* cmdline/apt-key:

- add support for a master-keyring that contains signing keys that can be used to sign the archive signing keys. This should make key-rollover easier. * apt-pkg/deb/dpkgpm.cc: - merged patch from Kees Cook to fix anoying upper-case display on amd64 in sbuild * apt-pkg/algorithms.cc: - add APT::Update::Post-Invoke-Success script slot - Make the breaks handling use the kill list. This means, that a Breaks: Pkg (<< version) may put Pkg onto the remove list. * apt-pkg/deb/debmetaindex.cc: - add missing "Release" file uri when apt-get update --print-uris is run * methods/connect.cc: - remember hosts with Resolve failures or connect Timeouts
author: Michael Vogt <egon@bottom> 2008-02-21 16:49:03 +0100
committer: Michael Vogt <egon@bottom> 2008-02-21 16:49:03 +0100
commit: 0252c6beaab880081c1dc491bfe0904614a1baa7 (patch)
tree: 3a31cbb1530a99a5f936dad9d5c3345a5cb90890
parent: e3a1f08d41bf6ef6a42bbc6e5f8e20f7b4aa37a0 (diff)
parent: 7810fc042d4d3dda6b2c721d09d3eb7eadc12e2d (diff)
10 files changed, 192 insertions, 13 deletions
diff --git a/apt-pkg/algorithms.cc b/apt-pkg/algorithms.cc
index 57b85e24f..eaab4c0ea 100644
--- a/apt-pkg/algorithms.cc
+++ b/apt-pkg/algorithms.cc
@@ -985,17 +985,17 @@ bool pkgProblemResolver::Resolve(bool BrokenFix)
 
 		  if (Start->Type == pkgCache::Dep::DpkgBreaks)
 		  {
-		     /* Would it help if we upgraded? */
-		     if (Cache[End] & pkgDepCache::DepGCVer) {
+		     // first, try upgradring the package, if that
+		     // does not help, the breaks goes onto the
+		     // kill list
+		     // FIXME: use DoUpgrade(Pkg) instead?
+		     if (Cache[End] & pkgDepCache::DepGCVer) 
+		     {
 			if (Debug)
 			   clog << "  Upgrading " << Pkg.Name() << " due to Breaks field in " << I.Name() << endl;
 			Cache.MarkInstall(Pkg, false, 0, false);
 			continue;
 		     }
-		     if (Debug)
-			clog << "  Will not break " << Pkg.Name() << " as stated in Breaks field in " << I.Name() <<endl;
-		     Cache.MarkKeep(I, false, false);
-		     continue;
 		  }
 
 		  // Skip adding to the kill list if it is protected
@@ -1066,6 +1066,7 @@ bool pkgProblemResolver::Resolve(bool BrokenFix)
 	       if ((Cache[J->Dep] & pkgDepCache::DepGNow) == 0)
 	       {
 		  if (J->Dep->Type == pkgCache::Dep::Conflicts || 
+		      J->Dep->Type == pkgCache::Dep::DpkgBreaks ||
 		      J->Dep->Type == pkgCache::Dep::Obsoletes)
 		  {
 		     if (Debug == true)
@@ -1371,7 +1372,11 @@ bool ListUpdate(pkgAcquireStatus &Stat,
       return _error->Error(_("Some index files failed to download, they have been ignored, or old ones used instead."));
 
 
-   // Run the scripts if all was fine
+   // Run the success scripts if all was fine
+   if(!TransientNetworkFailure && !Failed)
+      RunScripts("APT::Update::Post-Invoke-Success");
+
+   // Run the other scripts
    RunScripts("APT::Update::Post-Invoke");
    return true;
 }
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 9ac659f78..ee035191f 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -146,7 +146,16 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool GetAll) const
 	 new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description,
 			 (*Target)->ShortDesc, HashString());
       }
+      // this is normally created in pkgAcqMetaSig, but if we run
+      // in --print-uris mode, we add it here
+      new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"),
+		     MetaIndexInfo("Release"), "Release",
+		     MetaIndexURI("Release.gpg"), 
+		     ComputeIndexTargets(),
+		     new indexRecords (Dist));
+
    }
+
    new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
 		     MetaIndexInfo("Release.gpg"), "Release.gpg",
 		     MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc
index 34e166447..bc15b8819 100644
--- a/apt-pkg/deb/dpkgpm.cc
+++ b/apt-pkg/deb/dpkgpm.cc
@@ -702,14 +702,16 @@ bool pkgDPkgPM::Go(int OutStatusFd)
       sighandler_t old_SIGINT = signal(SIGINT,SIG_IGN);
 
       struct	termios tt;
+      struct	termios tt_out;
       struct	winsize win;
       int	master;
       int	slave;
 
