Login/Register
Repository 'http://security.debian.org/debian-security buster/updates InRelease' changed its 'Suite' value from 'stable' to 'oldstable'
Asked Answered
Solved shellselenium-chromedriverdebiangithub-actionsdebian-buster
P

3

144

Some of my GitHub Actions workflows started recently to return this error when installing Chromedriver:

Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster InRelease [122 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Reading package lists...
E: Repository 'http://security.debian.org/debian-security buster/updates InRelease' changed its 'Suite' value from 'stable' to 'oldstable'
E: Repository 'http://deb.debian.org/debian buster InRelease' changed its 'Suite' value from 'stable' to 'oldstable'
E: Repository 'http://deb.debian.org/debian buster-updates InRelease' changed its 'Suite' value from 'stable-updates' to 'oldstable-updates'
Error: Process completed with exit code 100.

Here is my step implementation:

jobs:
  build:
    runs-on: ubuntu-latest
    container:
        image: docker://guillaumefalourd/ritchiecli:py-3.8
    steps:
      - name: Install Chrome Driver
        run: |
            sudo apt-get update
            sudo apt-get install -y unzip xvfb libxi6 libgconf-2-4 gnupg2
            sudo curl -sS -o - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add
            sudo echo "deb https://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list
            sudo apt-get -y update
            sudo apt-get -y install google-chrome-stable
            wget -N https://chromedriver.storage.googleapis.com/89.0.4389.23/chromedriver_linux64.zip -P ~/
            unzip ~/chromedriver_linux64.zip -d ~/
            rm ~/chromedriver_linux64.zip
            sudo mv -f ~/chromedriver /usr/local/bin/chromedriver
            sudo chown root:root /usr/local/bin/chromedriver
            sudo chmod 0755 /usr/local/bin/chromedriver

Docker Image Implementation: docker://guillaumefalourd/ritchiecli:py-3.8

What I tried

  1. I read from here and here that adding sudo apt-get --allow-releaseinfo-change update or sudo apt-get dist-upgrade could resolve the problem, but even adding those to my workflow didn't resolve it.

  2. I tried using this action setup-chromedriver but it returned the same error when following the documentation:

    steps:
- uses: actions/checkout@v2
- uses: nanasess/setup-chromedriver@master
  with:
    # Optional: do not specify to match Chrome's version
    chromedriver-version: '88.0.4324.96'
- run: |
    export DISPLAY=:99
    chromedriver --url-base=/wd/hub &
    sudo Xvfb -ac :99 -screen 0 1280x1024x24 > /dev/null 2>&1 & # optional

  3. As it seems to be related to Debian 10 (Buster) (?) I also tried to use another Ubuntu runner version as a runner (ubuntu-18.04 instead of ubuntu-latest), but nothing changed, same error.

How can I resolve this issue?

Answer

I observed afterwards that the problem was happening at the first command : sudo apt-get update (and I was adding the other command after...).

Substituting it for sudo apt-get --allow-releaseinfo-change update resolved my problem.

Therefore the answer was not to add the sudo apt-get --allow-releaseinfo-change update to the step executed commands, but substituting the sudo apt-get update command for it.

jobs:
  build:
    runs-on: ubuntu-latest
    container:
        image: docker://guillaumefalourd/ritchiecli:py-3.8
    steps:
      - name: Install Chrome Driver
        run: |
            sudo apt-get --allow-releaseinfo-change update
            sudo apt-get install -y unzip xvfb libxi6 libgconf-2-4 gnupg2
            sudo curl -sS -o - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add
            sudo echo "deb https://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list
            sudo apt-get -y update
            sudo apt-get -y install google-chrome-stable
            wget -N https://chromedriver.storage.googleapis.com/89.0.4389.23/chromedriver_linux64.zip -P ~/
            unzip ~/chromedriver_linux64.zip -d ~/
            rm ~/chromedriver_linux64.zip
            sudo mv -f ~/chromedriver /usr/local/bin/chromedriver
            sudo chown root:root /usr/local/bin/chromedriver
            sudo chmod 0755 /usr/local/bin/chromedriver
Psychotomimetic answered 16/8, 2021 at 12:25 Comment(3)
If you want stable (which changes), use "stable" on source.list, else use the release name. Note: a sed command could correct it, if you get wrong data from others. So check your /etc/apt/sources.list*Hagiographer
Side note: this has probably happened because Debian have just released "bullseye" (debian.org/News/2021/20210814), so Buster moves into LTS - wiki.debian.org/LTSUnquote
apt upgrade solved the problem for me.Rete
D
178

I know you tried it with

apt-get --allow-releaseinfo-change update

but it worked for me.

