From cbbf185c3c55effe47f218a07e7b1f324973a8a6 Mon Sep 17 00:00:00 2001
From: David Kalnischkies <david@kalnischkies.de>
Date: Mon, 29 May 2017 12:37:08 +0200
Subject: fail InRelease on non-404 HTTP errorcodes

There are very many HTTP errorcodes which indicate that the repository
isn't available at the moment or the connection has some kind of
problem. Given that we do not require Release files the result was that
these errors were ignored and the user presented with a message like
"Repository is no longer signed" which sends the user in the wrong
direction.

Instead of trying to figure out which http errorcodes indicate a global
problem we accept only 404 for ignoring and consider all the rest as
hard errors now causing us to stop instantly after the InRelease file
and print the errorcode (with short description from server) received.
---
 apt-pkg/acquire-item.cc                                        | 6 +++++-
 test/integration/test-ubuntu-bug-346386-apt-get-update-paywall | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 3ce0f25cf..574ef4939 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1717,7 +1717,11 @@ void pkgAcqMetaClearSig::Failed(string const &Message,pkgAcquire::MethodConfig c
 
    if (AuthPass == false)
    {
-      if (Status == StatAuthError || Status == StatTransientNetworkError)
+      auto const failreason = LookupTag(Message, "FailReason");
+      auto const httperror = "HttpError";
+      if (Status == StatAuthError || Status == StatTransientNetworkError ||
+	    (strncmp(failreason.c_str(), httperror, strlen(httperror)) == 0 &&
+	     failreason != "HttpError404"))
       {
 	 // if we expected a ClearTextSignature (InRelease) but got a network
 	 // error or got a file, but it wasn't valid, we end up here (see VerifyDone).
diff --git a/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall b/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall
index a756b5df2..46c7c5672 100755
--- a/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall
+++ b/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall
@@ -70,3 +70,12 @@ partial' ls "$LISTS"
 runtests '^E:.*Clearsigned file .*NOSPLIT.*'
 webserverconfig 'aptwebserver::overwrite::.*InRelease::filename' '/404'
 runtests '^E:.*Signed file .*NODATA.*'
+
+webserverconfig 'aptwebserver::overwrite::.*::filename' '/404'
+webserverconfig 'aptwebserver::httpcode::404' '511 Network Authentication Required'
+rm -rf rootdir/var/lib/apt/lists
+testfailureequal "Err:1 http://localhost:${APTHTTPPORT} unstable InRelease
+  511  Network Authentication Required
+Reading package lists...
+E: Failed to fetch http://localhost:${APTHTTPPORT}/dists/unstable/InRelease  511  Network Authentication Required
+E: Some index files failed to download. They have been ignored, or old ones used instead." apt update
-- 
cgit v1.2.3