Merge remote-tracking branch 'upstream/debian/experimental' into feature/acq-trans

2 files changed, 26 insertions, 0 deletions

diff --git a/debian/apt.postinst b/debian/apt.postinst
index fd3e273bb..fab026504 100644
--- a/debian/apt.postinst
+++ b/debian/apt.postinst
@@ -26,6 +26,13 @@ case "$1" in
 	    fi
 	fi
 
+        # add unprivileged user for the apt methods
+        adduser --force-badname --system --no-create-home \
+            --quiet _apt || true
+        chown -R _apt:root \
+            /var/lib/apt/lists \
+            /var/cache/apt/archives
+
         # ensure tighter permissons on the logs, see LP: #975199
         if dpkg --compare-versions "$2" lt-nl 0.9.7.7; then
             # ensure permissions are right
diff --git a/debian/changelog b/debian/changelog
index 32447d5e1..acbe7ddba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+apt (1.1~exp3) experimental; urgency=medium
+
+  [ Michael Vogt ]
+  * merged changes from debian/sid up to 1.0.9.1
+  * Make /var/lib/apt/lists and /var/cache/apt/archives owned
+    by the new _apt user
+  * Drop Privileges in the following acquire methods:
+     copy, http, https, ftp, gpgv, gzip/bzip2/lzma/xz 
+  * DropPrivs: Improvements based on feedback from error@debian.org
+
+  [ Julian Andres Klode ]
+  * DropPriv: Really call seteuid and not setuid, and add more checks
+  * Use _apt as our unprivileged user name
+  * DropPrivs: Also check for saved set-user-ID and set-group-ID
+  * methods: Fail if we cannot drop privileges
+  * DropPrivs: Also check for saved set-user-ID and set-group-ID
+
+ -- Michael Vogt <mvo@debian.org>  Wed, 24 Sep 2014 22:30:09 +0200
+
 apt (1.1~exp2) experimental; urgency=medium
 
   [ Guillem Jover ]