# Apt Offline 1.8.2

## apt-offline 1.8.2

I am pleased to announce the release of apt-offline version 1.8.2

This release has many bug fixes along with a long standing issue of signature validation

### 2017 - The year of realization and change

Back in 2017, the bug was reported that apt-offline did not validate apt meta Packages files. apt-offline was only doing a signature validation for the Release files but did no validation of the apt meta Packages files, which had their checksums listed in the Release files. This validation was completely missing in apt-offline and gave the user the wrong impression that validation was in place.

I had hoped to fix this issue soon when it was reported, to have it part of the next Debian Stable release. But that never happened. On the contrary, I think 2 stable releases happened in between. And now it is 2020.

2017 was a year to spend a large chunk of my time on real life issues, for good. I realized that it is important to always give precedence to personal life, fix issues, set realistic priorities, spend time on realizing the happenings around, get life rolling smooth and then come back to work. This helps sustain in the longer run. Otherwise, with no self, everything can fall apart catastrophically.

From that phase, I learned many things. I now have much more respect for people who really have been successful at committing a large amount of their time on a volunteer project like Debian. Having myself gone through the time crunch phase, I can only imagine how many of the fellow DDs manage their time, sustainably, over the years. There are many folks I have seen active for more than a decade and they still rock.

### 1.8.2 release

Because the apt meta validation was a major issue, I have decided to run through the workflow and explain how apt-offline reacts to invalid tampered data. Below are konsole captures, with snipped output, where not very relevant.

#### apt-offline ‘set’ operation

The usual first step on the offline box to generate a file with all relevant details about repositories and packages. This step generates the set.uris file that needs to be transferred to the online machine. In the following example, it is being run with the defaults, which is to generate the necessary information about the ‘update’ and ‘upgrade’ operation.

#### Back to the offline machine

Now that we’ve got all the data downloaded in set.zip and transferred back to the offline machine. Let’s look into it.

First, lets unpack the archive file.

#### Install tampered apt package meta files

So in this step, we tell apt-offline to install the downloaded files. This will also include the tampered file. The output you see below is standard and reports everything to have succeeded.

But note that the tampered file is not in the list of synced files. That file is just simply missing from the list.

