diff options
author | Michael Vogt <egon@bottom> | 2008-02-21 16:49:03 +0100 |
---|---|---|
committer | Michael Vogt <egon@bottom> | 2008-02-21 16:49:03 +0100 |
commit | 0252c6beaab880081c1dc491bfe0904614a1baa7 (patch) | |
tree | 3a31cbb1530a99a5f936dad9d5c3345a5cb90890 | |
parent | e3a1f08d41bf6ef6a42bbc6e5f8e20f7b4aa37a0 (diff) | |
parent | 7810fc042d4d3dda6b2c721d09d3eb7eadc12e2d (diff) |
* cmdline/apt-key:
- add support for a master-keyring that contains signing keys
that can be used to sign the archive signing keys. This should
make key-rollover easier.
* apt-pkg/deb/dpkgpm.cc:
- merged patch from Kees Cook to fix anoying upper-case display
on amd64 in sbuild
* apt-pkg/algorithms.cc:
- add APT::Update::Post-Invoke-Success script slot
- Make the breaks handling use the kill list. This means, that a
Breaks: Pkg (<< version) may put Pkg onto the remove list.
* apt-pkg/deb/debmetaindex.cc:
- add missing "Release" file uri when apt-get update --print-uris
is run
* methods/connect.cc:
- remember hosts with Resolve failures or connect Timeouts
-rw-r--r-- | apt-pkg/algorithms.cc | 19 | ||||
-rw-r--r-- | apt-pkg/deb/debmetaindex.cc | 9 | ||||
-rw-r--r-- | apt-pkg/deb/dpkgpm.cc | 4 | ||||
-rw-r--r-- | cmdline/apt-get.cc | 2 | ||||
-rwxr-xr-x | cmdline/apt-key | 80 | ||||
-rw-r--r-- | debian/changelog | 20 | ||||
-rw-r--r-- | methods/connect.cc | 16 | ||||
-rw-r--r-- | test/networkless-install-fixes/README | 5 | ||||
-rw-r--r-- | test/networkless-install-fixes/sources.test.list | 25 | ||||
-rwxr-xr-x | test/networkless-install-fixes/test.sh | 25 |
10 files changed, 192 insertions, 13 deletions
diff --git a/apt-pkg/algorithms.cc b/apt-pkg/algorithms.cc index 57b85e24f..eaab4c0ea 100644 --- a/apt-pkg/algorithms.cc +++ b/apt-pkg/algorithms.cc @@ -985,17 +985,17 @@ bool pkgProblemResolver::Resolve(bool BrokenFix) if (Start->Type == pkgCache::Dep::DpkgBreaks) { - /* Would it help if we upgraded? */ - if (Cache[End] & pkgDepCache::DepGCVer) { + // first, try upgradring the package, if that + // does not help, the breaks goes onto the + // kill list + // FIXME: use DoUpgrade(Pkg) instead? + if (Cache[End] & pkgDepCache::DepGCVer) + { if (Debug) clog << " Upgrading " << Pkg.Name() << " due to Breaks field in " << I.Name() << endl; Cache.MarkInstall(Pkg, false, 0, false); continue; } - if (Debug) - clog << " Will not break " << Pkg.Name() << " as stated in Breaks field in " << I.Name() <<endl; - Cache.MarkKeep(I, false, false); - continue; } // Skip adding to the kill list if it is protected @@ -1066,6 +1066,7 @@ bool pkgProblemResolver::Resolve(bool BrokenFix) if ((Cache[J->Dep] & pkgDepCache::DepGNow) == 0) { if (J->Dep->Type == pkgCache::Dep::Conflicts || + J->Dep->Type == pkgCache::Dep::DpkgBreaks || J->Dep->Type == pkgCache::Dep::Obsoletes) { if (Debug == true) @@ -1371,7 +1372,11 @@ bool ListUpdate(pkgAcquireStatus &Stat, return _error->Error(_("Some index files failed to download, they have been ignored, or old ones used instead.")); - // Run the scripts if all was fine + // Run the success scripts if all was fine + if(!TransientNetworkFailure && !Failed) + RunScripts("APT::Update::Post-Invoke-Success"); + + // Run the other scripts RunScripts("APT::Update::Post-Invoke"); return true; } diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc index 9ac659f78..ee035191f 100644 --- a/apt-pkg/deb/debmetaindex.cc +++ b/apt-pkg/deb/debmetaindex.cc @@ -146,7 +146,16 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool GetAll) const new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description, (*Target)->ShortDesc, HashString()); } + // this