merged from debian-sid

2 files changed, 35 insertions, 6 deletions

diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf
index 0067171bd..cc7889044 100644
--- a/doc/examples/apt-https-method-example.conf
+++ b/doc/examples/apt-https-method-example.conf
@@ -36,6 +36,8 @@
       to access its content.
     - The certificate presented by both server have (as expected) a CN that
       matches their respective DNS names.
+    - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
+      to use them.
     - It somtimes happens that we had other more generic https available
       repository to our list. We want the checks to be performed against
       a common list of anchors (like the one provided by ca-certificates
@@ -56,10 +58,13 @@ Acquire::https::CaInfo     "/etc/ssl/certs/ca-certificates.pem";
 // Use a specific anchor and associated CRL. Enforce issuer of
 // server certificate using its cert.
 Acquire::https::secure.dom1.tld::CaInfo     "/etc/apt/certs/ca-dom1-crt.pem";
+Acquire::https::secure.dom1.tld::CrlFile    "/etc/apt/certs/ca-dom1-crl.pem";
+Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
 
 // Like previous for anchor and CRL, but also provide our
 // certificate and keys for client authentication.
 Acquire::https::secure.dom2.tld::CaInfo  "/etc/apt/certs/ca-dom2-crt.pem";
+Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
 Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
 Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
 
@@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
     used for the https entries in the sources.list file that use that
     repository (with the same name).
 
+  Acquire::https[::repo.domain.tld]::CrlFile  "/path/to/all/crl.pem";
+
+    Like previous knob but for passing the list of CRL files (in PEM
+    format) to be used to verify revocation status. Again, if the
+    option is defined with no specific mirror (probably makes little
+    sense), this CRL information is used for all defined https entries
+    in sources.list file. In a mirror specific context, it only applies
+    to that mirror.
+
+  Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
+
+    Allows to constrain the issuer of the server certificate (for all
+    https mirrors or a specific one) to a specific issuer. If the
+    server certificate has not been issued by this certificate,
+    connection fails.
+
   Acquire::https[::repo.domain.tld]::Verify-Peer "true";
 
     When authenticating the server, if the certificate verification fails
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index 0b0025fca..233fa2b7d 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -90,11 +90,6 @@ APT
      TrustCDROM "false";            // consider the CDROM always trusted
   };
 
-  GPGV
-  {
-     TrustedKeyring "/etc/apt/trusted.gpg";
-  };
-
   // Some general options
   Ignore-Hold "false";
   Clean-Installed "true";
@@ -176,7 +171,10 @@ Acquire
   Source-Symlinks "true";
 
   PDiffs "true";     // try to get the IndexFile diffs
-  
+  PDiffs::FileLimit "4"; // don't use diffs if we would need more than 4 diffs
+  PDiffs::SizeLimit "50"; // don't use diffs if size of all patches excess
+			  // 50% of the size of the original file
+
   // HTTP method configuration
   http 
   {
@@ -312,6 +310,8 @@ Dir "/"
      SourceParts "sources.list.d";
      VendorList "vendors.list";
      VendorParts "vendors.list.d";
+     Trusted "trusted.gpg";
+     TrustedParts "trusted.gpg.d";
   };
   
   // Locations of binaries
@@ -338,6 +338,13 @@ Dir "/"
 	// Media AutoDetect mount path
 	MountPath "/media/apt";
   };
+
+  // Media 
+  Media 
+  {
+	// Media AutoDetect mount path
+	MountPath "/media/apt";
+  };
 };
 
 // Things that effect the APT dselect method
@@ -395,6 +402,7 @@ Debug
   pkgProblemResolver::ShowScores "false";
   pkgDepCache::AutoInstall "false"; // what packages apt install to satify dependencies
   pkgDepCache::Marker "false"; 
+  pkgCacheGen "false";
   pkgAcquire "false";
   pkgAcquire::Worker "false";
   pkgAcquire::Auth "false";