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41  rrs@priyasi:/tmp/set-folder$sudo apt-offline install . Proceeding with installation gpgv: Signature made Friday 07 February 2020 01:55:24 PM IST gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) " gpgv: Signature made Friday 07 February 2020 01:55:43 PM IST gpgv: using RSA key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 gpgv: Good signature from "Debian Archive Automatic Signing Key (10/buster) " gpgv: Signature made Friday 07 February 2020 01:56:44 PM IST gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) " gpgv: Signature made Friday 07 February 2020 01:56:45 PM IST gpgv: using RSA key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 gpgv: Good signature from "Debian Archive Automatic Signing Key (10/buster) " gpgv: Signature made Friday 07 February 2020 01:56:58 PM IST gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) " gpgv: Signature made Friday 07 February 2020 01:56:58 PM IST gpgv: using RSA key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138 gpgv: Good signature from "Debian Archive Automatic Signing Key (10/buster) " deb.debian.org_debian_dists_testing_contrib_Contents-amd64.gz synced. deb.debian.org_debian_dists_testing_contrib_Contents-i386.gz synced. deb.debian.org_debian_dists_testing_contrib_binary-all_Packages.xz synced. deb.debian.org_debian_dists_testing_contrib_binary-amd64_Packages.xz synced. deb.debian.org_debian_dists_testing_contrib_binary-i386_Packages.xz synced. deb.debian.org_debian_dists_testing_contrib_i18n_Translation-en.bz2 synced. deb.debian.org_debian_dists_testing_contrib_source_Sources.xz synced. deb.debian.org_debian_dists_testing_main_Contents-amd64.gz synced. deb.debian.org_debian_dists_testing_main_Contents-i386.gz synced. deb.debian.org_debian_dists_testing_main_binary-all_Packages.xz synced. deb.debian.org_debian_dists_testing_main_binary-amd64_Packages.xz synced. deb.debian.org_debian_dists_testing_main_binary-i386_Packages.xz synced. deb.debian.org_debian_dists_testing_main_i18n_Translation-en.bz2 synced. deb.debian.org_debian_dists_testing_main_source_Sources.xz synced. deb.debian.org_debian_dists_testing_non-free_Contents-amd64.gz synced. deb.debian.org_debian_dists_testing_non-free_Contents-i386.gz synced. deb.debian.org_debian_dists_testing_non-free_binary-all_Packages.xz synced. deb.debian.org_debian_dists_testing_non-free_binary-amd64_Packages.xz synced. deb.debian.org_debian_dists_testing_non-free_binary-i386_Packages.xz synced. deb.debian.org_debian_dists_testing_non-free_i18n_Translation-en.bz2 synced. 16:41 ♒ ॐ ☺ 😄  #### Install tampered apt package meta files with verbose switch one So, in the above example, apt-offline discarded the tampered file and the final exit of the command was a success. Now, let’s run the same command with the ‘–verbose’ switch. Below is the output. Notice the highlighted line below, where it reports that the file is tampered and does not match the checksum   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45  rrs@priyasi:/tmp/set-folder$ sudo apt-offline install . --verbose VERBOSE: Namespace(allow_unauthenticated=False, func=, install='.', install_simulate=False, install_src_path=None, skip_bug_reports=False, skip_changelog=False, strict_deb_check=False, verbose=True) VERBOSE: No changelog available Proceeding with installation VERBOSE: {} VERBOSE: Great!!! No bugs found for all the packages that were downloaded. VERBOSE: APT Signature verification path is: ['/etc/apt/trusted.gpg.d/', '/etc/apt/trusted.gpg'] VERBOSE: Adding /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg to the apt-offline keyring VERBOSE: Adding /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg to the apt-offline keyring VERBOSE: Adding /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg to the apt-offline keyring VERBOSE: Adding /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg to the apt-offline keyring VERBOSE: Adding /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg to the apt-offline keyring VERBOSE: Adding /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg to the apt-offline keyring VERBOSE: Adding /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg to the apt-offline keyring VERBOSE: Adding /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg to the apt-offline keyring .....snipped..... VERBOSE: localFile ./deb.debian.org_debian_dists_testing_non-free_Contents-amd64.gz Integrity with checksum 024957d30be2acbb9e66c9802f825115d32437420300a2b28ab60ae4ecb76fcf matches VERBOSE: localFile ./deb.debian.org_debian_dists_testing_non-free_Contents-i386.gz Integrity with checksum 5266d2f3ea41c4e988e71b4bbe58dd1178a23ce1ed50908c73a0cb39201136e3 matches VERBOSE: localFile ./deb.debian.org_debian_dists_testing_non-free_binary-all_Packages.xz Integrity with checksum 9f0f3aa5560452d45f82c5121ea844c68e641c8fbb56ef69d570c641b6cce662 matches VERBOSE: localFile ./deb.debian.org_debian_dists_testing_non-free_binary-amd64_Packages.xz Integrity with checksum 811f7752a13dfcbd748478dda267fb810c52fc14769d2d5c7871c75e35350d66 matches VERBOSE: localFile ./deb.debian.org_debian_dists_testing_non-free_binary-i386_Packages.xz Integrity with checksum 7df3512b5da7258613774921023d68c71858d89fddafd694e2dfd19cef54314b matches VERBOSE: localFile ./deb.debian.org_debian_dists_testing_non-free_i18n_Translation-en.bz2 Integrity with checksum 1bf3cd0cff6fadf1a74280912c3229374344cd6c347d2f533b001843d84b236d matches VERBOSE: localFile ./deb.debian.org_debian_dists_testing_non-free_source_Sources.xz integrity doesn't match to checksum a94589ab3c204bb4d710d72ea21abac8007b14e5c5dacbe43be07c51ba5f0a0a VERBOSE: Synchronized file to /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_Contents-amd64 VERBOSE: /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_Contents-amd64 file synced to APT. deb.debian.org_debian_dists_testing_contrib_Contents-amd64.gz synced. VERBOSE: Synchronized file to /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_Contents-i386 VERBOSE: /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_Contents-i386 file synced to APT. deb.debian.org_debian_dists_testing_contrib_Contents-i386.gz synced. VERBOSE: Synchronized file to /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_binary-all_Packages VERBOSE: /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_binary-all_Packages file synced to APT. deb.debian.org_debian_dists_testing_contrib_binary-all_Packages.xz synced. VERBOSE: Synchronized file to /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_binary-amd64_Packages VERBOSE: /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_binary-amd64_Packages file synced to APT. deb.debian.org_debian_dists_testing_contrib_binary-amd64_Packages.xz synced. VERBOSE: Synchronized file to /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_binary-i386_Packages VERBOSE: /var/lib/apt/lists/deb.debian.org_debian_dists_testing_contrib_binary-i386_Packages file synced to APT. deb.debian.org_debian_dists_testing_contrib_binary-i386_Packages.xz synced. .....snipped..... 16:42 ♒ ॐ ☺ 😄

