Apt upgrade shows error "sources disagree on hashes for supposedly identical version"

[RossBarnie]

Environment:
Ubuntu 22.04 in WSL2

Apt source for quick-lint-js:

$ cat /etc/apt/sources.list.d/quick-lint-js.list
deb [arch=amd64,arm64 signed-by=/etc/apt/keyrings/quick-lint-js.gpg] https://c.quick-lint-js.com/debian experimental main

Note this does deviate from the provided install instructions to get around the apt-key deprecation warning as reported in #1041 but has not been a problem before today. Last update was approximately a week ago.

Steps:

• Run apt update && apt upgrade

Expected:

• No warnings

Actual:

...
Hit:6 https://c.quick-lint-js.com/debian experimental InRelease
...
The following packages will be upgraded:
... quick-lint-js quick-lint-js-vim ...
...
W: Sources disagree on hashes for supposely identical version '2.15.0-1' of 'quick-lint-js-vim:amd64'.
W: Sources disagree on hashes for supposely identical version '2.15.0-1' of 'quick-lint-js-vim:amd64'.
Do you want to continue? [Y/n]

I'm not clear on the source of the warning but given that my environment hasn't changed and that I only have one source for quick-lint-js, I believe it's something on the apt repo end rather than mine.

[strager]

Thanks for reporting this issue.

I suspect this is the problem:

• When we create the package pool, we create it for arm64 and amd64 separately. Each outputs a quick-lint-js_*.deb and a quick-lint-js-vim_*.deb.
• quick-lint-js_*.deb is architecture-dependent, so when the architecture-specific package lists are created, only one quick-lint-js_*.deb is included.
• quick-lint-js-vim_*.deb is architecture-independent, so when the architecture-specific package lists are created, both quick-lint-js-vim_*.deb files (one from arm64 and one from amd64) are included.

Evidence supporting this hypothesis: The amd64 packages list lists quick-lint-js-vim_*.deb for both amd64 and arm64:

$ curl -s 'https://c.quick-lint-js.com/debian/dists/experimental/main/binary-amd64/Packages' | fgrep quick-lint-js-vim_2.15.0-1_all.deb
Filename: pool/2.15.0/amd64/quick-lint-js-vim_2.15.0-1_all.deb
Filename: pool/2.15.0/arm64/quick-lint-js-vim_2.15.0-1_all.deb

I'll see what I can do to fix it.

[strager]

Our current apt pool file structure looks like this:

debian/pool/
  $(VERSION)/
    # newer quick-lint-js versions:
    $(ARCH)/
      quick-lint-js_$(VERSION)-1.dsc          # source package
      quick-lint-js_$(VERSION)-1_$(ARCH).deb  # arch-dependent package
      quick-lint-js-vim_$(VERSION)-1_all.deb  # arch-independent package
    # older quick-lint-js versions (no $(ARCH) directory):
    quick-lint-js_$(VERSION)-1.dsc          # source package
    quick-lint-js_$(VERSION)-1_$(ARCH).deb  # arch-dependent package
    quick-lint-js-vim_$(VERSION)-1_all.deb  # arch-independent package

I think apt-ftparchive cannot handle this structure well if we want to segregate by $(ARCH). In particular, TreeDefault::Directory and TreeDefault::SrcDirectory don't seem to support (debian/pool/*/$(ARCH)/ for example). Therefore, I think we need to change the pool file structure:

debian/pool/
  $(ARCH)/
    $(VERSION)/
      quick-lint-js_$(VERSION)-1.dsc          # source package
      quick-lint-js_$(VERSION)-1_$(ARCH).deb  # arch-dependent package
      quick-lint-js-vim_$(VERSION)-1_all.deb  # arch-independent package

---

Thinking about it more, I'm not convinced this will fix the warning. OP's sources.list mentions [arch=amd64,arm64], so I suspect even if we fix the duplicate packages in each Packages file (by redesigning the pool), apt will download the two Packages files and see duplicates anyway. I will need to test this hypothesis.

If duplicates are still a problem after the pool restructuring, then one possible fix is to delete the quick-lint-js-vim package from one of the architectures. Ugly.

Another possible fix is to make the packages bit-identical. (They have different hashes for some reason. Perhaps there are timestamps somewhere.) This won't work for old versions (because I don't want to modify old versions), but it might fix the duplicate-package warnings going forward.

[RossBarnie]

OP's sources.list mentions [arch=amd64,arm64], so I suspect even if we fix the duplicate packages in each Packages file (by redesigning the pool), apt will download the two Packages files and see duplicates anyway. I will need to test this hypothesis.

Based on this I tried removing the arm64 arch since I don't need the arm package but the same warning showed.

In the meantime I've run the following so that I can update other packages without the warning:

apt-mark hold quick-lint-js quick-lint-js-vim

[strager]

I pushed a fix to the apt repository (commits 570eaa0 and 226e84b). @RossBarnie Can you please un-hold the packages and see if the original problem occurs?

[RossBarnie]

@strager That's fixed it for me, upgrade went through without any warnings, thanks very much.