16

It appears that both debian:stable-slim and debian:stable are currently broken (for updates):

```
$ docker run -ti --rm  debian:stable-slim
Unable to find image 'debian:stable-slim' locally
stable-slim: Pulling from library/debian
fc491617b0f1: Pull complete
Digest: sha256:a85c2c0e634946e92a6f4a9a4f6ce5f19ce7c11885bc198f04ab3ae8dacbaffa
Status: Downloaded newer image for debian:stable-slim
root@e610973ac2f8:/# apt update
Ign:1 http://security.debian.org/debian-security stable/updates InRelease
Err:2 http://security.debian.org/debian-security stable/updates Release
  404  Not Found [IP: 151.101.130.132 80]
Get:3 http://deb.debian.org/debian stable InRelease [113 kB]
Get:4 http://deb.debian.org/debian stable-updates InRelease [36.8 kB]
Get:5 http://deb.debian.org/debian stable/main amd64 Packages [8178 kB]
Reading package lists... Done
E: The repository 'http://security.debian.org/debian-security stable/updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

Anyone else experienced this or found a workaround?

vpetersson
  • This is most likely related to the release of Debian Bullseye. I was able to work around the issue by switching to "debian:buster-slim". – vpetersson Aug 16 '21 at 13:34
  • FYI buster-slim(Debian 10) has 6X the critical vulnerabilities of stretch-slim (Debian 9) or jessie-slim (Debian 8) – alanionita May 02 '23 at 09:46

2 Answers

23

I was able to fix this by changing this line:

deb http://security.debian.org/debian-security stable/updates main

to

deb http://security.debian.org/debian-security stable-security/updates main

You can do that by running:

```
sed -i 's/stable\/updates/stable-security\/updates/' /etc/apt/sources.list
```
Gerald Schneider
  • 1
    Nice. Yeah it's most likely related to some changes in Debian Bullseye, which is now the latest 'stable' release. – vpetersson Aug 16 '21 at 13:35
  • 5
    There's been a rename of the security updates repository for Debian 11. See the gray box: https://debian-handbook.info/browse/en-US/stable/apt.html#sect.apt-sources.list.testing – zzu Aug 17 '21 at 15:25
  • Thanks, this helped me immensely! – Nicolas Rouquette Dec 06 '21 at 23:06
10

Issue

Faced this issue on a Debian Stretch (9) Docker image.

The below error came up when running apt-get update

```
W: The repository 'http://security.debian.org/debian-security stretch/updates Release' does not have a Release file.
W: The repository 'http://deb.debian.org/debian stretch Release' does not have a Release file.
W: The repository 'http://deb.debian.org/debian stretch-updates Release' does not have a Release file.
E: Failed to fetch http://security.debian.org/debian-security/dists/stretch/updates/main/binary-amd64/Packages  404  Not Found [IP: xx]
E: Failed to fetch http://deb.debian.org/debian/dists/stretch/main/binary-amd64/Packages  404  Not Found
E: Failed to fetch http://deb.debian.org/debian/dists/stretch-updates/main/binary-amd64/Packages  404  Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
```

Background

This is related to the security repo in particular.

These repo definitions are used by apt to fetch updates and they are defined in /etc/apt/sources.list

The official Debian Security recommendation - https://www.debian.org/security/

To keep your Debian operating system up-to-date with security patches, please add the following line to your /etc/apt/sources.list file

`deb http://security.debian.org/debian-security bullseye-security main contrib non-free`

Answer

Add this line in the Dockerfile

```
RUN echo "deb http://security.debian.org/debian-security bullseye-security main contrib non-free" > /etc/apt/sources.list

RUN apt-get update
```

Other solutions

What didn't work for me:

  • Changing the repo to stable-security
  • Running apt with --allow-releaseinfo-change flag - the flag pairing with apt-get update was not recognised

What else worked:

  • Instead of using the bullseye security repo you could use the stretch archive repo `deb http://archive.debian.org/debian stretch main contrib non-free`; it would be better to stick to the security from the latest release from a security perspective

Update

The above is correct if you are just zooming in on the security repo issue.

Why are we having these problems with the security repo?

In my case Debian 9 is an archived, unsupported, unmaintained version.

Although I could "fix" (bypass) the security repo, I had further issues with dependency repos for APT. Since the version is deprecated these repos needed to point to archive.

In general this forced me to upgrade to Debian 10. On Debian 10 I had no need for the above fix.

alanionita
  • When I do your idea, I see this: `apt update Hit:1 http://security.debian.org/debian-security stable-security/updates InRelease Get:2 http://security.debian.org/debian-security stable-security/updates/non-free amd64 Packages [528 B] Ign:3 https://packages.sury.org/php stretch InRelease Err:4 https://packages.sury.org/php stretch Release 403 Forbidden Reading package lists... Done` Do you see a 403 as well? – Tyler Collier May 02 '23 at 17:26
  • Nevermind. I realized it was trying to access https://packages.sury.org/php... due to a file at `/etc/apt/sources.list.d/php.list` which I didn't realize was there. – Tyler Collier May 02 '23 at 17:39
  • 1
    Just added an update. Turns out that I didn't spend enough time asking why I'm having these security repo issues. In my case it was because we used Debian 9 which is outside of LTS support. The fix above resolves apt security repo issues, but you will later experience issues with downloading packages. This is because apt should point to an archive repo for packages, but as you know this stops you from using the latest versions. In my case I had to upgrade the base image to Debian 10 and I didn't need the above fix at all, nor did I have any problems with package downloads via apt. – alanionita May 03 '23 at 15:58
  • Yeah, it would be nice if, when trying to run `apt update`, it said something like `You know you're on a super old version that's beyond support, even LTS support, right?`. That might've saved me a lot of googling. As it was, I found dozens of related answers around the internet that were all from before June 2022, when LTS support ended, so I went down too many rabbit holes. In the end I upgraded my Debian version just like you. – Tyler Collier May 03 '23 at 16:18
  • hey @alanionita , I posted above about my docker, would you know how to update that to get the appropriate debian updates? – james emanon May 04 '23 at 23:11
  • @TylerCollier - an apt message would be good, but for most people that have this issue they're using Debian in the supply chain. The official node images for example are built on top of Debian, but the non-scoped images are still on Debian 9 (they were at the time of the answer). If you know enough about Linux you can figure it out, but for most people using that image it's going a very well hidden supply chain misconfiguration. – alanionita Jun 29 '23 at 11:13
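
Added example, not part of any answer or comment above: a shell function that audits `deb` lines for the three conditions this thread runs into (a floating `stable` alias, the pre-Debian-11 `<suite>/updates` security naming, and an out-of-support release still pointed at the live mirrors). The names `audit_sources`, `sample_sources`, `LEGACY_NAMING` and `ARCHIVED`, the finding labels and the sample input are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit APT "deb" lines for the failure modes in this thread.
# Releases that used "<suite>/updates" security naming (Debian 10 and older).
LEGACY_NAMING="jessie stretch buster"
# Releases this page reports as out of support; assumed list, extend locally.
ARCHIVED="jessie stretch"

# audit_sources [FILE]: read a sources.list (or stdin) and print one
# "FINDING<TAB>original line" record per problem found.
audit_sources() {
  awk -v legacy="$LEGACY_NAMING" -v archived="$ARCHIVED" '
    BEGIN {
      n = split(legacy, a, " ");   for (i = 1; i <= n; i++) leg[a[i]] = 1
      n = split(archived, b, " "); for (i = 1; i <= n; i++) old[b[i]] = 1
    }
    $1 != "deb" && $1 != "deb-src" { next }   # comments, blank lines
    {
      u = 2                                   # skip an optional [options] block
      if ($u ~ /^\[/) { while (u <= NF && $u !~ /\]$/) u++; u++ }
      uri = $u; suite = $(u + 1)
      base = suite; sub("[-/].*$", "", base)  # stable/updates -> stable

      # Alias that silently moves to the next release on release day.
      if (base == "stable" || base == "oldstable")
        print "FLOATING_ALIAS\t" $0
      # Pre-Debian-11 security naming on a suite not known to serve it.
      if (uri ~ /security\.debian\.org/ && suite ~ "^[a-z]+/updates$" && !(base in leg))
        print "LEGACY_SECURITY_SUITE\t" $0
      # Out-of-support release still pointed at the live mirrors.
      if ((base in old) && uri !~ /archive\.debian\.org/)
        print "ARCHIVED_RELEASE\t" $0
    }' "${1:--}"
}

# Constructed sample, modelled on the repository lines quoted on this page.
sample_sources() {
  cat <<'EOF'
deb http://deb.debian.org/debian stable main
deb http://security.debian.org/debian-security stable/updates main
deb http://security.debian.org/debian-security stable-security/updates main
deb [arch=amd64] http://deb.debian.org/debian stretch main
deb http://archive.debian.org/debian stretch main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
EOF
}

sample_sources | audit_sources
```

Inside an image, run it against `/etc/apt/sources.list` and each file under `/etc/apt/sources.list.d/`, since a forgotten file there produced the 403 reported in the comments.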