This is pretty much the validation required and done by apt-offline for apt meta Packages files.

Please do file bug reports if you think the overall exit status of apt-offline under such scenarios should be different than what it is currently.

For the tampered meta Packages files:

• should the visual representation be different ?
• Should an error be printed ?
• What about the exit status ?

Similarly, for the ‘get’ operation:

• Should we do something different for non-existing localization files on the repository server ?
• Is there any different way to go through the supported list of compression types for meta files ?

#### Now the deb file examples

apt-offline allows a user to install a new package and all its dependencies easily on the offline machine. The below workflow will demonstrate the same and will also go through the tampering of the .deb files and see how apt-offline/apt deals with it.

In below example, a user wants to install the gnome-todo package on the offline machine, which has a couple of dependencies.

#### apt-offline ‘get’ operation

Below is the usual step to be performed on the online machine with the generated gnome-todo.uris signature file.

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32  rrs@priyasi:/tmp/set-folder$apt-offline get /tmp/gnome-todo.uris --download-dir /tmp/gnome-todo --bug-reports --threads 3 Fetching APT Data WARNING: If you are on a slow connection, it is good to WARNING: limit the number of threads to a low number like 2. WARNING: Else higher number of threads executed could cause WARNING: network congestion and timeouts. Downloading libpeas-common - 187 KiB Downloading libpeas-1.0-0 - 196 KiB Downloading gnome-todo-common - 228 KiB libpeas-common done Fetching bug report for libpeas-common libpeas-1.0-0 done Fetching bug report for libpeas-1.0-0 gnome-todo-common done Fetching bug report for gnome-todo-common Fetched bug report for libpeas-common Downloading libgnome-todo - 6 KiB libgnome-todo done Fetching bug report for libgnome-todo Fetched bug report for gnome-todo-common Downloading gnome-todo - 146 KiB gnome-todo done Fetching bug report for gnome-todo Fetched bug report for libpeas-1.0-0 Fetched bug report for libgnome-todo Fetched bug report for gnome-todo 5 / 5 items: [##############################] 100.0% of 765 KiB Downloaded data to /tmp/gnome-todo 16:49 ♒ ॐ ☺ 😄  #### The --strict-deb-check option This new option has been introduced for the ‘install’ command in the 1.8.2 release. The default behavior for apt-offline is to not do strict checks for the .deb files. Note: The fact is that apt-offline will not do any checksum validation for the .deb files. The validation is completely delegated to apt. rrs@priyasi:/tmp/gnome-todo$ sudo apt-offline install -h
usage: apt-offline install [-h] [--verbose] [--simulate]
[--install-src-path INSTALL_SRC_PATH]
[--skip-bug-reports] [--skip-changelog]
[--allow-unauthenticated] [--strict-deb-check]

