authorMichael Vogt <egon@bottom>2008-02-21 16:49:03 +0100
committerMichael Vogt <egon@bottom>2008-02-21 16:49:03 +0100
commit0252c6beaab880081c1dc491bfe0904614a1baa7 (patch)
tree3a31cbb1530a99a5f936dad9d5c3345a5cb90890
parente3a1f08d41bf6ef6a42bbc6e5f8e20f7b4aa37a0 (diff)
parent7810fc042d4d3dda6b2c721d09d3eb7eadc12e2d (diff)
* cmdline/apt-key:
- add support for a master-keyring that contains signing keys that can be used to sign the archive signing keys. This should make key-rollover easier. * apt-pkg/deb/dpkgpm.cc: - merged patch from Kees Cook to fix annoying upper-case display on amd64 in sbuild * apt-pkg/algorithms.cc: - add APT::Update::Post-Invoke-Success script slot - Make the breaks handling use the kill list. This means, that a Breaks: Pkg (<< version) may put Pkg onto the remove list. * apt-pkg/deb/debmetaindex.cc: - add missing "Release" file uri when apt-get update --print-uris is run * methods/connect.cc: - remember hosts with Resolve failures or connect Timeouts
-rw-r--r--apt-pkg/algorithms.cc19
-rw-r--r--apt-pkg/deb/debmetaindex.cc9
-rw-r--r--apt-pkg/deb/dpkgpm.cc4
-rw-r--r--cmdline/apt-get.cc2
-rwxr-xr-xcmdline/apt-key80
-rw-r--r--debian/changelog20
-rw-r--r--methods/connect.cc16
-rw-r--r--test/networkless-install-fixes/README5
-rw-r--r--test/networkless-install-fixes/sources.test.list25
-rwxr-xr-xtest/networkless-install-fixes/test.sh25
10 files changed, 192 insertions, 13 deletions
diff --git a/apt-pkg/algorithms.cc b/apt-pkg/algorithms.cc
index 57b85e24f..eaab4c0ea 100644
--- a/apt-pkg/algorithms.cc
+++ b/apt-pkg/algorithms.cc
@@ -985,17 +985,17 @@ bool pkgProblemResolver::Resolve(bool BrokenFix)
if (Start->Type == pkgCache::Dep::DpkgBreaks)
{
- /* Would it help if we upgraded? */
- if (Cache[End] & pkgDepCache::DepGCVer) {
+ // first, try upgradring the package, if that
+ // does not help, the breaks goes onto the
+ // kill list
+ // FIXME: use DoUpgrade(Pkg) instead?
+ if (Cache[End] & pkgDepCache::DepGCVer)
+ {
if (Debug)
clog << " Upgrading " << Pkg.Name() << " due to Breaks field in " << I.Name() << endl;
Cache.MarkInstall(Pkg, false, 0, false);
continue;
}
- if (Debug)
- clog << " Will not break " << Pkg.Name() << " as stated in Breaks field in " << I.Name() <<endl;
- Cache.MarkKeep(I, false, false);
- continue;
}
// Skip adding to the kill list if it is protected
@@ -1066,6 +1066,7 @@ bool pkgProblemResolver::Resolve(bool BrokenFix)
if ((Cache[J->Dep] & pkgDepCache::DepGNow) == 0)
{
if (J->Dep->Type == pkgCache::Dep::Conflicts ||
+ J->Dep->Type == pkgCache::Dep::DpkgBreaks ||
J->Dep->Type == pkgCache::Dep::Obsoletes)
{
if (Debug == true)
@@ -1371,7 +1372,11 @@ bool ListUpdate(pkgAcquireStatus &Stat,
return _error->Error(_("Some index files failed to download, they have been ignored, or old ones used instead."));
- // Run the scripts if all was fine
+ // Run the success scripts if all was fine
+ if(!TransientNetworkFailure && !Failed)
+ RunScripts("APT::Update::Post-Invoke-Success");
+
+ // Run the other scripts
RunScripts("APT::Update::Post-Invoke");
return true;
}
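Review bot: The new comment block in the first hunk misspells "upgradring", reads as a fragment, and leaves an open FIXME in place without saying what is wrong with the current approach; since this hunk removes the old "Will not break" fallback and the second hunk adds DpkgBreaks to the kill-list case, the comment should state that link explicitly. I would replace the four comment lines with `// First try upgrading the broken package; if that does not help, the Breaks is treated like a Conflicts and the package goes onto the kill list (see the DpkgBreaks case in the kill-list loop below).` and either resolve or explain the `DoUpgrade(Pkg)` FIXME. In the ListUpdate hunk, `if(!TransientNetworkFailure && !Failed)` departs from the surrounding `if (x == false)` style; `if (TransientNetworkFailure == false && Failed == false)` would match the file. Resolve and ListUpdate both start and end outside these hunks.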
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 9ac659f78..ee035191f 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -146,7 +146,16 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool GetAll) const
new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description,
(*Target)->ShortDesc, HashString());
}
+ // this is normally created in pkgAcqMetaSig, but if we run
+ // in --print-uris mode, we add it here
+ new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"),
+ MetaIndexInfo("Release"), "Release",
+ MetaIndexURI("Release.gpg"),
+ ComputeIndexTargets(),
+ new indexRecords (Dist));
+
}
+
new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
MetaIndexInfo("Release.gpg"), "Release.gpg",
MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
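Review bot: The comment on the added pkgAcqMetaIndex says it exists for `--print-uris` mode, but nothing in the hunk tests that mode; the new object is created unconditionally inside a branch whose condition starts above the hunk, so whether it is print-uris-only cannot be confirmed from here. If that enclosing branch is not limited to print-uris, the Release file would be queued twice on a normal update (once here, once by the pkgAcqMetaSig created just below), so the gate should be visible at this point, e.g. `if (_config->FindB("APT::Get::Print-URIs") == false) ... ` with the comment adjusted to say which condition actually applies (the option name is my assumption; confirm against apt-get.cc). The `new indexRecords (Dist)` passed as the last argument has no visible owner in the hunk; a short comment stating that pkgAcqMetaIndex takes ownership would save the next reader a lookup. GetIndexes continues outside the hunk.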
diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc
index 34e166447..bc15b8819 100644
--- a/apt-pkg/deb/dpkgpm.cc
+++ b/apt-pkg/deb/dpkgpm.cc
@@ -702,14 +702,16 @@ bool pkgDPkgPM::Go(int OutStatusFd)
sighandler_t old_SIGINT = signal(SIGINT,SIG_IGN);
struct termios tt;
+ struct termios tt_out;
struct winsize win;
int master;
int slave;
// FIXME: setup sensible signal handling (*ick*)
tcgetattr(0, &tt);
+ tcgetattr(1, &tt_out);
ioctl(0, TIOCGWINSZ, (char *)&win);
- if (openpty(&master, &slave, NULL, &tt, &win) < 0)
+ if (openpty(&master, &slave, NULL, &tt_out, &win) < 0)
{
const char *s = _("Can not write log, openpty() "
"failed (/dev/pts not mounted?)\n");
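Review bot: `tcgetattr(1, &tt_out)` is unchecked, and `tt_out` is declared without an initializer, so when fd 1 is not a terminal (a redirected log, which is exactly the sbuild situation this patch is about) openpty receives an indeterminate termios. openpty accepts a NULL termp, so the robust form is `const struct termios *termp = (tcgetattr(1, &tt_out) == 0) ? &tt_out : NULL;` followed by `if (openpty(&master, &slave, NULL, termp, &win) < 0)`. The pre-existing `tcgetattr(0, &tt)` has the same weakness but is not touched by this commit. pkgDPkgPM::Go continues well past the hunk.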
diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index 258133c19..11a8b2ef4 100644
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -1506,7 +1506,7 @@ bool TryInstallTask(pkgDepCache &Cache, pkgProblemResolver &Fix,
buf[end-start] = 0x0;
if (regexec(&Pattern,buf,0,0,0) != 0)
continue;
- res &= TryToInstall(Pkg,Cache,Fix,Remove,true,ExpectedInst);
+ res &= TryToInstall(Pkg,Cache,Fix,Remove,false,ExpectedInst);
found = true;
}
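Review bot: The fifth argument of TryToInstall is flipped from `true` to `false` with no comment, and the changelog hunk in this same commit does not mention cmdline/apt-get.cc, so a reader has no way to learn which flag this is or why task installs need it off. A one-line comment naming the parameter as it is declared in TryToInstall and the reason for the new value would make the change self-explaining; the changelog should also gain an entry for it. TryInstallTask starts and ends outside the hunk.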
diff --git a/cmdline/apt-key b/cmdline/apt-key
index c7db9a25a..6dd9fd8aa 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -9,9 +9,73 @@ GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-k
GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg"
+MASTER_KEYRING=""
+ARCHIVE_KEYRING_URI=""
+#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg
+#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg
+
ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg
+add_keys_with_verify_against_master_keyring() {
+ ADD_KEYRING=$1
+ MASTER=$2
+
+ if [ ! -f "$ADD_KEYRING" ]; then
+ echo "ERROR: '$ADD_KEYRING' not found"
+ return
+ fi
+ if [ ! -f "$MASTER" ]; then
+ echo "ERROR: '$MASTER' not found"
+ return
+ fi
+
+ # when adding new keys, make sure that the archive-master-keyring
+ # is honored. so:
+ # all keys that are exported and have the name
+ # "Ubuntu Archive Automatic Signing Key" must have a valid signature
+ # from a key in the ubuntu-master-keyring
+ add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ for add_key in $add_keys; do
+ ADDED=0
+ for master_key in $master_keys; do
+ if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
+ $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
+ ADDED=1
+ fi
+ done
+ if [ $ADDED = 0 ]; then
+ echo >&2 "Key '$add_key' not added. It is not signed with a master key"
+ fi
+ done
+}
+
+# update the current archive signing keyring from a network URI
+# the archive-keyring keys needs to be signed with the master key
+# (otherwise it does not make sense from a security POV)
+net_update() {
+ if [ -z "$ARCHIVE_KEYRING_URI" ]; then
+ echo "ERROR: no location for the archive-keyring given"
+ fi
+ if [ ! -d /var/lib/apt/keyrings ]; then
+ mkdir -p /var/lib/apt/keyrings
+ fi
+ keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
+ old_mtime=0
+ if [ -e $keyring ]; then
+ old_mtime=$(stat -c %Y $keyring)
+ fi
+ (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
+ if [ ! -e $keyring ]; then
+ return
+ fi
+ new_mtime=$(stat -c %Y $keyring)
+ if [ $new_mtime -ne $old_mtime ]; then
+ echo "Checking for new archive signing keys now"
+ add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
+ fi
+}
update() {
if [ ! -f $ARCHIVE_KEYRING ]; then
@@ -20,10 +84,15 @@ update() {
exit 1
fi
- # add new keys
- $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
+ # add new keys, if no MASTER_KEYRING is used, use the traditional
+ # way
+ if [ -z "$MASTER_KEYRING" ]; then
+ $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
+ else
+ add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING
+ fi
- # remove no-longer used keys
+ # remove no-longer supported/used keys
keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
for key in $keys; do
if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
@@ -32,6 +101,7 @@ update() {
done
}
+
usage() {
echo "Usage: apt-key [command] [arguments]"
echo
@@ -42,6 +112,7 @@ usage() {
echo " apt-key export <keyid> - output the key <keyid>"
echo " apt-key exportall - output all trusted keys"
echo " apt-key update - update keys using the keyring package"
+ echo " apt-key net-update - update keys using the network"
echo " apt-key list - list keys"
echo
}
@@ -71,6 +142,9 @@ case "$command" in
update)
update
;;
+ net-update)
+ net_update
+ ;;
list)
$GPG --batch --list-keys
;;
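Review bot: In add_keys_with_verify_against_master_keyring, the test that gates the import uses `--list-sigs`, which only lists the signature packets present on the key without verifying them, so the check is satisfied by any signature packet that names a master key id rather than by a signature that actually validates; the key should be accepted only on a good, verified signature, which means `--check-sigs` with both keyrings available to gpg (the GPG_CMD prefix carries `--no-default-keyring`, so the master public key must be passed explicitly) and a match on the `!` validity field, e.g. `if $GPG_CMD --keyring $ADD_KEYRING --keyring $MASTER --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q "^$master_key\$"; then`. The trailing `grep -q $master_key` is also unanchored, so a shorter id would match as a substring of another; the anchored pattern above fixes that too. In net_update, the empty-`ARCHIVE_KEYRING_URI` branch prints an error but falls through to `wget` with an empty argument; add `return 1` after the echo, and the same early check is worth adding for an empty `MASTER_KEYRING`, since without it the downloaded keyring can never be verified and the function currently fails only indirectly inside the helper. All error messages in the new functions go to stdout except the one at the end of the inner loop; sending them all to `>&2` would keep the script's output consistent.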
diff --git a/debian/changelog b/debian/changelog
index 7f6d893d2..32995db61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,28 @@
apt (0.7.12) UNRELEASED; urgency=low
+ [ Michael Vogt ]
+ * cmdline/apt-key:
+ - add support for a master-keyring that contains signing keys
+ that can be used to sign the archive signing keys. This should
+ make key-rollover easier.
+ * apt-pkg/deb/dpkgpm.cc:
+ - merged patch from Kees Cook to fix anoying upper-case display
+ on amd64 in sbuild
+ * apt-pkg/algorithms.cc:
+ - add APT::Update::Post-Invoke-Success script slot
+ - Make the breaks handling use the kill list. This means, that a
+ Breaks: Pkg (<< version) may put Pkg onto the remove list.
+ * apt-pkg/deb/debmetaindex.cc:
+ - add missing "Release" file uri when apt-get update --print-uris
+ is run
+ * methods/connect.cc:
+ - remember hosts with Resolve failures or connect Timeouts
+
[ Christian Perrier ]
* Fix typos in manpages. Thanks to Daniel Leidert for the fixes
Closes: #444922
- -- Christian Perrier <bubulle@debian.org> Tue, 19 Feb 2008 20:34:02 +0100
+ -- Michael Vogt <mvo@debian.org> Thu, 10 Jan 2008 12:06:12 +0100
apt (0.7.11) unstable; urgency=critical
diff --git a/methods/connect.cc b/methods/connect.cc
index aef7db389..355bd5c4d 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -19,6 +19,9 @@
#include <errno.h>
#include <unistd.h>
+#include<set>
+#include<string>
+
// Internet stuff
#include <netinet/in.h>
#include <sys/socket.h>
@@ -34,6 +37,9 @@ static int LastPort = 0;
static struct addrinfo *LastHostAddr = 0;
static struct addrinfo *LastUsed = 0;
+// Set of IP/hostnames that we timed out before or couldn't resolve
+static std::set<string> bad_addr;
+
// RotateDNS - Select a new server from a DNS rotation /*{{{*/
// ---------------------------------------------------------------------
/* This is called during certain errors in order to recover by selecting a
@@ -63,6 +69,10 @@ static bool DoConnect(struct addrinfo *Addr,string Host,
NI_NUMERICHOST|NI_NUMERICSERV);
Owner->Status(_("Connecting to %s (%s)"),Host.c_str(),Name);
+ // if that addr did timeout before, we do not try it again
+ if(bad_addr.find(string(Name)) != bad_addr.end())
+ return false;
+
/* If this is an IP rotation store the IP we are using.. If something goes
wrong this will get tacked onto the end of the error message */
if (LastHostAddr->ai_next != 0)
@@ -89,6 +99,7 @@ static bool DoConnect(struct addrinfo *Addr,string Host,
/* This implements a timeout for connect by opening the connection
nonblocking */
if (WaitFd(Fd,true,TimeOut) == false) {
+ bad_addr.insert(bad_addr.begin(), string(Name));
Owner->SetFailExtraMsg("\nFailReason: Timeout");
return _error->Error(_("Could not connect to %s:%s (%s), "
"connection timed out"),Host.c_str(),Service,Name);
@@ -149,6 +160,10 @@ bool Connect(string Host,int Port,const char *Service,int DefPort,int &Fd,
Hints.ai_socktype = SOCK_STREAM;
Hints.ai_protocol = 0;
+ // if we couldn't resolve the host before, we don't try now
+ if(bad_addr.find(Host) != bad_addr.end())
+ return _error->Error(_("Could not resolve '%s'"),Host.c_str());
+
// Resolve both the host and service simultaneously
while (1)
{
@@ -164,6 +179,7 @@ bool Connect(string Host,int Port,const char *Service,int DefPort,int &Fd,
DefPort = 0;
continue;
}
+ bad_addr.insert(bad_addr.begin(), Host);
Owner->SetFailExtraMsg("\nFailReason: ResolveFailure");
return _error->Error(_("Could not resolve '%s'"),Host.c_str());
}
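Review bot: The new early return in DoConnect (`return false` after the bad_addr lookup) is the only failure path in these hunks that does not set an error via `_error->Error`, and it runs after `Owner->Status(_("Connecting to %s (%s)"), ...)` has already announced the attempt; the caller, which is outside the hunk, will see a failed connect with no reason attached unless it happens to check bad_addr itself. Moving the lookup above the Status call and returning `_error->Error(_("Could not connect to %s:%s (%s), connection timed out"),Host.c_str(),Service,Name);`, the same message the original timeout path emits, keeps the reporting consistent. The `bad_addr.insert(bad_addr.begin(), ...)` calls use the position-hint overload for no benefit; plain `bad_addr.insert(string(Name));` and `bad_addr.insert(Host);` read better. The set is keyed by both numeric addresses (DoConnect) and host names (Connect) and is never aged out for the life of the method process; a comment on the declaration stating both facts would help, and the includes should match the file's `#include <...>` spacing.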
diff --git a/test/networkless-install-fixes/README b/test/networkless-install-fixes/README
new file mode 100644
index 000000000..e7ee2b03d
--- /dev/null
+++ b/test/networkless-install-fixes/README
@@ -0,0 +1,5 @@
+
+Those tests aim at making the networkless install timeout
+quicker, see
+https://wiki.ubuntu.com/NetworklessInstallationFixes
+for details
diff --git a/test/networkless-install-fixes/sources.test.list b/test/networkless-install-fixes/sources.test.list
new file mode 100644
index 000000000..380e1804d
--- /dev/null
+++ b/test/networkless-install-fixes/sources.test.list
@@ -0,0 +1,25 @@
+
+# archive.ubuntu.com
+deb http://archive.ubuntu.com/ubuntu/ hardy main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ hardy main restricted
+
+deb http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted
+
+deb http://archive.ubuntu.com/ubuntu/ hardy universe
+deb-src http://archive.ubuntu.com/ubuntu/ hardy universe
+
+deb http://archive.ubuntu.com/ubuntu/ hardy-updates universe
+deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates universe
+
+# security.ubuntu.com
+deb http://security.ubuntu.com/ubuntu/ hardy-security main restricted
+deb-src http://security.ubuntu.com/ubuntu/ hardy-security main restricted
+
+deb http://security.ubuntu.com/ubuntu/ hardy-security universe
+deb-src http://security.ubuntu.com/ubuntu/ hardy-security universe
+
+
+# archive.canonical.com
+deb http://archive.canonical.com/ubuntu/ hardy-partner universe
+deb-src http://archive.canonical.com/ubuntu/ hardy-partner universe
diff --git a/test/networkless-install-fixes/test.sh b/test/networkless-install-fixes/test.sh
new file mode 100755
index 000000000..809d467ba
--- /dev/null
+++ b/test/networkless-install-fixes/test.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OPTS="-o Dir::Etc::sourcelist=./sources.test.list -o Acquire::http::timeout=20"
+
+# setup
+unset http_proxy
+iptables --flush
+
+echo "No network at all"
+ifdown eth0
+time apt-get update $OPTS 2>&1 |grep system
+ifup eth0
+echo ""
+
+echo "no working DNS (port 53 DROP)"
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+time apt-get update $OPTS 2>&1 |grep system
+iptables --flush
+echo ""
+
+echo "DNS but no access to archive.ubuntu.com (port 80 DROP)"
+iptables -A OUTPUT -p tcp --dport 80 -j DROP
+time apt-get update $OPTS 2>&1 |grep system
+iptables --flush
+echo ""
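Review bot: `iptables --flush` in the setup section and after each case discards whatever OUTPUT rules the host already has and nothing restores them, so running the test on a machine with an existing firewall leaves it unfiltered afterwards, and an early abort (the script has no `set -e` and `ifup eth0` is skipped if `apt-get` is interrupted) leaves the DROP rule or the downed interface in place. Saving and restoring the ruleset around the run, `SAVED=$(mktemp); iptables-save > "$SAVED"` at the top and `trap 'iptables-restore < "$SAVED"; rm -f "$SAVED"; ifup eth0' EXIT`, makes the harness safe to rerun. The script also assumes root and a fixed `eth0`; a `[ "$(id -u)" = 0 ]` check and an `IFACE=${1:-eth0}` parameter would document both assumptions in code.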