This is resolved now - please test the images available on https://downloads.pureos.net/byzantium/ (preferably the latest ones built ^^) as I could only test this on a few systems and configurations that I had available. The images should support UEFI, as long as secure boot is not enforced, as the necessary pieces are not signed.

We certainly can't update the system's certificates store, as that would mean people couldn't get the update that lets them get updates again :-P

This should be resolved in byzantium already :-)

Does this issue still exist? I changed the image build process quite a bit, so the current images are not comparable to the old ones.

This should be fixed in landing/byzantium for a while now :-)

I would rather add a search function to this, as this page can get extremely large (to the point of hanging up a browser tab).
Currently, the database has indices (no dedicated fulltext searches), but with that one could already implement a simple search. Added to the todo list, but as usual, patches welcome :-)

Just FTR, we can't binary-sync anything from experimental, ever. Packages there are built with other binaries from experimental, which would break any suite we sync them into. Source syncs can work though, but will need support implemented in Synchrontron in Laniakea.

To me, this Lintian check actually makes little sense. The one for Maintainer is important, so the maintenance status is reflected in the modified package, but Changed-by could be any address. When Zlatan and I created the project, the initial goal was explicitly to get the community involved and have people outside of Purism contribute. That didn't really work out, but by limiting change authors to people with an @puri.sm address we make this even less likely and also make the project look a lot more like a Purism inside job than is good for it ;-)

This was a bit tricky, as byzantium is still an in-development release and all changes should go through landing. Fortunately though, the synchrotron Laniakea module is flexible enough nowadays to accommodate for that.
I've implemented a solution which will fill up the -updates and -security suites directly for byzantium from the respective bullseye suites, while not allowing manual uploads from us which should still go through landing. That workflow should work well for byzantiums current odd in-between state between "released" and "in-development".

We could probably have debug symbols packages for our self-built packages with a bit more space (the dbgsym packages are *insanely* huge, they dwarf the size of the actual archive), but for the full archive, so syncing the debug symbols from Debian to make them available easily in PureOS, we'd need quite a lot of space (I need to look at Debian to actually give a - then very good - estimate).
At time, PureOS holds dbgsym packages for everything that we have built in the landing suite, but byzantium doesn't have own debug symbols. You can however use the ones from landing, which are either equal to the versions in byzantium, or newer.

I have a preliminary image with PureOS 10 for UEFI available, but some polishing work is still needed on this.

So, that RST packet is indeed the issue, and there's a high chance that either APT or GnuTLS don't handle this correctly. I talked with an APT developer, and we may actually need to debug this further in future.
In the meanwhile though, the issue can be mitigated by throwing an Apache2 webserver in front as proxy, instead of Nginx.

Some new observations:

• This is not a proxy server issue: Even without proxy, the issue occurs
• The TLS version doesn't matter at all
• Before the issue occurs, we get quite a few TCP retransmissions from the client to the server, and then the current connection is dropped:
  
• There is nothing suspicious in the Nginx logs, not even at info priority. A quick glance at the debug logs also didn't show anything interesting, but those are massive and it's possible that I missed something.

I also tried messing with timeouts on APTs transport methods, with no luck - according to APT, the server just stops responding (according to curl though, it doesn't).

I pasted the wrong log, but the connection timeout is actually even more frequent now than the Resource temporarily unavailable issue - but both appear.