       // FIXME: setup sensible signal handling (*ick*)
       tcgetattr(0, &tt);
+      tcgetattr(1, &tt_out);
       ioctl(0, TIOCGWINSZ, (char *)&win);
-      if (openpty(&master, &slave, NULL, &tt, &win) < 0) 
+      if (openpty(&master, &slave, NULL, &tt_out, &win) < 0) 
       {
 	 const char *s = _("Can not write log, openpty() "
 			   "failed (/dev/pts not mounted?)\n");
diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index 258133c19..11a8b2ef4 100644
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -1506,7 +1506,7 @@ bool TryInstallTask(pkgDepCache &Cache, pkgProblemResolver &Fix,
       buf[end-start] = 0x0;
       if (regexec(&Pattern,buf,0,0,0) != 0)
 	 continue;
-      res &= TryToInstall(Pkg,Cache,Fix,Remove,true,ExpectedInst);
+      res &= TryToInstall(Pkg,Cache,Fix,Remove,false,ExpectedInst);
       found = true;
    }
    
diff --git a/cmdline/apt-key b/cmdline/apt-key
index c7db9a25a..6dd9fd8aa 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -9,9 +9,73 @@ GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-k
 GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg"
 
 
+MASTER_KEYRING=""
+ARCHIVE_KEYRING_URI=""
+#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg
+#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg
+
 ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
 REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg
 
+add_keys_with_verify_against_master_keyring() {
+    ADD_KEYRING=$1
+    MASTER=$2
+    
+    if [ ! -f "$ADD_KEYRING" ]; then
+	echo "ERROR: '$ADD_KEYRING' not found"
+	return
+    fi 
+    if [ ! -f "$MASTER" ]; then
+	echo "ERROR: '$MASTER' not found"
+	return
+    fi
+
+    # when adding new keys, make sure that the archive-master-keyring
+    # is honored. so:
+    #   all keys that are exported and have the name
+    #   "Ubuntu Archive Automatic Signing Key" must have a valid signature
+    #   from a key in the ubuntu-master-keyring
+    add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+    master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
+    for add_key in $add_keys; do
+	ADDED=0
+	for master_key in $master_keys; do
+	    if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
+		$GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
+		ADDED=1
+	    fi
+	done
+	if [ $ADDED = 0 ]; then
+	    echo >&2 "Key '$add_key' not added. It is not signed with a master key"
+	fi
+    done
+}
+
+# update the current archive signing keyring from a network URI
+# the archive-keyring keys needs to be signed with the master key
+# (otherwise it does not make sense from a security POV)
+net_update() {
+    if [ -z "$ARCHIVE_KEYRING_URI" ]; then
+	echo "ERROR: no location for the archive-keyring given" 
+    fi
+    if [ ! -d /var/lib/apt/keyrings ]; then
+	mkdir -p /var/lib/apt/keyrings
+    fi
+    keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
+    old_mtime=0
+    if [ -e $keyring ]; then
+	old_mtime=$(stat -c %Y $keyring)
+    fi
+    (cd  /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
+    if [ ! -e $keyring ]; then
+	return
+    fi
+    new_mtime=$(stat -c %Y $keyring)
+    if [ $new_mtime -ne $old_mtime ]; then
+	echo "Checking for new archive signing keys now"
+	add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
+    fi
+}
 
 update() {
     if [ ! -f $ARCHIVE_KEYRING ]; then
@@ -20,10 +84,15 @@ update() {
 	exit 1
     fi
 
-    # add new keys
-    $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
+    # add new keys, if no MASTER_KEYRING is used, use the traditional
+    # way
+    if [ -z "$MASTER_KEYRING" ]; then
+	$GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
+    else
+	add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING
+    fi
 
