#1105041 document that apt (and rust packages) require SSE2 on i386

Package:
apt
Source:
apt
Description:
commandline package manager
Submitter:
Martin-Éric Racine
Date:
2025-05-10 10:51:03 UTC
Severity:
normal
Tags:
#1105041#5
Date:
2025-05-10 08:02:55 UTC
From:
To:
Since the above sqv bin-NMU trickled down to Trixie, APT systematically fails to verify Debian archive keys:

W: Failed to fetch https://deb.debian.org/debian-security/dists/stable-security/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian-security/dists/testing-security/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian/dists/stable-updates/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian/dists/stable/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian/dists/stable-backports/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian/dists/testing-updates/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian/dists/testing/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian/dists/testing-backports/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian-debug/dists/stable-debug/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian-debug/dists/stable-backports-debug/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian-debug/dists/testing-debug/InRelease  No good signature
W: Failed to fetch https://deb.debian.org/debian-debug/dists/testing-backports-debug/InRelease  No good signature
W: Some index files failed to download. They have been ignored, or old ones used instead.

$ dpkg -l | grep archive-keyring
ii  debian-archive-keyring         2025.1                         all          OpenPGP archive certificates of the Debian archive
ii  debian-ports-archive-keyring   2025.04.05                     all          OpenPGP archive certificates of the debian-ports archive

This only happens on one of my Trixie hosts, so this could be a Rust issue.

Martin-Éric

#1105041#10
Date:
2025-05-10 08:22:48 UTC
From:
To:
control: tags -1 + moreinfo
thanks
[...]

what are your versions of apt and sqv installed?

how strange, though I dont understand why you think this would be a Rust issue?

do you have several i386 hosts or only one? what CPU models do they have?

fwiw:

root@psi:~# apt update
Hit:1 http://deb.debian.org/debian trixie InRelease
Hit:2 http://deb.debian.org/debian trixie-updates InRelease
Hit:3 http://deb.debian.org/debian trixie-backports InRelease
Hit:4 http://security.debian.org trixie-security InRelease
All packages are up to date.
Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so.
root@psi:~# dpkg -l apt sqv gnupg2 debian-archive-keyring debian-ports-archive-keyring
dpkg-query: no packages found matching debian-ports-archive-keyring
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version      Architecture Description
+++-======================-============-============-======================================>
ii  apt                    3.0.1        amd64        commandline package manager
ii  debian-archive-keyring 2025.1       all          OpenPGP archive certificates of the De>
un  gnupg2                 <none>       <none>       (no description available)
ii  sqv                    1.3.0-1+b1   amd64        Simple OpenPGP signature verification >
root@psi:~#

#1105041#17
Date:
2025-05-10 08:27:39 UTC
From:
To:
control: tags -1 + unreproducible

holger@infom07-i386:~$ sudo apt update
Hit:1 http://security.debian.org trixie-security InRelease
Hit:2 http://deb.debian.org/debian trixie InRelease
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian trixie-backports InRelease
All packages are up to date.
Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so.
holger@infom07-i386:~$ dpkg -l apt sqv gnupg2 debian-archive-keyring
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version      Architecture Description
+++-======================-============-============-==================================================
ii  apt                    3.0.1        i386         commandline package manager
ii  debian-archive-keyring 2025.1       all          OpenPGP archive certificates of the Debian archive
un  gnupg2                 <none>       <none>       (no description available)
ii  sqv                    1.3.0-1+b1   i386         Simple OpenPGP signature verification program
holger@infom07-i386:~$ cat /proc/cpuinfo |tail -28|head -13
processor       : 7
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 49
model name      : AMD EPYC-Rome Processor
stepping        : 0
microcode       : 0x1000065
cpu MHz         : 1996.250
cache size      : 512 KB
physical id     : 1
siblings        : 4
core id         : 3
cpu cores       : 4
holger@infom07-i386:~$

#1105041#24
Date:
2025-05-10 08:27:39 UTC
From:
To:
control: tags -1 + unreproducible

holger@infom07-i386:~$ sudo apt update
Hit:1 http://security.debian.org trixie-security InRelease
Hit:2 http://deb.debian.org/debian trixie InRelease
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian trixie-backports InRelease
All packages are up to date.
Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so.
holger@infom07-i386:~$ dpkg -l apt sqv gnupg2 debian-archive-keyring
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version      Architecture Description
+++-======================-============-============-==================================================
ii  apt                    3.0.1        i386         commandline package manager
ii  debian-archive-keyring 2025.1       all          OpenPGP archive certificates of the Debian archive
un  gnupg2                 <none>       <none>       (no description available)
ii  sqv                    1.3.0-1+b1   i386         Simple OpenPGP signature verification program
holger@infom07-i386:~$ cat /proc/cpuinfo |tail -28|head -13
processor       : 7
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 49
model name      : AMD EPYC-Rome Processor
stepping        : 0
microcode       : 0x1000065
cpu MHz         : 1996.250
cache size      : 512 KB
physical id     : 1
siblings        : 4
core id         : 3
cpu cores       : 4
holger@infom07-i386:~$

#1105041#29
Date:
2025-05-10 08:37:48 UTC
From:
To:
la 10.5.2025 klo 11.23 Holger Levsen (holger@layer-acht.org) kirjoitti:

ii  apt                            3.0.1                          i386
        commandline package manager
ii  sqv                            1.3.0-1+b1                     i386
        Simple OpenPGP signature verification program

Precisely.