I tested this with https::Verify-Peer false, still the same issue happens:

Fetched 1016 MB in 4min 12s (4025 kB/s)                                        
2021/03/04 22:30:39 apt | E: Failed to fetch https://repo.pureos.net/pureos/pool/main/f/fftw3/libfftw3-double3_3.3.8-2_amd64.deb  Connection timed out [IP: 138.201.228.45 443]
2021/03/04 22:30:39 apt | E: Failed to fetch https://repo.pureos.net/pureos/pool/main/s/spice-gtk/libspice-client-glib-2.0-8_0.39-1_amd64.deb  Connection timed out [IP: 138.201.228.45 443]
2021/03/04 22:30:39 apt | E: Failed to fetch https://repo.pureos.net/pureos/pool/main/libs/libsodium/libsodium23_1.0.18-1_amd64.deb  Connection timed out [IP: 138.201.228.45 443]
2021/03/04 22:30:39 apt | E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Done :-)

Fixed now. Apparently dak forgot a source package... Not sure how that happened, this could only occur if something was manually deleted the wrong way, or a bad database backup was restored...
It's fixed now though, and I checked for any more of this kind of issue and found none.

Noticed this too late because the warning email went straight to spam (the attached logfile apparently was suspicious).
This is caused by either a dak bug or something feeding dak bad data:

  File "/srv/dist/dak/daklib/archive.py", line 164, in install_binary
    .filter(Suite.suite_id == source_suites.c.id)
AttributeError: 'NoneType' object has no attribute 'c'

Has this been done? I think only sysadmins have the necessary privileges to destroy a user account, all I can do is disable them.

Then this should have worked - they should verify that /etc/apt/apt.conf.d/20auto-upgrades exists and has the correct values.

the issue is the "Software & Updates > Updates > Automatically check for updates: Never" configuration is not preventing the system from automatically checking for updates every day.

No, disabling the timers is completely the wrong approach. The service belonging to the timer unit has built-in logic to do only what it was configured to do + some cleanup work that we always want to have done.
All you need to do to disable upgrades is to disable them in GNOME Software as well as in software-sources-gtk which is available in GNOME Software's burger-menu as well.
See the attached picture:

Why? We want the users to stay secure by default, and disabling automatic upgrades is the opposite of that. So I think disabling updates is a huge disservice and definitely not beginner-friendly. Users who want to disable autoupdates can always do that via the respective GUI (software-properties-gtk).

I think @adrien.plazas pushed a workaround for this recently: https://source.puri.sm/Librem5/pureos-store/-/merge_requests/14

That depends on how the suite is set up and where it gets its overrides from - the phone suites do not share overrides with the main amber suite, so everything goes through NEW once (but that also means the changing overrides for the phone suite is easier and there is less room for error and it impacting one of the main suites).

Those packages are available, but only for the latest builds of the development version of PureOS and only for the ones we rebuilt ourselves: https://repo.pureos.net/pureos-debug/dists/
Anything else would require mirroring the debug packages from Debian, and we do not have the disk space for that, currently.

Did you use the OEM image or the Live image? Which version of the install ISO (date) did you use?

What is the use case for explicitly staying below a Debian revision? This may break quite a few assumptions and no Debian derivative (that I know of) does this.

These images should now be(come) default. Thanks everyone for testing!

Nice! If nobody vetoes this image until next Monday/Tuesday, I will send this image to the factory and marketing people - we really have to update the default image, and especially that OEM username issue is causing very frequent support issues, so it has to go (not to mention the huge amount of security fixes that newer PureOS releases contain and that just aren't there yet with the current images).

The image has been updated to incorporate the latest security fixed for a bunch of vulnerabilities in GRUB (less relevant for us if /boot is verified anyway, but still good to have, especially for custom installations).

This should have been resolved with the latest util-linux upload.

At some point the intent is to make this nicer-looking and better integrated, but until that point is there, we'll have this page :-)

They were signed with an expired key. refreshging that key from a keyserver fixed this issue.

https://master.pureos.net/raw/web/new.html

@all but especially @richard.kolla : Can you please test the 2020-07-22 image? There were now functional changes, only minor bugfixes from Debian and security fixes (so I expect everything to still work as before).

In T919#17068, @richard.kolla wrote:

[...]

Does the OEM initial setup work as expected?

Won't boot.

Any noticeable bugs/regressions?