is normally created in pkgAcqMetaSig, but if we run + // in --print-uris mode, we add it here + new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"), + MetaIndexInfo("Release"), "Release", + MetaIndexURI("Release.gpg"), + ComputeIndexTargets(), + new indexRecords (Dist)); + } + new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"), MetaIndexInfo("Release.gpg"), "Release.gpg", MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release", diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc index 34e166447..bc15b8819 100644 --- a/apt-pkg/deb/dpkgpm.cc +++ b/apt-pkg/deb/dpkgpm.cc @@ -702,14 +702,16 @@ bool pkgDPkgPM::Go(int OutStatusFd) sighandler_t old_SIGINT = signal(SIGINT,SIG_IGN); struct termios tt; + struct termios tt_out; struct winsize win; int master; int slave; // FIXME: setup sensible signal handling (*ick*) tcgetattr(0, &tt); + tcgetattr(1, &tt_out); ioctl(0, TIOCGWINSZ, (char *)&win); - if (openpty(&master, &slave, NULL, &tt, &win) < 0) + if (openpty(&master, &slave, NULL, &tt_out, &win) < 0) { const char *s = _("Can not write log, openpty() " "failed (/dev/pts not mounted?)\n"); diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 258133c19..11a8b2ef4 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -1506,7 +1506,7 @@ bool TryInstallTask(pkgDepCache &Cache, pkgProblemResolver &Fix, buf[end-start] = 0x0; if (regexec(&Pattern,buf,0,0,0) != 0) continue; - res &= TryToInstall(Pkg,Cache,Fix,Remove,true,ExpectedInst); + res &= TryToInstall(Pkg,Cache,Fix,Remove,false,ExpectedInst); found = true; } diff --git a/cmdline/apt-key b/cmdline/apt-key index c7db9a25a..6dd9fd8aa 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -9,9 +9,73 @@ GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-k GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg" +MASTER_KEYRING="" +ARCHIVE_KEYRING_URI="" +#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg +#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg + ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg +add_keys_with_verify_against_master_keyring() { + ADD_KEYRING=$1 + MASTER=$2 + + if [ ! -f "$ADD_KEYRING" ]; then + echo "ERROR: '$ADD_KEYRING' not found" + return + fi + if [ ! -f "$MASTER" ]; then + echo "ERROR: '$MASTER' not found" + return + fi + + # when adding new keys, make sure that the archive-master-keyring + # is honored. so: + # all keys that are exported and have the name + # "Ubuntu Archive Automatic Signing Key" must have a valid signature + # from a key in the ubuntu-master-keyring + add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + for add_key in $add_keys; do + ADDED=0 + for master_key in $master_keys; do + if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import + ADDED=1 + fi + done + if [ $ADDED = 0 ]; then + echo >&2 "Key '$add_key' not added. It is not signed with a master key" + fi + done +} + +# update the current archive signing keyring from a network URI +# the archive-keyring keys needs to be signed with the master key +# (otherwise it does not make sense from a security POV) +net_update() { + if [ -z "$ARCHIVE_KEYRING_URI" ]; then + echo "ERROR: no location for the archive-keyring given" + fi + if [ ! -d /var/lib/apt/keyrings ]; then + mkdir -p /var/lib/apt/keyrings + fi + keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) + old_mtime=0 + if [ -e $keyring ]; then + old_mtime=$(stat -c %Y $keyring) + fi + (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) + if [ ! -e $keyring ]; then + return + fi + new_mtime=$(stat -c %Y $keyring) + if [ $new_mtime -ne $old_mtime ]; then + echo "Checking for new archive signing keys now" + add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING + fi +} update() { if [ ! -f $ARCHIVE_KEYRING ]; then @@ -20,10 +84,15 @@ update() { exit 1 fi - # add new keys - $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import + # add new keys, if no MASTER_KEYRING is used, use the traditional + # way + if [ -z "$MASTER_KEYRING" ]; then + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import + else + add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING + fi - # remove no-longer used keys + # remove no-longer supported/used keys keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` for key in $keys; do if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then @@ -32,6 +101,7 @@ update() { done } + usage() { echo "Usage: apt-key [command] [arguments]" echo @@ -42,6 +112,7 @@ usage() { echo " apt-key export <keyid> - output the key <keyid>" echo " apt-key exportall - output all trusted keys" echo " apt-key update - update keys using the keyring package" + echo " apt-key net-update - update keys using the network" echo " apt-key list - list keys" echo } @@ -71,6 +142,9 @@ case "$command" in update) update ;; + net-update) + net_update + ;; list) $GPG --batch --list-keys ;; diff --git a/debian/changelog b/debian/changelog index 7f6d893d2..32995db61 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,28 @@ apt (0.7.12) UNRELEASED; urgency=low + [ Michael Vogt ] + * cmdline/apt-key: + - add support for a master-keyring that contains signing keys + that can be used to sign the archive signing keys. This should + make key-rollover easier. + * apt-pkg/deb/dpkgpm.cc: + - merged patch from Kees Cook to fix anoying upper-case display + on amd64 in sbuild + * apt-pkg/algorithms.cc: + - add APT::Update::Post-Invoke-Success script slot + - Make the breaks handling use the kill list. This means, that a + Breaks: Pkg (<< version) may put Pkg onto the remove list. + * apt-pkg/deb/debmetaindex.cc: + - add missing "Release" file uri when apt-get update --print-uris + is run + * methods/connect.cc: + - remember hosts with Resolve failures or connect Timeouts + [ Christian Perrier ] * Fix typos in manpages. Thanks to Daniel Leidert for the fixes Closes: #444922 - -- Christian Perrier <bubulle@debian.org> Tue, 19 Feb 2008 20:34:02 +0100 + -- Michael Vogt <mvo@debian.org> Thu, 10 Jan 2008 12:06:12 +0100 apt (0.7.11) unstable; urgency=critical diff --git a/methods/connect.cc b/methods/connect.cc index aef7db389..355bd5c4d 100644 --- a/methods/connect.cc +++ b/methods/connect.cc @@ -19,6 +19,9 @@ #include <errno.h> #include <unistd.h> +#include<set> +#include<string> + // Internet stuff #include <netinet/in.h> #include <sys/socket.h> @@ -34,6 +37,9 @@ static int LastPort = 0; static struct addrinfo *LastHostAddr = 0; static struct addrinfo *LastUsed = 0; +// Set of IP/hostnames that we timed out before or couldn't resolve +static std::set<string> bad_addr; + // RotateDNS - Select a new server from a DNS rotation /*{{{*/ // --------------------------------------------------------------------- /* This is called during certain errors in order to recover by selecting a @@ -63,6 +69,10 @@ static bool DoConnect(struct addrinfo *Addr,string Host, NI_NUMERICHOST|NI_NUMERICSERV); Owner->Status(_("Connecting to %s (%s)"),Host.c_str(),Name); + // if that addr did timeout before, we do not try it again + if(bad_addr.find(string(Name)) != bad_addr.end()) + return false; + /* If this is an IP rotation store the IP we are using.. If something goes wrong this will get