This is my command in the dockerfile:

wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
&& sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
&& apt-get --allow-releaseinfo-change update \
&& apt-get install -y google-chrome-unstable \
   --no-install-recommends \
&& rm -rf /var/lib/apt/lists/*

not required: rm -rf /var/lib/apt/lists/*

Derouen answered 16/8, 2021 at 14:11 Comment(4)
Thanks for the answer. I observed afterwards that the problem was happening at the first command : sudo apt-get update (and I was adding the other command after...). Just substituting it for sudo apt-get --allow-releaseinfo-change update resolved my problem :)Psychotomimetic
It didn't use to be there and then all of a sudden apt-get --allow-releaseinfo-change update is required to get rid of the errors! Could someone explain this a bit more in brief?March
Just what my Buster system needed. As of my writing this my system is NOW currently updating 263 packages with several additional security updates. A++Cabalist
Trying to install docker on raspberry pi with their convenience script - your solution worked for meInanity
Q
35

FWIW, you may reduce your risk in using this option (--allow-releaseinfo-change) by adding "specialist options" to limit the fields you permit to bypass apt-secure. From man apt-get:

Specialist options (--allow-releaseinfo-change-field) exist to allow changes only for certain fields like origin, label, codename, suite, version and defaultpin. See also apt_preferences(5).

For example, in the current bugaboo created by the delayed release of bullseye between the Debian and its derivative RPi OS, the specialist option would be suite. This due to the fact that the suite label in buster has been changed from stable to oldstable:

$ sudo apt-get --allow-releaseinfo-change-suite update
Quirt answered 30/8, 2021 at 22:13 Comment(1)
This answer seems better to me, because the allowed release info change is limited to the specific field suite and nothing more.Petronel
Z
8

Note

This is a cross post from serverfault.com.

It feels relevant here too because I couldn't solve the issue with the accepted answer apt-get --allow-releaseinfo-change-suite update and the accepted answer has security implications and doesn't actually tackle the underlying issue of apt getting security updates from the wrong repo.

Issue

Faced this issue on a Debian Stretch (9) Docker image.

The below error came up when running apt-get update

W: The repository 'http://security.debian.org/debian-security stretch/updates Release' does not have a Release file.
W: The repository 'http://deb.debian.org/debian stretch Release' does not have a Release file.
W: The repository 'http://deb.debian.org/debian stretch-updates Release' does not have a Release file.
E: Failed to fetch http://security.debian.org/debian-security/dists/stretch/updates/main/binary-amd64/Packages  404  Not Found [IP: xx]
E: Failed to fetch http://deb.debian.org/debian/dists/stretch/main/binary-amd64/Packages  404  Not Found
E: Failed to fetch http://deb.debian.org/debian/dists/stretch-updates/main/binary-amd64/Packages  404  Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.

Background

This is related to the security repo in particular.

These repo definitions are used by apt to fetch update and they are defined in /etc/apt/sources.list

The official Debian Security recommendation - https://www.debian.org/security/

To keep your Debian operating system up-to-date with security patches, please add the following line to your /etc/apt/sources.list file

`deb http://security.debian.org/debian-security bullseye-security main contrib non-free`

Answer

Add this line in the Dockerfile

RUN echo "deb http://security.debian.org/debian-security bullseye-security main contrib non-free" > /etc/apt/sources.list

RUN apt-get update

Other solutions

What didn't work for me:

  • Changing the repo to stable-security
  • Running apt with --allow-releaseinfo-change flag - the flag pairing with apt-get update was not recognised

What else worked:

  • Instead of using the bullseye security repo you could use the stretch archive repo deb http://archive.debian.org/debian stretch main contrib non-free; it would be better to stick to the security from the latest release from a security perspective

Update

The above is correct if you are just zooming in on the security repo issue.

Why are we having these problems with the security repo?

In my case Debian 9 is an archived, unsupported, unmaintained version.

Although I could "fix" (bypass) the security repo, I had further issues with dependency repos for APT. Since the version is deprecated these repos needed to point to archive.

In general this forced me to upgrade to Debian 10. On Debian 10 I had no need for the above fix.

Ziwot answered 2/5, 2023 at 10:30 Comment(2)
I had this issues with an old PHP Docker image and only adding stretch archive repo worked.Breach
@Breach glad it worked, but aim to upgrade to a base LTS version as soon as you can. This state freezes the security updates and it leaves you open to future exploits.Ziwot

© 2022 - 2024 — McMap. All rights reserved.