-    # remove no-longer used keys
+    # remove no-longer supported/used keys
     keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
     for key in $keys; do
 	if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
@@ -32,6 +101,7 @@ update() {
     done
 }
 
+
 usage() {
     echo "Usage: apt-key [command] [arguments]"
     echo
@@ -42,6 +112,7 @@ usage() {
     echo "  apt-key export <keyid>      - output the key <keyid>"
     echo "  apt-key exportall           - output all trusted keys"
     echo "  apt-key update              - update keys using the keyring package"
+    echo "  apt-key net-update          - update keys using the network"
     echo "  apt-key list                - list keys"
     echo
 }
@@ -71,6 +142,9 @@ case "$command" in
     update)
 	update
 	;;
+    net-update)
+	net_update
+	;;
     list)
         $GPG --batch --list-keys
         ;;
diff --git a/debian/changelog b/debian/changelog
index 7f6d893d2..32995db61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,28 @@
 apt (0.7.12) UNRELEASED; urgency=low
 
+  [ Michael Vogt ]
+  * cmdline/apt-key:
+    - add support for a master-keyring that contains signing keys
+      that can be used to sign the archive signing keys. This should
+      make key-rollover easier.
+  * apt-pkg/deb/dpkgpm.cc:
+    - merged patch from Kees Cook to fix anoying upper-case display
+      on amd64 in sbuild
+  * apt-pkg/algorithms.cc: 
+    - add APT::Update::Post-Invoke-Success script slot
+    - Make the breaks handling use the kill list. This means, that a
+      Breaks: Pkg (<< version) may put Pkg onto the remove list.
+  * apt-pkg/deb/debmetaindex.cc:
+    - add missing "Release" file uri when apt-get update --print-uris
+      is run
+  * methods/connect.cc:
+    - remember hosts with Resolve failures or connect Timeouts
+
   [ Christian Perrier ]
   * Fix typos in manpages. Thanks to Daniel Leidert for the fixes
     Closes: #444922
 
- -- Christian Perrier <bubulle@debian.org>  Tue, 19 Feb 2008 20:34:02 +0100
+ -- Michael Vogt <mvo@debian.org>  Thu, 10 Jan 2008 12:06:12 +0100
 
 apt (0.7.11) unstable; urgency=critical
   
diff --git a/methods/connect.cc b/methods/connect.cc
index aef7db389..355bd5c4d 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -19,6 +19,9 @@
 #include <errno.h>
 #include <unistd.h>
 
+#include<set>
+#include<string>
+
 // Internet stuff
 #include <netinet/in.h>
 #include <sys/socket.h>
@@ -34,6 +37,9 @@ static int LastPort = 0;
 static struct addrinfo *LastHostAddr = 0;
 static struct addrinfo *LastUsed = 0;
 
+// Set of IP/hostnames that we timed out before or couldn't resolve
+static std::set<string> bad_addr;
+
 // RotateDNS - Select a new server from a DNS rotation			/*{{{*/
 // ---------------------------------------------------------------------
 /* This is called during certain errors in order to recover by selecting a 
@@ -63,6 +69,10 @@ static bool DoConnect(struct addrinfo *Addr,string Host,
 	       NI_NUMERICHOST|NI_NUMERICSERV);
    Owner->Status(_("Connecting to %s (%s)"),Host.c_str(),Name);
 
+   // if that addr did timeout before, we do not try it again
+   if(bad_addr.find(string(Name)) != bad_addr.end()) 
+      return false;
+
    /* If this is an IP rotation store the IP we are using.. If something goes
       wrong this will get tacked onto the end of the error message */
    if (LastHostAddr->ai_next != 0)
@@ -89,6 +99,7 @@ static bool DoConnect(struct addrinfo *Addr,string Host,
    /* This implements a timeout for connect by opening the connection
       nonblocking */
    if (WaitFd(Fd,true,TimeOut) == false) {
+      bad_addr.insert(bad_addr.begin(), string(Name));
       Owner->SetFailExtraMsg("\nFailReason: Timeout");
       return _error->Error(_("Could not connect to %s:%s (%s), "
 			   "connection timed out"),Host.c_str(),Service,Name);
@@ -149,6 +160,10 @@ bool Connect(string Host,int Port,const char *Service,int DefPort,int &Fd,
       Hints.ai_socktype = SOCK_STREAM;
       Hints.ai_protocol = 0;
       