tacked onto the end of the error message */ if (LastHostAddr->ai_next != 0) @@ -89,6 +99,7 @@ static bool DoConnect(struct addrinfo *Addr,string Host, /* This implements a timeout for connect by opening the connection nonblocking */ if (WaitFd(Fd,true,TimeOut) == false) { + bad_addr.insert(bad_addr.begin(), string(Name)); Owner->SetFailExtraMsg("\nFailReason: Timeout"); return _error->Error(_("Could not connect to %s:%s (%s), " "connection timed out"),Host.c_str(),Service,Name); @@ -149,6 +160,10 @@ bool Connect(string Host,int Port,const char *Service,int DefPort,int &Fd, Hints.ai_socktype = SOCK_STREAM; Hints.ai_protocol = 0; + // if we couldn't resolve the host before, we don't try now + if(bad_addr.find(Host) != bad_addr.end()) + return _error->Error(_("Could not resolve '%s'"),Host.c_str()); + // Resolve both the host and service simultaneously while (1) { @@ -164,6 +179,7 @@ bool Connect(string Host,int Port,const char *Service,int DefPort,int &Fd, DefPort = 0; continue; } + bad_addr.insert(bad_addr.begin(), Host); Owner->SetFailExtraMsg("\nFailReason: ResolveFailure"); return _error->Error(_("Could not resolve '%s'"),Host.c_str()); } diff --git a/test/networkless-install-fixes/README b/test/networkless-install-fixes/README new file mode 100644 index 000000000..e7ee2b03d --- /dev/null +++ b/test/networkless-install-fixes/README @@ -0,0 +1,5 @@ + +Those tests aim at making the networkless install timeout +quicker, see +https://wiki.ubuntu.com/NetworklessInstallationFixes +for details diff --git a/test/networkless-install-fixes/sources.test.list b/test/networkless-install-fixes/sources.test.list new file mode 100644 index 000000000..380e1804d --- /dev/null +++ b/test/networkless-install-fixes/sources.test.list @@ -0,0 +1,25 @@ + +# archive.ubuntu.com +deb http://archive.ubuntu.com/ubuntu/ hardy main restricted +deb-src http://archive.ubuntu.com/ubuntu/ hardy main restricted + +deb http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted +deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted + +deb http://archive.ubuntu.com/ubuntu/ hardy universe +deb-src http://archive.ubuntu.com/ubuntu/ hardy universe + +deb http://archive.ubuntu.com/ubuntu/ hardy-updates universe +deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates universe + +# security.ubuntu.com +deb http://security.ubuntu.com/ubuntu/ hardy-security main restricted +deb-src http://security.ubuntu.com/ubuntu/ hardy-security main restricted + +deb http://security.ubuntu.com/ubuntu/ hardy-security universe +deb-src http://security.ubuntu.com/ubuntu/ hardy-security universe + + +# archive.canonical.com +deb http://archive.canonical.com/ubuntu/ hardy-partner universe +deb-src http://archive.canonical.com/ubuntu/ hardy-partner universe diff --git a/test/networkless-install-fixes/test.sh b/test/networkless-install-fixes/test.sh new file mode 100755 index 000000000..809d467ba --- /dev/null +++ b/test/networkless-install-fixes/test.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +OPTS="-o Dir::Etc::sourcelist=./sources.test.list -o Acquire::http::timeout=20" + +# setup +unset http_proxy +iptables --flush + +echo "No network at all" +ifdown eth0 +time apt-get update $OPTS 2>&1 |grep system +ifup eth0 +echo "" + +echo "no working DNS (port 53 DROP)" +iptables -A OUTPUT -p udp --dport 53 -j DROP +time apt-get update $OPTS 2>&1 |grep system +iptables --flush +echo "" + +echo "DNS but no access to archive.ubuntu.com (port 80 DROP)" +iptables -A OUTPUT -p tcp --dport 80 -j DROP +time apt-get update $OPTS 2>&1 |grep system +iptables --flush +echo "" |