positional arguments:
Install apt-offline data, a bundle file or a directory

optional arguments:
-h, --help            show this help message and exit
--verbose             Enable verbose messages
--simulate            Just simulate. Very helpful when debugging
--install-src-path INSTALL_SRC_PATH
Install src packages to specified path.
--skip-bug-reports    Skip the bug report check
--skip-changelog      Skip display of changelog
--allow-unauthenticated
Ignore apt gpg signatures mismatch
files
16:50 ♒ ॐ  ☺ 😄    

and from the manpage:

       --strict-deb-check
With  this option enabled, apt-offline delegate's .deb package checksum validation to apt. While the .debs are already avail‐
able, they are stored in the temporary apt cache, where apt validates its checksum, before considering it  for  further  pro‐
cessing.   Note:  This  does  have the caveat that apt may need network availability even though it doesn't download anything
ther proceeds with checksum validation

The  default  behavior  is to not do strict checksum validation for .deb files. Instead, apt-offline copies the .deb files to
apt's download location. apt still does size validation of the available .deb files and discards them in case there is a mis‐
match.

#### Non Tampered file with default option, i.e. no strict deb checking.

Before we proceed with the example of checksum verification for .deb files, lets do a pristine run of the downloaded files, without any tampering to them.

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35  rrs@priyasi:/tmp/gnome-todo$sudo apt-offline install . Proceeding with installation Following are the list of bugs present. 822525 gnome-todo : gnome-todo: Memory leak while loading local and remote lists 853114 gnome-todo : no longer loads caldav lists 883961 libgnome-todo : libgnome-todo: Not actually a library 829470 libpeas-1.0-0 : libpeas: Python Plugin Broken (Y) Yes. Proceed with installation (N) No, Abort. (R) Redisplay the list of bugs. (Bug Number) Display the bug report from the Offline Bug Reports. (?) Display this help message. What would you like to do next: (y, N, ?)y gnome-todo_3.28.1-5_amd64.deb file synced. libgnome-todo_3.28.1-5_amd64.deb file synced. gnome-todo-common_3.28.1-5_all.deb file synced. libpeas-1.0-0_1.22.0-5_amd64.deb file synced. libpeas-common_1.22.0-5_all.deb file synced. 16:51 ♒ ॐ ☺ 😄 rrs@priyasi:/tmp/gnome-todo$ sudo apt install gnome-todo Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: gnome-todo-common libgnome-todo libpeas-1.0-0 libpeas-common The following NEW packages will be installed: gnome-todo gnome-todo-common libgnome-todo libpeas-1.0-0 libpeas-common 0 upgraded, 5 newly installed, 0 to remove and 1 not upgraded. Need to get 0 B/784 kB of archives. After this operation, 2,337 kB of additional disk space will be used. Do you want to continue? [Y/n] n Abort. 16:51 ♒ ॐ ☹ 😟=> 1 

In the above example, everything is clean and all requirements to apt are satisfied.

#### Non tampered file with strict deb checking

Here’s one more exaple, where we invoke the non-default --strict-deb-check option.

Everything remains the same, but apt gives a prompt saying that it needs to download the payload from the web. The reality is that if you just proceed with yes, nothing gets downloaded.

Note: It is not possible to explain that with a still presentation and I’m lazy to make a motion object of it.

