Since the above sqv bin-NMU trickled down to Trixie, APT systematically fails to verify Debian archive keys: W: Failed to fetch https://deb.debian.org/debian-security/dists/stable-security/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian-security/dists/testing-security/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian/dists/stable-updates/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian/dists/stable/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian/dists/stable-backports/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian/dists/testing-updates/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian/dists/testing/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian/dists/testing-backports/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian-debug/dists/stable-debug/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian-debug/dists/stable-backports-debug/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian-debug/dists/testing-debug/InRelease No good signature W: Failed to fetch https://deb.debian.org/debian-debug/dists/testing-backports-debug/InRelease No good signature W: Some index files failed to download. They have been ignored, or old ones used instead. $ dpkg -l | grep archive-keyring ii debian-archive-keyring 2025.1 all OpenPGP archive certificates of the Debian archive ii debian-ports-archive-keyring 2025.04.05 all OpenPGP archive certificates of the debian-ports archive This only happens on one of my Trixie hosts, so this could be a Rust issue. Martin-Éric
control: tags -1 + moreinfo thanks [...] what are your versions of apt and sqv installed? how strange, though I dont understand why you think this would be a Rust issue? do you have several i386 hosts or only one? what CPU models do they have? fwiw: root@psi:~# apt update Hit:1 http://deb.debian.org/debian trixie InRelease Hit:2 http://deb.debian.org/debian trixie-updates InRelease Hit:3 http://deb.debian.org/debian trixie-backports InRelease Hit:4 http://security.debian.org trixie-security InRelease All packages are up to date. Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so. root@psi:~# dpkg -l apt sqv gnupg2 debian-archive-keyring debian-ports-archive-keyring dpkg-query: no packages found matching debian-ports-archive-keyring Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-======================-============-============-======================================> ii apt 3.0.1 amd64 commandline package manager ii debian-archive-keyring 2025.1 all OpenPGP archive certificates of the De> un gnupg2 <none> <none> (no description available) ii sqv 1.3.0-1+b1 amd64 Simple OpenPGP signature verification > root@psi:~#
control: tags -1 + unreproducible holger@infom07-i386:~$ sudo apt update Hit:1 http://security.debian.org trixie-security InRelease Hit:2 http://deb.debian.org/debian trixie InRelease Hit:3 http://deb.debian.org/debian trixie-updates InRelease Hit:4 http://deb.debian.org/debian trixie-backports InRelease All packages are up to date. Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so. holger@infom07-i386:~$ dpkg -l apt sqv gnupg2 debian-archive-keyring Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-======================-============-============-================================================== ii apt 3.0.1 i386 commandline package manager ii debian-archive-keyring 2025.1 all OpenPGP archive certificates of the Debian archive un gnupg2 <none> <none> (no description available) ii sqv 1.3.0-1+b1 i386 Simple OpenPGP signature verification program holger@infom07-i386:~$ cat /proc/cpuinfo |tail -28|head -13 processor : 7 vendor_id : AuthenticAMD cpu family : 23 model : 49 model name : AMD EPYC-Rome Processor stepping : 0 microcode : 0x1000065 cpu MHz : 1996.250 cache size : 512 KB physical id : 1 siblings : 4 core id : 3 cpu cores : 4 holger@infom07-i386:~$
control: tags -1 + unreproducible holger@infom07-i386:~$ sudo apt update Hit:1 http://security.debian.org trixie-security InRelease Hit:2 http://deb.debian.org/debian trixie InRelease Hit:3 http://deb.debian.org/debian trixie-updates InRelease Hit:4 http://deb.debian.org/debian trixie-backports InRelease All packages are up to date. Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so. holger@infom07-i386:~$ dpkg -l apt sqv gnupg2 debian-archive-keyring Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-======================-============-============-================================================== ii apt 3.0.1 i386 commandline package manager ii debian-archive-keyring 2025.1 all OpenPGP archive certificates of the Debian archive un gnupg2 <none> <none> (no description available) ii sqv 1.3.0-1+b1 i386 Simple OpenPGP signature verification program holger@infom07-i386:~$ cat /proc/cpuinfo |tail -28|head -13 processor : 7 vendor_id : AuthenticAMD cpu family : 23 model : 49 model name : AMD EPYC-Rome Processor stepping : 0 microcode : 0x1000065 cpu MHz : 1996.250 cache size : 512 KB physical id : 1 siblings : 4 core id : 3 cpu cores : 4 holger@infom07-i386:~$
la 10.5.2025 klo 11.23 Holger Levsen (holger@layer-acht.org) kirjoitti:
ii apt 3.0.1 i386
commandline package manager
ii sqv 1.3.0-1+b1 i386
Simple OpenPGP signature verification program
Precisely.
