[Impact]
IWBNI (it would be nice if) apt-key obeyed apt's network preferences like the rest of the apt-* tools do. The fix is to append a timeout option to wget, which apt-key invokes during key retrieval. An example would be reducing the number of retries wget performs in order to receive the gpg key: the default is 20 tries, so if the firewall is set to DROP packets, that's a 90*20 timeout.
[Test Case]
# iptables -A OUTPUT -p tcp --dport 80 -j DROP
# wget -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
[endless hang] ^C
# iptables -F
# iptables -A OUTPUT -p tcp --dport 80 -j REJECT
# wget --timeout=90 -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
[returns in 90 seconds]
#
# iptables -F
# wget --timeout=90 -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
[returns instantly]
#
#
# iptables -A OUTPUT -p tcp --dport 80 -j DROP
# route del default
# wget --timeout=90 -q -N http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
[returns instantly]
[Regression Potential]
Potential for regression is minimal, as this would allow apt-key to time out successfully if the keyserver is unreachable and allow the continued operation required by other services (i.e. cron-executed instances).
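As an added illustration of the bounded-fetch behaviour the [Test Case] checks (this is not the attached patch and not apt-key's own code), the script below wraps the keyring download in a wget call with --timeout and a capped --tries, so the worst case is timeout*tries seconds rather than the 90*20 hang described above. The 90 second timeout is the value from the test case; --tries=3 and the fetch_keyring/worst_case_seconds names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the apt-key patch from this bug: a bounded keyring
# fetch in the spirit of the proposed fix. --timeout=90 matches the test
# case above; --tries=3 is an assumed cap replacing wget's default of 20.

KEYRING_URI_DEFAULT="http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg"

# fetch_keyring URI TIMEOUT TRIES
# Runs wget with a per-operation timeout and a capped retry count so the
# worst-case wall-clock time is about TIMEOUT*TRIES seconds. Returns wget's
# exit status (0 on success, non-zero on failure) and reports elapsed time.
fetch_keyring() {
    uri=$1
    timeout_s=${2:-90}
    tries=${3:-3}
    if ! command -v wget >/dev/null 2>&1; then
        echo "wget not installed; cannot fetch $uri" >&2
        return 127
    fi
    start=$(date +%s)
    wget -q -N --timeout="$timeout_s" --tries="$tries" "$uri"
    rc=$?
    end=$(date +%s)
    echo "fetch of $uri finished with status $rc after $((end - start))s"
    return $rc
}

# worst_case_seconds TIMEOUT TRIES
# Upper bound on how long fetch_keyring can block before giving up.
worst_case_seconds() {
    echo $(( $1 * $2 ))
}

# Cron-safe usage: the fetch may fail, but it must not hang, so a caller
# standing in for "apt-key net-update" always carries on afterwards.
if [ "${1:-}" = "--run" ]; then
    fetch_keyring "$KEYRING_URI_DEFAULT" 90 3 \
        || echo "key update skipped, continuing" >&2
fi
```

Run it as `sh bounded-fetch.sh --run` from a cron job; a DROP firewall now costs at most worst_case_seconds 90 3 = 270 seconds instead of 1800, and the non-zero exit status lets the caller log the failure and move on.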
I can confirm this is a problem for servers in environments which require the use of an http proxy for outbound HTTP:
Excerpt from ps uaxww at local time 08:15:
root 6779 0.0 0.3 2432 880 ? S 06:25 0:00 /USR/SBIN/CRON archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
root 6780 0.0 0.1 1772 484 ? Ss 06:25 0:00 /bin/sh -c test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
root 6781 0.0 0.2 1700 548 ? S 06:25 0:00 run-parts --report /etc/cron.daily
root 6783 0.0 0.2 1772 516 ? S 06:25 0:00 /bin/sh /etc/cron.daily/apt
root 6812 0.0 0.2 1772 516 ? S 06:42 0:00 /bin/sh /usr/bin/apt-key net-update
root 6816 0.0 0.5 3868 1428 ? S 06:42 0:00 wget -q -N http://
The problem machine is 8.04.2 server. In this current state "apt-key net-update" prevents unattended-upgrades from running.
Please see attached for a proposed patch to fix this problem.