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42  rrs@priyasi:/tmp/gnome-todo$sudo apt-offline install . --strict-deb-check Proceeding with installation Following are the list of bugs present. 822525 gnome-todo : gnome-todo: Memory leak while loading local and remote lists 853114 gnome-todo : no longer loads caldav lists 883961 libgnome-todo : libgnome-todo: Not actually a library 829470 libpeas-1.0-0 : libpeas: Python Plugin Broken (Y) Yes. Proceed with installation (N) No, Abort. (R) Redisplay the list of bugs. (Bug Number) Display the bug report from the Offline Bug Reports. (?) Display this help message. What would you like to do next: (y, N, ?)y gnome-todo_3.28.1-5_amd64.deb file synced. libgnome-todo_3.28.1-5_amd64.deb file synced. gnome-todo-common_3.28.1-5_all.deb file synced. libpeas-1.0-0_1.22.0-5_amd64.deb file synced. libpeas-common_1.22.0-5_all.deb file synced. 16:52 ♒ ॐ ☺ 😄 rrs@priyasi:/tmp/gnome-todo$ sudo apt install gnome-todo Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: gnome-todo-common libgnome-todo libpeas-1.0-0 libpeas-common The following NEW packages will be installed: gnome-todo gnome-todo-common libgnome-todo libpeas-1.0-0 libpeas-common 0 upgraded, 5 newly installed, 0 to remove and 1 not upgraded. Need to get 784 kB of archives. After this operation, 2,337 kB of additional disk space will be used. Do you want to continue? [Y/n] Get:1 http://deb.debian.org/debian testing/main amd64 libpeas-common all 1.22.0-5 [192 kB] Get:2 http://deb.debian.org/debian testing/main amd64 libpeas-1.0-0 amd64 1.22.0-5 [201 kB] Get:3 http://deb.debian.org/debian testing/main amd64 gnome-todo-common all 3.28.1-5 [234 kB] Get:4 http://deb.debian.org/debian testing/main amd64 libgnome-todo amd64 3.28.1-5 [6,260 B] Get:5 http://deb.debian.org/debian testing/main amd64 gnome-todo amd64 3.28.1-5 [150 kB] Retrieving bug reports... Done Parsing Found/Fixed information... Done .....snipped..... 16:53 ♒ ॐ ☺ 😄 

To sum it up, this one is an odd case because though nothing for the debs is downloaded, BUT, the network needs to be active for this co-routine to run. If, say, the network is unavailable, apt complains. I haven’t checked, but apt does invoke some network code.

#### Tamper the .deb file

Now, let’s really tamper one of the .deb files.

rrs@priyasi:/tmp/gnome-todo$echo fasdfadsfasdfasdfasd >> gnome-todo_3.28.1-5_amd64.deb 16:54 ♒ ॐ ☺ 😄 rrs@priyasi:/tmp/gnome-todo$ sudo apt clean
16:54 ♒ ॐ  ☺ 😄    

#### Install tampered file with –strict-deb-check

So we tampered one of the .deb files, gnome-todo_3.28.1-5_amd64.deb. And ask apt-offline to run its ‘install’ operation along with the new --strict-deb-check option.

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44  rrs@priyasi:/tmp/gnome-todo$sudo apt-offline install . --strict-deb-check Proceeding with installation Following are the list of bugs present. 822525 gnome-todo : gnome-todo: Memory leak while loading local and remote lists 853114 gnome-todo : no longer loads caldav lists 883961 libgnome-todo : libgnome-todo: Not actually a library 829470 libpeas-1.0-0 : libpeas: Python Plugin Broken (Y) Yes. Proceed with installation (N) No, Abort. (R) Redisplay the list of bugs. (Bug Number) Display the bug report from the Offline Bug Reports. (?) Display this help message. What would you like to do next: (y, N, ?)y gnome-todo_3.28.1-5_amd64.deb file synced. libgnome-todo_3.28.1-5_amd64.deb file synced. gnome-todo-common_3.28.1-5_all.deb file synced. libpeas-1.0-0_1.22.0-5_amd64.deb file synced. libpeas-common_1.22.0-5_all.deb file synced. 16:54 ♒ ॐ ☺ 😄 rrs@priyasi:/tmp/gnome-todo$ sudo apt install gnome-todo Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: gnome-todo-common libgnome-todo libpeas-1.0-0 libpeas-common The following NEW packages will be installed: gnome-todo gnome-todo-common libgnome-todo libpeas-1.0-0 libpeas-common 0 upgraded, 5 newly installed, 0 to remove and 1 not upgraded. Need to get 784 kB of archives. After this operation, 2,337 kB of additional disk space will be used. Do you want to continue? [Y/n] Get:1 http://deb.debian.org/debian testing/main amd64 libpeas-common all 1.22.0-5 [192 kB] Get:2 http://deb.debian.org/debian testing/main amd64 libpeas-1.0-0 amd64 1.22.0-5 [201 kB] Get:3 http://deb.debian.org/debian testing/main amd64 gnome-todo-common all 3.28.1-5 [234 kB] Get:4 http://deb.debian.org/debian testing/main amd64 libgnome-todo amd64 3.28.1-5 [6,260 B] Get:5 http://deb.debian.org/debian testing/main amd64 gnome-todo amd64 3.28.1-5 [150 kB] Fetched 150 kB in 1s (141 kB/s) Retrieving bug reports... Done Parsing Found/Fixed information... Done 16:55 ♒ ॐ ☹ 😟=> 100 