I have two i386 hosts tracking Testing (currently Trixie). The U1400
one updates its APT lists just fine. This Pentium III (Coppermine) has
been failing to do so ever since sqv 1.3.0-1+b1 trickled into Testing
yesterday.

Martin-Éric

#1105041#34
Date:
2025-05-10 08:51:15 UTC
From:
To:
control: reassign -1 release-notes
control: tags -1 - moreinfo unreproducible
control: retitle -1 document that rust packages require SSE2 on i386
thanks

Hi,

I'm reassigning this to release-notes as this needs to be documented
for the trixie release. Leaving some context too, but please read the full
bug.

ok, this was to be expected, see #1095862, thus reassigning to release-notes.

That said, can you please try removing sqv and see what happens? apt should use
gpgv then instead and that should work.

#1105041#47
Date:
2025-05-10 08:56:16 UTC
From:
To:
also I wanted to add: this is with a Pentium III processor. It's successor,
the Pentium IV (which has SSE2) was launched in November 2000, so almost
25 years ago.

Pentium IIIs were produced from 1999 until 2004 (desktop) and 2007
(mobile versions).

#1105041#52
Date:
2025-05-10 09:26:10 UTC
From:
To:
la 10.5.2025 klo 11.51 Holger Levsen (holger@layer-acht.org) kirjoitti:

This might indeed be a good idea. IIRC Go packages have similar requirements.

Debian might as well push i386 over to debian-ports at this point,
instead of releasing Trixie with broken support and without kernels,
since making Pentium 4 the base CPU level for Rust, Go, etc. will
essentially kill the whole x86-32 user base, except for the last few
laptop chipsets that were released before AMD and Intel discontinued
x86-32 production.

It cannot be removed without --force-depends since APT nowadays has
sqv as a hard Depends. It would be a good idea for APT to list
supported alternatives e.g. "sqv | gpgv" instead, preferably in the
same order as dpkg-dev does.

Once sqv was force-removed, APT indeed was able to update its APT
lists. However, since a Depends was removed, it now cannot perform any
useful operation until that missing dependency is resolved.

Martin-Éric

#1105041#57
Date:
2025-05-10 09:37:03 UTC
From:
To:
right.

I'm not sure why this isn't the case already, but maybe it's worth
cloning and reassigning this bug to src:apt.

equivs helps with that, but is probably not installed :/

#1105041#62
Date:
2025-05-10 09:46:16 UTC
From:
To:
control: clone -1 apt
control: reassign -1 apt
control: retitle -1 apt: replace Depends on sqv with sqv | gpgv, etc.
thanks

la 10.5.2025 klo 12.37 Holger Levsen (holger@layer-acht.org) kirjoitti:

Done.

Martin-Éric

#1105041#71
Date:
2025-05-10 09:49:40 UTC
From:
To:
control: affects -1 apt
control: document that apt (and rust packages) require SSE2 on i386
thanks

Hi,

looping in the apt maintainers, please read the full report, in short:
since the latest binNMU sqv now fails to run on i386 because due to
#1095862 in rustc the baseline was raised to require SSE2, so causing
apt to fail to verify because sqv fails to run...

#1105041#80
Date:
2025-05-10 10:06:07 UTC
From:
To:
la 10.5.2025 klo 12.50 Holger Levsen (holger@layer-acht.org) kirjoitti:

Incorrect title. APT doesn't require SSE2. Only sqv does. Making apt
Depends on sqv | gpgv fixes this.

#1105041#85
Date:
2025-05-10 09:56:46 UTC
From:
To:
Hi,
[...]

As I mentioned on #-release:

I think we should just document that the baseline on i386 now requires
SSE2 instead of limiting the statement to selected packages. If apt
requires SSE2 indirectly, it doesn't matter to most users that
technically it is only sqv.

This together with other changes (such as dropped i386 kernels)
probably also answers de-facto the questions what the i386 port is for:
running on old systems or running old software on new systems. (And
would probably mean that GCC could also enable SSE2 by default in
future releases.)

Ansgar

#1105041#90
Date:
2025-05-10 10:17:21 UTC
From:
To:
Hi,

i386 is not supported for upgrades. i386 is only supported to be used as
multi-arch or in a i386 chroot (on otherwise more powerful hardware).

See https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/171

Paul

#1105041#95
Date:
2025-05-10 10:46:52 UTC
From:
To:
reassign 1105027 release-notes
clone 1105027 -1
reassign -1 apt
tag -1 + wontfix
thanks

hi,

from an apt maintainer:

< juliank> I'm not adding a | gpgv alternative because that completely undermines our security support and will cause systems behaving differently
< juliank> There's more details
< juliank> If you have a | gpgv alternative all upgraded systems stay on gpgv
< juliank> This is horrible divergence