Score:4

security.debian.org 'does not have a Release file' with Debian Docker images


It appears that debian:stable-slim and debian:stable are both currently broken (for updates):

```
$ docker run -ti --rm  debian:stable-slim
Unable to find image 'debian:stable-slim' locally
stable-slim: Pulling from library/debian
fc491617b0f1: Pull complete
Digest: sha256:a85c2c0e634946e92a6f4a9a4f6ce5f19ce7c11885bc198f04ab3ae8dacbaffa
Status: Downloaded newer image for debian:stable-slim
root@e610973ac2f8:/# apt update
Ign:1 http://security.debian.org/debian-security stable/updates InRelease
Err:2 http://security.debian.org/debian-security stable/updates Release
  404  Not Found [IP: 151.101.130.132 80]
Get:3 http://deb.debian.org/debian stable InRelease [113 kB]
Get:4 http://deb.debian.org/debian stable-updates InRelease [36.8 kB]
Get:5 http://deb.debian.org/debian stable/main amd64 Packages [8178 kB]
Reading package lists... Done
E: The repository 'http://security.debian.org/debian-security stable/updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

Anyone else experienced this or found a workaround?

ro flag
This is most likely related to the release of Debian Bullseye. I was able to work around the issue by switching to "debian:buster-slim".
alanionita avatar
FYI buster-slim (Debian 10) has 6X the critical vulnerabilities of stretch-slim (Debian 9) or jessie-slim (Debian 8)
Score:10

Issue

Faced this issue on a Debian Stretch (9) Docker image.

The below error came up when running apt-get update

```
W: The repository 'http://security.debian.org/debian-security stretch/updates Release' does not have a Release file.
W: The repository 'http://deb.debian.org/debian stretch Release' does not have a Release file.
W: The repository 'http://deb.debian.org/debian stretch-updates Release' does not have a Release file.
E: Failed to fetch http://security.debian.org/debian-security/dists/stretch/updates/main/binary-amd64/Packages  404  Not Found [IP: xx]
E: Failed to fetch http://deb.debian.org/debian/dists/stretch/main/binary-amd64/Packages  404  Not Found
E: Failed to fetch http://deb.debian.org/debian/dists/stretch-updates/main/binary-amd64/Packages  404  Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
```

Background

This is related to the security repo in particular.

These repo definitions are used by apt to fetch updates, and they are defined in `/etc/apt/sources.list`.

The official Debian Security recommendation - https://www.debian.org/security/

To keep your Debian operating system up-to-date with security patches, please add the following line to your /etc/apt/sources.list file

`deb http://security.debian.org/debian-security bullseye-security main contrib non-free`

Answer

Add this line in the Dockerfile

```dockerfile
RUN echo "deb http://security.debian.org/debian-security bullseye-security main contrib non-free" > /etc/apt/sources.list

RUN apt-get update
```

Other solutions

What didn't work for me:

  • Changing the repo to stable-security
  • Running apt with the `--allow-releaseinfo-change` flag - the flag pairing with `apt-get update` was not recognised

What else worked:

  • Instead of using the bullseye security repo you could use the stretch archive repo `deb http://archive.debian.org/debian stretch main contrib non-free`; it would be better to stick to the security from the latest release from a security perspective

Update

The above is correct if you are just zooming in on the security repo issue.

Why are we having these problems with the security repo?

In my case Debian 9 is an archived, unsupported, unmaintained version.

Although I could "fix" (bypass) the security repo, I had further issues with dependency repos for APT. Since the version is deprecated these repos needed to point to archive.

In general this forced me to upgrade to Debian 10. On Debian 10 I had no need for the above fix.

Tyler Collier avatar
When I do your idea, I see this:

```
apt update
Hit:1 http://security.debian.org/debian-security stable-security/updates InRelease
Get:2 http://security.debian.org/debian-security stable-security/updates/non-free amd64 Packages [528 B]
Ign:3 https://packages.sury.org/php stretch InRelease
Err:4 https://packages.sury.org/php stretch Release
  403 Forbidden
Reading package lists... Done
```

Do you see a 403 as well?
Tyler Collier avatar
Never mind. I realized it was trying to access https://packages.sury.org/php... due to a file at `/etc/apt/sources.list.d/php.list` which I didn't realize was there.
alanionita avatar
Just added an update. Turns out that I didn't spend enough time asking why I'm having these security repo issues. In my case it was because we used Debian 9 which is outside of LTS support. The fix above resolves apt security repo issues, but you will later experience issues with downloading packages. This is because apt should point to an archive repo for packages, but as you know this stops you from using the latest versions. In my case I had to upgrade the base image to Debian 10 and I didn't need the above fix at all, nor did I have any problems with package downloads via apt.
Tyler Collier avatar
Yeah, it would be nice if, when trying to run `apt update`, it said something like `You know you're on a super old version that's beyond support, even LTS support, right?`. That might've saved me a lot of googling. As it was, I found dozens of related answers around the internet that were all from before June 2022, when LTS support ended, so I went down too many rabbit holes. In the end I upgraded my Debian version just like you.
james emanon avatar
Hey @alanionita, I posted above about my docker, would you know how to update that to get the appropriate Debian updates?
alanionita avatar
@TylerCollier - an apt message would be good, but most people that have this issue are using Debian in the supply chain. The official node images for example are built on top of Debian, but the non-scoped images are still on Debian 9 (they were at the time of the answer). If you know enough about Linux you can figure it out, but for most people using that image it's going to be a very well-hidden supply chain misconfiguration.
Score:10

I was able to fix this by changing this line:

```
deb http://security.debian.org/debian-security stable/updates main
```

to

```
deb http://security.debian.org/debian-security stable-security/updates main
```

You can do that by running:

```
sed -i 's/stable\/updates/stable-security\/updates/' /etc/apt/sources.list
```
ro flag
Nice. Yeah it's most likely related to some changes in Debian Bullseye, which is now the latest 'stable' release.
zzu avatar
There's been a rename of the security updates repository for Debian 11. See the gray box: https://debian-handbook.info/browse/en-US/stable/apt.html#sect.apt-sources.list.testing
cn flag
Thanks, this helped me immensely!
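
A way to apply and check the security suite rename discussed in the answers above, as an added example that is not part of the original thread. The function names are made up for the example, the rewrite targets the `<suite>-security` form from the Debian line quoted in the second answer, and bookworm and trixie are assumed as later releases that follow the same naming.

```shell
#!/bin/sh
# Added example, not from the thread. bookworm and trixie are assumed here as
# the releases after bullseye; they use the same "<suite>-security" naming.
RENAMED='stable|bullseye|bookworm|trixie'

# Rewrite "<suite>/updates" to "<suite>-security" on security.debian.org
# entries. Reads sources.list text on stdin, writes the result to stdout.
# Older codenames (buster, stretch, ...) and comment lines are left alone.
fix_security_suites() {
    sed -E "/^[[:space:]]*deb(-src)?[[:space:]].*security\.debian\.org/ \
s#([[:space:]])($RENAMED)/updates([[:space:]]|\$)#\1\2-security\3#"
}

# Report entries that break, or silently change, when "stable" moves to a
# new release. Takes file names (sources.list and sources.list.d/*.list).
# Prints "file:line: reason"; returns 1 if anything was reported.
audit_sources() {
    awk -v old="^($RENAMED)/updates\$" '
        $1 == "deb" || $1 == "deb-src" {
            suite = ""
            # The suite is the field after the URI (options may precede it).
            for (i = 2; i < NF; i++)
                if (index($i, "://")) { suite = $(i + 1); break }
            if (suite ~ old) {
                printf "%s:%d: old security suite %s\n", FILENAME, FNR, suite
                bad = 1
            } else if (suite ~ "^(old)*stable([-/]|$)") {
                printf "%s:%d: floating suite %s\n", FILENAME, FNR, suite
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input, for illustration only.
fix_security_suites <<'EOF'
deb http://deb.debian.org/debian stable main
deb http://security.debian.org/debian-security stable/updates main
deb http://security.debian.org/debian-security buster/updates main
EOF
```

In a Dockerfile, `audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list` can run before `apt-get update` so the build fails with a named file and line instead of a 404.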