Pay attention to the downloaded data which is only 150 KiB, for the gnome-todo package, which was tampered. Even though apt stated that it needs to download 784 KiB of data, it actually downloaded 150 KiB only. All data was already downloaded by apt-offline but we had tampered one of the files, which resulted in it being re-downloaded.

#### Tampered file with no –strict-deb-check

Now, lets do one more run with the default behavior of apt-offline, i.e. without the --strict-deb-check option. This will result in apt (internally) detecting the tampering and prompting the user that the (tampered) file needs to be downloaded

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41  rrs@priyasi:/tmp/gnome-todo$sudo apt-offline install . Proceeding with installation Following are the list of bugs present. 822525 gnome-todo : gnome-todo: Memory leak while loading local and remote lists 853114 gnome-todo : no longer loads caldav lists 883961 libgnome-todo : libgnome-todo: Not actually a library 829470 libpeas-1.0-0 : libpeas: Python Plugin Broken (Y) Yes. Proceed with installation (N) No, Abort. (R) Redisplay the list of bugs. (Bug Number) Display the bug report from the Offline Bug Reports. (?) Display this help message. What would you like to do next: (y, N, ?)y gnome-todo_3.28.1-5_amd64.deb file synced. libgnome-todo_3.28.1-5_amd64.deb file synced. gnome-todo-common_3.28.1-5_all.deb file synced. libpeas-1.0-0_1.22.0-5_amd64.deb file synced. libpeas-common_1.22.0-5_all.deb file synced. 16:56 ♒ ॐ ☺ 😄 rrs@priyasi:/tmp/gnome-todo$ sudo apt^C 16:56 ♒ ॐ ☹ 😟=> 130 rrs@priyasi:/tmp/gnome-todo\$ sudo apt install gnome-todo Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: gnome-todo-common libgnome-todo libpeas-1.0-0 libpeas-common The following NEW packages will be installed: gnome-todo gnome-todo-common libgnome-todo libpeas-1.0-0 libpeas-common 0 upgraded, 5 newly installed, 0 to remove and 1 not upgraded. Need to get 150 kB/784 kB of archives. After this operation, 2,337 kB of additional disk space will be used. Do you want to continue? [Y/n] Get:1 http://deb.debian.org/debian testing/main amd64 gnome-todo amd64 3.28.1-5 [150 kB] Fetched 150 kB in 0s (448 kB/s) Retrieving bug reports... Done Parsing Found/Fixed information... Done .....snipped...... 16:57 ♒ ॐ ☺ 😄 

Notice the highlighted line, which gives a less confusing, realistic summary of what needs to be done. In this case, apt is prompting the user that 150 KiB of data needs to be downloaded, which indeed is the case.

### Resources

• Tarball and Zip archive for apt-offline are available here
• Packages should be available in Debian.
• Development for apt-offline is currently hosted here