I erase the disk, install on my SATA SSD with the bootloader going to the MBR of the same drive. Can't boot from the coreboot 4.12-2 boot menu. Will need to confirm with Carlsbad what settings they use when installing PureOS OEM and use those same settings to test.

Is this not something that can also be pushed to upstream g-i-s

This has been fixed in PureOS for some time now, but we'll still need an upstream solution. I'll likely push this change to Debian as well meanwhile, so Debian can benefit from the bugfix as well.

This bug was indeed fixed by me earlier this week :-)

What do you mean with "breaks"? Does it crash? Is it not installable? In the former case, a backzrace or at least console output would be nice.

This should be fixed now, but the update will need a few days to migrate out of landing.

It's unfortunately one with a US keyboard :-/

Do we need a new version of the library in amber, or is there a patch that we can apply to the amber version? Uploading a new upstream version always comes with some risk of breaking other stuff (unless it's a pure bugfix release).

Hmm, I don't have a Librem with a German keyboard so I can't test this and would have to apply this change blindly.
This looks like something that should also go into upstream systemd, right?

Whoops, looks like I completely forgot to close this... Thanks!

The only thing I can say at the moment that we will have this done for the next release of PureOS. I know this is kind of vague, but at the moment I can't make a more definitive statement about it, sorry.
Most likely this feature will come with a complete overhaul of the process we use to build images for PureOS.

Yay!

Done

This should be fixed in amber now :-)
Thanks for reporting the issue!

There are no resource limits on the container, so I have no idea what goes wrong here.
Does this code access a device that is maybe unavailable?
Unfortunately I am traveling in the next weeks, so I don't know if I'll have time to look into this.

Done :-)
The update should be available once it passes QA and the regular delay period.

This is fixed in PureOS 9.0 (Amber) image build 2019-09-26.
Thank you for reporting the issue!

We may need to add some note then that it's "community supported" or something.
I build the image and somewhat maintain the flavor, but it doesn't receive nearly as much attention as the GNOME flavor does and any issue report there as a really low priority for me.

Thank you for the feature request, but unfortunately we'll definitely not have cdrtools in PureOS.
There has been an old fight about its license change which I really don't want to start again. Also, the legal situation didn't really change and Debian, the FSF and Red Hat all agree on this particular legal issue.
Plus, to put it frankly, Jörg Schilling is one of the least fun upstream developers one could ever deal with.

This has been updated a few days already, but the new images weren't fully tested yet (so aren't on the pureos.net page for download by default). That should happen this week.
Thanks for the heads up though!

In T57#14719, @jonas.smedegaard wrote:

@mak Please stop block chromium - it does not contain non-free code and is no longer unclear about licensing.

See https://software.pureos.net/sw/linphone.desktop
(there is still a warning that the icon is upscaled, which could be fixed in the packaging)

This seems to be fixed now - sort of...

Well, the message was a false and the actual culprit was a SQL query failing. The cause of that is fixed now, so this shouldn't happen again (but if it does, I'll look into it again). Not sure why exactly the database was in a wrong state though, but that's really hard to figure out at this point.
That's why the issue is resolved.

@jonas.smedegaard No, I mean the same file (without it being rebuilt) was apparently already uploaded and rejected before. Dak hashes the files to not process the same, already rejected upload multiple times (even if it has different names) - and to prevent people from just uploading the same thing over and over again.
That said, this case is really strange, as the upload actually wasn't known before, as far as I can see in the database.
I forced the package in now, it is available in the landing suite now (and will be built soon), but I'll keep an eye on this issue - could maybe be a bug in dak.

According to dak and the SHA256 hash of the package, the upload is indeed already known and would just be rejected again - can you rebuild the package again and do another upload?
TBH it is *really* weird that the package is rejected, as I would expect to find the originally rejected upload in the rejected queue, but that doesn't appear to be there.
So if your next upload doesn't succeed, let me know immediately! (I also made dak forget about the last upload attempt).