+      // if we couldn't resolve the host before, we don't try now
+      if(bad_addr.find(Host) != bad_addr.end()) 
+	 return _error->Error(_("Could not resolve '%s'"),Host.c_str());
+
       // Resolve both the host and service simultaneously
       while (1)
       {
@@ -164,6 +179,7 @@ bool Connect(string Host,int Port,const char *Service,int DefPort,int &Fd,
 		  DefPort = 0;
 		  continue;
 	       }
+	       bad_addr.insert(bad_addr.begin(), Host);
 	       Owner->SetFailExtraMsg("\nFailReason: ResolveFailure");
 	       return _error->Error(_("Could not resolve '%s'"),Host.c_str());
 	    }
diff --git a/test/networkless-install-fixes/README b/test/networkless-install-fixes/README
new file mode 100644
index 000000000..e7ee2b03d
--- /dev/null
+++ b/test/networkless-install-fixes/README
@@ -0,0 +1,5 @@
+
+Those tests aim at making the networkless install timeout
+quicker, see 
+https://wiki.ubuntu.com/NetworklessInstallationFixes
+for details
diff --git a/test/networkless-install-fixes/sources.test.list b/test/networkless-install-fixes/sources.test.list
new file mode 100644
index 000000000..380e1804d
--- /dev/null
+++ b/test/networkless-install-fixes/sources.test.list
@@ -0,0 +1,25 @@
+
+# archive.ubuntu.com
+deb http://archive.ubuntu.com/ubuntu/ hardy main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ hardy main restricted
+
+deb http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted
+
+deb http://archive.ubuntu.com/ubuntu/ hardy universe
+deb-src http://archive.ubuntu.com/ubuntu/ hardy universe
+
+deb http://archive.ubuntu.com/ubuntu/ hardy-updates universe
+deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates universe
+
+# security.ubuntu.com
+deb http://security.ubuntu.com/ubuntu/ hardy-security main restricted
+deb-src http://security.ubuntu.com/ubuntu/ hardy-security main restricted
+
+deb http://security.ubuntu.com/ubuntu/ hardy-security universe
+deb-src http://security.ubuntu.com/ubuntu/ hardy-security universe
+
+
+# archive.canonical.com
+deb http://archive.canonical.com/ubuntu/ hardy-partner universe
+deb-src http://archive.canonical.com/ubuntu/ hardy-partner universe
diff --git a/test/networkless-install-fixes/test.sh b/test/networkless-install-fixes/test.sh
new file mode 100755
index 000000000..809d467ba
--- /dev/null
+++ b/test/networkless-install-fixes/test.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OPTS="-o Dir::Etc::sourcelist=./sources.test.list -o Acquire::http::timeout=20"
+
+# setup
+unset http_proxy
+iptables --flush
+
+echo "No network at all"
+ifdown eth0 
+time apt-get update $OPTS 2>&1 |grep system
+ifup eth0
+echo ""
+
+echo "no working DNS (port 53 DROP)"
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+time apt-get update $OPTS 2>&1 |grep system
+iptables --flush
+echo ""
+
+echo "DNS but no access to archive.ubuntu.com (port 80 DROP)"
+iptables -A OUTPUT -p tcp --dport 80 -j DROP
+time apt-get update $OPTS 2>&1 |grep system
+iptables --flush
+echo ""
author	Michael Vogt <egon@bottom>	2008-02-21 16:49:03 +0100
committer	Michael Vogt <egon@bottom>	2008-02-21 16:49:03 +0100
commit	0252c6beaab880081c1dc491bfe0904614a1baa7 (patch)
tree	3a31cbb1530a99a5f936dad9d5c3345a5cb90890
parent	e3a1f08d41bf6ef6a42bbc6e5f8e20f7b4aa37a0 (diff)
parent	7810fc042d4d3dda6b2c721d09d3eb7eadc12e2d (diff)