I have two i386 hosts tracking Testing (currently Trixie). The U1400
one updates its APT lists just fine. This Pentium III (Coppermine) has
been failing to do so ever since sqv 1.3.0-1+b1 trickled into Testing
yesterday.
Martin-Éric
control: reassign -1 release-notes control: tags -1 - moreinfo unreproducible control: retitle -1 document that rust packages require SSE2 on i386 thanks Hi, I'm reassigning this to release-notes as this needs to be documented for the trixie release. Leaving some context too, but please read the full bug. ok, this was to be expected, see #1095862, thus reassigning to release-notes. That said, can you please try removing sqv and see what happens? apt should use gpgv then instead and that should work.
also I wanted to add: this is with a Pentium III processor. It's successor, the Pentium IV (which has SSE2) was launched in November 2000, so almost 25 years ago. Pentium IIIs were produced from 1999 until 2004 (desktop) and 2007 (mobile versions).
la 10.5.2025 klo 11.51 Holger Levsen (holger@layer-acht.org) kirjoitti: This might indeed be a good idea. IIRC Go packages have similar requirements. Debian might as well push i386 over to debian-ports at this point, instead of releasing Trixie with broken support and without kernels, since making Pentium 4 the base CPU level for Rust, Go, etc. will essentially kill the whole x86-32 user base, except for the last few laptop chipsets that were released before AMD and Intel discontinued x86-32 production. It cannot be removed without --force-depends since APT nowadays has sqv as a hard Depends. It would be a good idea for APT to list supported alternatives e.g. "sqv | gpgv" instead, preferably in the same order as dpkg-dev does. Once sqv was force-removed, APT indeed was able to update its APT lists. However, since a Depends was removed, it now cannot perform any useful operation until that missing dependency is resolved. Martin-Éric
right. I'm not sure why this isn't the case already, but maybe it's worth cloning and reassigning this bug to src:apt. equivs helps with that, but is probably not installed :/
control: clone -1 apt control: reassign -1 apt control: retitle -1 apt: replace Depends on sqv with sqv | gpgv, etc. thanks la 10.5.2025 klo 12.37 Holger Levsen (holger@layer-acht.org) kirjoitti: Done. Martin-Éric
control: affects -1 apt control: document that apt (and rust packages) require SSE2 on i386 thanks Hi, looping in the apt maintainers, please read the full report, in short: since the latest binNMU sqv now fails to run on i386 because due to #1095862 in rustc the baseline was raised to require SSE2, so causing apt to fail to verify because sqv fails to run...
la 10.5.2025 klo 12.50 Holger Levsen (holger@layer-acht.org) kirjoitti: Incorrect title. APT doesn't require SSE2. Only sqv does. Making apt Depends on sqv | gpgv fixes this.
Hi, [...] As I mentioned on #-release: I think we should just document that the baseline on i386 now requires SSE2 instead of limiting the statement to selected packages. If apt requires SSE2 indirectly, it doesn't matter to most users that technically it is only sqv. This together with other changes (such as dropped i386 kernels) probably also answers de-facto the questions what the i386 port is for: running on old systems or running old software on new systems. (And would probably mean that GCC could also enable SSE2 by default in future releases.) Ansgar
Hi, i386 is not supported for upgrades. i386 is only supported to be used as multi-arch or in a i386 chroot (on otherwise more powerful hardware). See https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/171 Paul
reassign 1105027 release-notes clone 1105027 -1 reassign -1 apt tag -1 + wontfix thanks hi, from an apt maintainer: < juliank> I'm not adding a | gpgv alternative because that completely undermines our security support and will cause systems behaving differently < juliank> There's more details < juliank> If you have a | gpgv alternative all upgraded systems stay on gpgv < juliank> This is horrible divergence