales-ubuntu-anoise-xenial.list <==
deb http://ppa.launchpad.net/costales/anoise/ubuntu xenial main
deb-src http://ppa.launchpad.net/costales/anoise/ubuntu xenial main

==> /etc/apt/sources.list.d/costales-ubuntu-anoise-xenial.list.save <==
deb http://ppa.launchpad.net/costales/anoise/ubuntu xenial main
deb-src http://ppa.launchpad.net/costales/anoise/ubuntu xenial main

==> /etc/apt/sources.list.d/heyarje-ubuntu-makemkv-beta-xenial.list <==
deb http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial main
deb-src http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial main

==> /etc/apt/sources.list.d/heyarje-ubuntu-makemkv-beta-xenial.list.save <==
deb http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial main
deb-src http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial main

==> /etc/apt/sources.list.d/insync.list <==
deb http://apt.insynchq.com/ubuntu trusty non-free contrib

==> /etc/apt/sources.list.d/insync.list.save <==
deb http://apt.insynchq.com/ubuntu trusty non-free contrib

==> /etc/apt/sources.list.d/libdvdcss2.list <==
deb http://download.videolan.org/pub/debian/stable/ /
deb-src http://download.videolan.org/pub/debian/stable/ /

==> /etc/apt/sources.list.d/libdvdcss2.list.save <==
deb http://download.videolan.org/pub/debian/stable/ /
deb-src http://download.videolan.org/pub/debian/stable/ /

==> /etc/apt/sources.list.d/maarten-baert-ubuntu-simplescreenrecorder-xenial.list <==
deb http://ppa.launchpad.net/maarten-baert/simplescreenrecorder/ubuntu xenial main
deb-src http://ppa.launchpad.net/maarten-baert/simplescreenrecorder/ubuntu xenial main

==> /etc/apt/sources.list.d/maarten-baert-ubuntu-simplescreenrecorder-xenial.list.save <==
deb http://ppa.launchpad.net/maarten-baert/simplescreenrecorder/ubuntu xenial main
deb-src http://ppa.launchpad.net/maarten-baert/simplescreenrecorder/ubuntu xenial main

==> /etc/apt/sources.list.d/ravefinity-project-ubuntu-ppa-xenial.list <==
deb http://ppa.launchpad.net/ravefinity-project/ppa/ubuntu xenial main
# deb-src http://ppa.launchpad.net/ravefinity-project/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/ravefinity-project-ubuntu-ppa-xenial.list.save <==
deb http://ppa.launchpad.net/ravefinity-project/ppa/ubuntu xenial main
# deb-src http://ppa.launchpad.net/ravefinity-project/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/spideroakone.list <==
deb http://APT.spideroak.com/ubuntu-spideroak-hardy/ release restricted


==> /etc/apt/sources.list.d/spideroakone.list.save <==
deb http://APT.spideroak.com/ubuntu-spideroak-hardy/ release restricted


==> /etc/apt/sources.list.d/spotify.list <==
deb http://repository.spotify.com stable non-free

==> /etc/apt/sources.list.d/spotify.list.save <==
deb http://repository.spotify.com stable non-free

==> /etc/apt/sources.list.d/team-xbmc-ubuntu-ppa-xenial.list <==
deb http://ppa.launchpad.net/team-xbmc/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/team-xbmc/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/team-xbmc-ubuntu-ppa-xenial.list.save <==
deb http://ppa.launchpad.net/team-xbmc/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/team-xbmc/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntuhandbook1-ubuntu-corebird-xenial.list <==
deb http://ppa.launchpad.net/ubuntuhandbook1/corebird/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntuhandbook1/corebird/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntuhandbook1-ubuntu-corebird-xenial.list.save <==
deb http://ppa.launchpad.net/ubuntuhandbook1/corebird/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntuhandbook1/corebird/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntu-mate-dev-ubuntu-welcome-xenial.list <==
deb http://ppa.launchpad.net/ubuntu-mate-dev/welcome/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/welcome/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntu-mate-dev-ubuntu-welcome-xenial.list.save <==
deb http://ppa.launchpad.net/ubuntu-mate-dev/welcome/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntu-mate-dev/welcome/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntu-wine-ubuntu-ppa-xenial.list <==
deb http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu xenial main

==> /etc/apt/sources.list.d/ubuntu-wine-ubuntu-ppa-xenial.list.save <==
deb http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu xenial main
deb-src http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu xenial main

anon42388993 · 19 April 2016 15:15

==> /etc/apt/sources.list.d/spideroakone.list <== deb http://APT.spideroak.com/ubuntu-spideroak-hardy/ release restricted ==> /etc/apt/sources.list.d/spideroakone.list.save <== deb http://APT.spideroak.com/ubuntu-spideroak-hardy/ release restricted

Ok, need to remove this. Should be good to go after that.

Tristan_VILLERS · 19 April 2016 15:17

working, i’lle try out and let u know about. Thanks

Tristan_VILLERS · 19 April 2016 15:57

Ok it solved the problem with spideroak source list, but still geu this in terminal

/usr/share/appgrid/appdata/helpers.py:9: PyGIWarning: Soup was imported without specifying a version first. Use gi.require_version('Soup', '2.4') before import to ensure that the right version gets loaded.
  from gi.repository import GLib, GObject, Soup
Lecture des listes de paquets... Fait
W: http://download.videolan.org/pub/debian/stable/Release.gpg: Signature by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 uses weak digest algorithm (SHA1)

i did nothing wrong with appgrid, don’t get what’s this about
usr/share/appgrid/appdata/helpers
Is Ubuntu MAte using any ppa for VLC ?
By the way, by disable spideroak repo, i don’t get any update, if so …
Thanks !!!

anon42388993 · 19 April 2016 16:58

Talking about this?

https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1558331

Tristan_VILLERS · 19 April 2016 21:05

looks the same, so seems to be a bug reported …
thanks anyway

Tristan_VILLERS · 19 April 2016 21:22

just have to read this !!
https://www.debian-administration.org/users/dkg/weblog/48
Bug is still there if saw well, even with last update. I’ll see.
Thanks

lah7 · 20 April 2016 23:00

This topic was automatically closed after 15 days. New replies are no longer allowed.