-rw-r--r--apt-pkg/acquire-item.cc97
-rw-r--r--apt-pkg/acquire-item.h8
-rw-r--r--apt-pkg/contrib/fileutl.h2
-rw-r--r--apt-pkg/contrib/proxy.cc4
-rw-r--r--debian/changelog15
-rw-r--r--doc/po/de.po124
-rw-r--r--methods/copy.cc32
-rw-r--r--po/tr.po16
-rwxr-xr-xprepare-release55
-rwxr-xr-xtest/integration/test-apt-update-stale46
-rwxr-xr-xtest/integration/test-apt-update-unauth48
-rwxr-xr-xtest/integration/test-hashsum-verification14
12 files changed, 302 insertions, 159 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 6cb9b012a..058b8bf74 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1021,6 +1021,31 @@ void pkgAcqIndex::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*{{{*/
Item::Failed(Message,Cnf);
}
/*}}}*/
+// pkgAcqIndex::GetFinalFilename - Return the full final file path /*{{{*/
+std::string pkgAcqIndex::GetFinalFilename(std::string const &URI,
+ std::string const &compExt)
+{
+ std::string FinalFile = _config->FindDir("Dir::State::lists");
+ FinalFile += URItoFileName(URI);
+ if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")
+ FinalFile += ".gz";
+ return FinalFile;
+}
+ /*}}}*/
+// AcqIndex::ReverifyAfterIMS - Reverify index after an ims-hit /*{{{*/
+void pkgAcqIndex::ReverifyAfterIMS(std::string const &FileName)
+{
+ std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' '));
+ if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")
+ DestFile += ".gz";
+
+ string FinalFile = GetFinalFilename(RealURI, compExt);
+ Rename(FinalFile, FileName);
+ Decompression = true;
+ Desc.URI = "copy:" + FileName;
+ QueueURI(Desc);
+}
+ /*}}}*/
// AcqIndex::Done - Finished a fetch /*{{{*/
// ---------------------------------------------------------------------
/* This goes through a number of states.. On the initial fetch the
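Review bot: ReverifyAfterIMS queues the `copy:` job without looking at whether `Rename(FinalFile, FileName)` succeeded. Rename is defined outside this page, so how it reports failure needs checking, but if the move can fail, the previously accepted index stays under its final name and is never re-hashed. Stop before `QueueURI(Desc)` in that case and add a comment such as `// move the final index back so copy: re-hashes it; on failure it must not stay trusted`. The `GzipIndexes && compExt == "gz"` test also appears here, in GetFinalFilename and twice in Done; one small helper would keep the four sites from drifting apart.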
@@ -1032,6 +1057,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
pkgAcquire::MethodConfig *Cfg)
{
Item::Done(Message,Size,Hash,Cfg);
+ std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' '));
if (Decompression == true)
{
@@ -1043,6 +1069,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
if (!ExpectedHash.empty() && ExpectedHash.toStr() != Hash)
{
+ Desc.URI = RealURI;
RenameOnError(HashSumMismatch);
return;
}
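Review bot: The added `Desc.URI = RealURI;` has no comment, and its purpose cannot be read from this branch alone. Elsewhere in this commit Desc.URI is overwritten with `"copy:" + FileName` before re-queueing, so the reset presumably makes the hash-mismatch report name the remote index rather than the local copy job. Suggest `// restore the real URI so the mismatch is reported against the remote index, not the copy: job` above the assignment. Done's body starts and ends outside the hunk.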
@@ -1053,9 +1080,9 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
/* Always verify the index file for correctness (all indexes must
* have a Package field) (LP: #346386) (Closes: #627642)
*/
- FileFd fd(DestFile, FileFd::ReadOnly);
+ FileFd fd(DestFile, FileFd::ReadOnlyGzip);
// Only test for correctness if the file is not empty (empty is ok)
- if (fd.FileSize() > 0)
+ if (fd.Size() > 0)
{
pkgTagSection sec;
pkgTagFile tag(&fd);
@@ -1069,8 +1096,7 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
}
// Done, move it into position
- string FinalFile = _config->FindDir("Dir::State::lists");
- FinalFile += URItoFileName(RealURI);
+ string FinalFile = GetFinalFilename(RealURI, compExt);
Rename(DestFile,FinalFile);
chmod(FinalFile.c_str(),0644);
@@ -1078,7 +1104,9 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
will work OK */
DestFile = _config->FindDir("Dir::State::lists") + "partial/";
DestFile += URItoFileName(RealURI);
-
+ if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")
+ DestFile += ".gz";
+
// Remove the compressed version.
if (Erase == true)
unlink(DestFile.c_str());
@@ -1094,7 +1122,10 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
{
// The files timestamp matches
if (StringToBool(LookupTag(Message,"Alt-IMS-Hit"),false) == true)
- return;
+ {
+ ReverifyAfterIMS(FileName);
+ return;
+ }
Decompression = true;
Local = true;
DestFile += ".decomp";
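Review bot: In the Alt-IMS-Hit branch, `ReverifyAfterIMS(FileName)` ends in `Rename(FinalFile, FileName)`, which moves the final lists file onto whatever path FileName holds. Where FileName is assigned is outside the hunk; if it is taken from an Alt-* tag supplied by the method, it may not be a path under partial/, and the rename would then write outside apt's own state directory. Confirm the origin and state the precondition on the helper, e.g. `// FileName must be a path under partial/; the final index is moved there for re-hashing`. The same call is added in the plain IMS-Hit branch of a later hunk.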
@@ -1111,15 +1142,12 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
ErrorText = "Method gave a blank filename";
}
- std::string const compExt = CompressionExtension.substr(0, CompressionExtension.find(' '));
-
// The files timestamp matches
- if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) {
- if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")
- // Update DestFile for .gz suffix so that the clean operation keeps it
- DestFile += ".gz";
+ if (StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+ {
+ ReverifyAfterIMS(FileName);
return;
- }
+ }
if (FileName == DestFile)
Erase = true;
@@ -1128,16 +1156,16 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
string decompProg;
- // If we enable compressed indexes and already have gzip, keep it
- if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz" && !Local) {
- string FinalFile = _config->FindDir("Dir::State::lists");
- FinalFile += URItoFileName(RealURI) + ".gz";
- Rename(DestFile,FinalFile);
- chmod(FinalFile.c_str(),0644);
-
- // Update DestFile for .gz suffix so that the clean operation keeps it
- DestFile = _config->FindDir("Dir::State::lists") + "partial/";
+ // If we enable compressed indexes, queue for hash verification
+ if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz" && !Local)
+ {
+ DestFile = _config->FindDir("Dir::State::lists");
DestFile += URItoFileName(RealURI) + ".gz";
+
+ Decompression = true;
+ Desc.URI = "copy:" + FileName;
+ QueueURI(Desc);
+
return;
}
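Review bot: With GzipIndexes enabled, DestFile is now set to the final `Dir::State::lists` path before the `copy:` job is queued, so the downloaded .gz sits under its final name before the hash comparison in the Decompression branch has run. If the run is interrupted in between, or the comparison fails, data that was never verified is present in lists/. The `grep -v FAILED` added to test-hashsum-verification suggests a renamed failed file does remain there. Consider keeping the target under partial/ as the uncompressed path does, `DestFile = _config->FindDir("Dir::State::lists") + "partial/";`, and letting the existing `Rename(DestFile,FinalFile)` move it only after verification. Done's body continues outside the hunk.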
@@ -1181,6 +1209,9 @@ string pkgAcqIndexTrans::Custom600Headers()
string Final = _config->FindDir("Dir::State::lists");
Final += URItoFileName(RealURI);
+ if (_config->FindB("Acquire::GzipIndexes",false))
+ Final += ".gz";
+
struct stat Buf;
if (stat(Final.c_str(),&Buf) != 0)
return "\nFail-Ignore: true\nIndex-File: true";
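Review bot: The suffix test added here checks only `Acquire::GzipIndexes`, while GetFinalFilename in the same commit appends `.gz` only when the compression extension is also `gz`. If the two disagree for a translation index, `stat(Final.c_str(),&Buf)` looks at a name that was never written and the function falls into the `Fail-Ignore` return without reaching whatever follows the stat. Use the same predicate as the other sites, `if (_config->FindB("Acquire::GzipIndexes",false) && compExt == "gz")`, with compExt derived as in Done, or call GetFinalFilename if it is reachable from this class. The function body continues outside the hunk.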
@@ -1510,6 +1541,28 @@ void pkgAcqMetaIndex::AuthDone(string Message) /*{{{*/
std::cerr << "Signature verification succeeded: "
<< DestFile << std::endl;
+ // do not trust any previously unverified content that we may have
+ string LastGoodSigFile = _config->FindDir("Dir::State::lists").append("partial/").append(URItoFileName(RealURI));
+ if (DestFile != SigFile)
+ LastGoodSigFile.append(".gpg");
+ LastGoodSigFile.append(".reverify");
+ if(IMSHit == false && RealFileExists(LastGoodSigFile) == false)
+ {
+ for (vector <struct IndexTarget*>::const_iterator Target = IndexTargets->begin();
+ Target != IndexTargets->end();
+ ++Target)
+ {
+ // remove old indexes
+ std::string index = _config->FindDir("Dir::State::lists") +
+ URItoFileName((*Target)->URI);
+ unlink(index.c_str());
+ // and also old gzipindexes
+ index += ".gz";
+ unlink(index.c_str());
+ }
+ }
+
+
// Download further indexes with verification
QueueIndexes(true);
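Review bot: Both `unlink(index.c_str())` calls in the new loop discard their result. An old index that cannot be removed, for any reason other than not existing, therefore stays in lists/ even though the comment above says previously unverified content must not be trusted. Test the result with `if (unlink(index.c_str()) != 0 && errno != ENOENT)` and fail or at least report the item in that case. The loop also covers only the plain and `.gz` names of each target, which deserves a short comment stating that no other stored form exists. AuthDone's body starts and ends outside the hunk.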
diff --git a/apt-pkg/acquire-item.h b/apt-pkg/acquire-item.h
index 06537bf2c..384c5ee2b 100644
--- a/apt-pkg/acquire-item.h
+++ b/apt-pkg/acquire-item.h
@@ -706,6 +706,14 @@ class pkgAcqIndex : public pkgAcquire::Item
*/
std::string CompressionExtension;
+ /** \brief Get the full pathname of the final file for the given URI
+ */
+ std::string GetFinalFilename(std::string const &URI,
+ std::string const &compExt);
+
+ /** \brief Schedule file for verification after a IMS hit */
+ void ReverifyAfterIMS(std::string const &FileName);
+
public:
// Specialized action members
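Review bot: The two new doc comments leave out the parts a caller most needs to know. For GetFinalFilename, say that `.gz` is appended only when `Acquire::GzipIndexes` is set and `compExt` is `gz`, and add `\param` lines for both arguments. For ReverifyAfterIMS, say that the final index is renamed to `FileName` and a `copy:` job is queued to re-hash it, and fix the wording to `Schedule file for verification after an IMS hit`.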
diff --git a/apt-pkg/contrib/fileutl.h b/apt-pkg/contrib/fileutl.h
index cc1a98eae..667057067 100644
--- a/apt-pkg/contrib/fileutl.h
+++ b/apt-pkg/contrib/fileutl.h
@@ -85,7 +85,9 @@ class FileFd
bool Skip(unsigned long long To);
bool Truncate(unsigned long long To);
unsigned long long Tell();
+ // the size of the file content (compressed files will be uncompressed first)
unsigned long long Size();
+ // the size of the file itself
unsigned long long FileSize();
time_t ModificationTime();
diff --git a/apt-pkg/contrib/proxy.cc b/apt-pkg/contrib/proxy.cc
index b58db8478..0c753131d 100644
--- a/apt-pkg/contrib/proxy.cc
+++ b/apt-pkg/contrib/proxy.cc
@@ -26,6 +26,10 @@ bool AutoDetectProxy(URI &URL)
// we support both http/https debug options
bool Debug = _config->FindB("Debug::Acquire::"+URL.Access,false);
+ // the user already explicitly set a proxy for this host
+ if(_config->Find("Acquire::"+URL.Access+"::proxy::"+URL.Host, "") != "")
+ return true;
+
// option is "Acquire::http::Proxy-Auto-Detect" but we allow the old
// name without the dash ("-")
std::string AutoDetectProxyCmd = _config->Find("Acquire::"+URL.Access+"::Proxy-Auto-Detect",
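Review bot: The new early return consults only the per-host key `Acquire::<access>::proxy::<host>`, so a proxy configured for all hosts of that access type still goes through auto-detection. If that is intended, the comment should say so, e.g. `// a per-host proxy setting wins over auto-detection; a global proxy setting does not`. The return is also silent when `Debug` is set, which makes it hard to tell from a debug run why the detect command was skipped. AutoDetectProxy's body continues outside the hunk.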
diff --git a/debian/changelog b/debian/changelog
index 97290275e..f8c56cf3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+apt (1.0.8ubuntu3) utopic; urgency=low
+
+ * fix autopkgtest
+
+ -- Michael Vogt <michael.vogt@ubuntu.com> Tue, 16 Sep 2014 21:12:37 +0200
+
+apt (1.0.8ubuntu2) utopic; urgency=high
+
+ * SECURITY UPDATE:
+ - incorrect invalidating of unauthenticated data (CVE-2014-0488)
+ - incorect verification of 304 reply (CVE-2014-0487)
+ - incorrect verification of Acquire::Gzip indexes (CVE-2014-0489)
+
+ -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 15 Sep 2014 08:25:54 +0200
+
apt (1.0.8ubuntu1) utopic; urgency=low
* merged fixes from debian/sid
diff --git a/doc/po/de.po b/doc/po/de.po
index b2cff7770..b376bc9b7 100644
--- a/doc/po/de.po
+++ b/doc/po/de.po
@@ -5,10 +5,10 @@
#
msgid ""
msgstr ""
-"Project-Id-Version: apt-doc 1.0.4\n"
+"Project-Id-Version: apt-doc 1.0.8\n"
"Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
"POT-Creation-Date: 2014-08-28 00:20+0000\n"
-"PO-Revision-Date: 2014-07-04 00:34+0200\n"
+"PO-Revision-Date: 2014-09-14 14:46+0200\n"
"Last-Translator: Chris Leick <c.leick@vollbio.de>\n"
"Language-Team: German <debian-l10n-german@lists.debian.org>\n"
"Language: de\n"
@@ -750,12 +750,6 @@ msgstr ""
#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
#: apt.8.xml:101
-#, fuzzy
-#| msgid ""
-#| "<literal>upgrade</literal> is used to install the newest versions of all "
-#| "packages currently installed on the system from the sources enumerated in "
-#| "<filename>/etc/apt/sources.list</filename>. New package will be "
-#| "installed, but existing package will never removed."
msgid ""
"<literal>upgrade</literal> is used to install the newest versions of all "
"packages currently installed on the system from the sources enumerated in "
@@ -4591,17 +4585,6 @@ msgstr ""
#. type: Content of: <refentry><refsect1><para>
#: apt.conf.5.xml:601
-#, fuzzy
-#| msgid ""
-#| "<literal>Dir::Cache</literal> contains locations pertaining to local "
-#| "cache information, such as the two package caches <literal>srcpkgcache</"
-#| "literal> and <literal>pkgcache</literal> as well as the location to place "
-#| "downloaded archives, <literal>Dir::Cache::archives</literal>. Generation "
-#| "of caches can be turned off by setting their names to the empty string. "
-#| "This will slow down startup but save disk space. It is probably "
-#| "preferable to turn off the pkgcache rather than the srcpkgcache. Like "
-#| "<literal>Dir::State</literal> the default directory is contained in "
-#| "<literal>Dir::Cache</literal>"
msgid ""
"<literal>Dir::Cache</literal> contains locations pertaining to local cache "
"information, such as the two package caches <literal>srcpkgcache</literal> "
@@ -4618,8 +4601,9 @@ msgstr ""
"Paketzwischenspeicher <literal>srcpkgcache</literal> und <literal>pkgcache</"
"literal>, sowie den Ort, an den heruntergeladene Archive platziert werden, "
"<literal>Dir::Cache::archives</literal>. Die Generierung von "
-"Zwischenspeichern kann ausgeschaltet werden, indem ihre Namen auf leere "
-"Zeichenketten gesetzt werden. Dies wird den Start verlangsamen, aber "
+"Zwischenspeichern kann ausgeschaltet werden, indem "
+"<literal>pkgcache</literal> oder <literal>srcpkgcache</literal> auf "
+"<literal>\"\"</literal> wird. Dies wird den Start verlangsamen, aber "
"Plattenplatz sparen. Es ist vermutlich vorzuziehen, statt des »srcpkgcache«s "
"den »pkgcache« auszuschalten. Wie <literal>Dir::State</literal> ist das "
"Standardverzeichnis in <literal>Dir::Cache</literal> enthalten."
@@ -8549,7 +8533,7 @@ msgstr "jgg@debian.org"
#. type: Content of: <book><bookinfo><releaseinfo>
#: guide.dbk:21 offline.dbk:21
msgid "Version &apt-product-version;"
-msgstr ""
+msgstr "Version &apt-product-version;"
#. type: Content of: <book><bookinfo><abstract><para>
#: guide.dbk:25
@@ -8569,7 +8553,7 @@ msgstr ""
#. type: Content of: <book><bookinfo><legalnotice><title>
#: guide.dbk:32 offline.dbk:33
msgid "License Notice"
-msgstr ""
+msgstr "Lizenzhinweis"
#. type: Content of: <book><bookinfo><legalnotice><para>
#: guide.dbk:34 offline.dbk:35
@@ -10158,97 +10142,3 @@ msgstr " # apt-get -o dir::cache::archives=\"/Platte/\" dist-upgrade\n"
#: offline.dbk:242
msgid "Which will use the already fetched archives on the disc."
msgstr "Es wird die bereits auf die Platte heruntergeladenen Archive benutzen."
-
-#~ msgid "$Id: guide.sgml,v 1.7 2003/04/26 23:26:13 doogie Exp $"
-#~ msgstr "$Id: guide.sgml,v 1.7 2003/04/26 23:26:13 doogie Exp $"
-
-#~ msgid "<pubdate></pubdate>"
-#~ msgstr "<pubdate></pubdate>"
-
-#~ msgid "$Id: offline.sgml,v 1.8 2003/02/12 15:06:41 doogie Exp $"
-#~ msgstr "$Id: offline.sgml,v 1.8 12.02.2003 15:06:41 doogie Exp $"
-
-#~ msgid "<name>Jason Gunthorpe </name><email>jgg@debian.org</email>"
-#~ msgstr "<name>Jason Gunthorpe </name><email>jgg@debian.org</email>"
-
-#~ msgid "Copyright &copy; Jason Gunthorpe, 1998."
-#~ msgstr "Copyright &copy; Jason Gunthorpe, 1998."
-
-#~ msgid "Copyright &copy; Jason Gunthorpe, 1999."
-#~ msgstr "Copyright &copy; Jason Gunthorpe, 1999."
-
-#~ msgid "apt"
-#~ msgstr "apt"
-
-#~ msgid "16 June 1998"
-#~ msgstr "16. Juni 1998"
-
-#~ msgid "Debian"
-#~ msgstr "Debian"
-
-#~ msgid "NAME"
-#~ msgstr "NAME"
-
-#~ msgid "apt - Advanced Package Tool"
-#~ msgstr "apt - Fortschrittliches Paketwerkzeug (Advanced Package Tool)"
-
-#~ msgid "SYNOPSIS"
-#~ msgstr "ÜBERSICHT"
-
-#~ msgid "B<apt>"
-#~ msgstr "B<apt>"
-
-#~ msgid "DESCRIPTION"
-#~ msgstr "BESCHREIBUNG"
-
-#, fuzzy
-#~ msgid ""
-#~ "For normal day to day package management there are several frontends "
-#~ "available, such as B<aptitude>(8) for the command line or "
-#~ "B<synaptic>(8) for the X Window System. Some options are only "
-#~ "implemented in B<apt-get>(8) though."
-#~ msgstr ""
-#~ "APT ist ein Verwaltungssystem für Softwarepakete. Für normale alltägliche "
-#~ "Paketverwaltung sind mehrere Oberflächen, wie B<aptitude>(8) für die "
-#~ "Befehlszeile oder B<synaptic>(8) für das X-Window-System, verfügbar. "
-#~ "Einige Optionen sind jedoch nur in B<apt-get>(8) implementiert."
-
-#~ msgid "SEE ALSO"
-#~ msgstr "SIEHE AUCH"
-
-#, fuzzy
-#~ msgid ""
-#~ "B<apt>(8), B<apt-cache>(8), B<apt-get>(8), B<apt.conf>(5), B<sources."
-#~ "list>(5), B<apt_preferences>(5), B<apt-secure>(8)"
-#~ msgstr ""
-#~ "B<apt-cache>(8), B<apt-get>(8), B<apt.conf>(5), B<sources.list>(5), "
-#~ "B<apt_preferences>(5), B<apt-secure>(8)"
-
-#~ msgid "DIAGNOSTICS"
-#~ msgstr "DIAGNOSE"
-
-#~ msgid "apt returns zero on normal operation, decimal 100 on error."
-#~ msgstr ""
-#~ "APT gibt bei normalen Operationen 0 zurück, dezimal 100 bei Fehlern."
-
-#~ msgid "BUGS"
-#~ msgstr "FEHLER"
-
-#~ msgid "This manpage isn't even started."
-#~ msgstr "Diese Handbuchseite wurde noch nicht mal begonnen."
-
-#~ msgid ""
-#~ "See E<lt>http://bugs.debian.org/aptE<gt>. If you wish to report a bug in "
-#~ "B<apt>, please see I</usr/share/doc/debian/bug-reporting.txt> or the "
-#~ "B<reportbug>(1) command."
-#~ msgstr ""
-#~ "siehe auch E<lt>http://bugs.debian.org/aptE<gt>. Wenn Sie einen Fehler in "
-#~ "B<apt> berichten möchten, sehen Sie sich bitte I</usr/share/doc/debian/"
-#~ "bug-reporting.txt> oder den Befehl B<reportbug>(1) an."
-
-#~ msgid "AUTHOR"
-#~ msgstr "AUTOR"
-
-#~ msgid "apt was written by the APT team E<lt>apt@packages.debian.orgE<gt>."
-#~ msgstr ""
-#~ "APT wurde vom APT-Team E<lt>apt@packages.debian.orgE<gt> geschrieben."
diff --git a/methods/copy.cc b/methods/copy.cc
index d59f032ff..5570f31c8 100644
--- a/methods/copy.cc
+++ b/methods/copy.cc
@@ -16,6 +16,7 @@
#include <apt-pkg/acquire-method.h>
#include <apt-pkg/error.h>
#include <apt-pkg/hashes.h>
+#include <apt-pkg/configuration.h>
#include <string>
#include <sys/stat.h>
@@ -27,12 +28,28 @@
class CopyMethod : public pkgAcqMethod
{
virtual bool Fetch(FetchItem *Itm);
+ void CalculateHashes(FetchResult &Res);
public:
- CopyMethod() : pkgAcqMethod("1.0",SingleInstance) {};
+ CopyMethod() : pkgAcqMethod("1.0",SingleInstance | SendConfig) {};
};
+void CopyMethod::CalculateHashes(FetchResult &Res)
+{
+ // For gzip indexes we need to look inside the gzip for the hash
+ // We can not use the extension here as its not used in partial
+ // on a IMS hit
+ FileFd::OpenMode OpenMode = FileFd::ReadOnly;
+ if (_config->FindB("Acquire::GzipIndexes", false) == true)
+ OpenMode = FileFd::ReadOnlyGzip;
+
+ Hashes Hash;
+ FileFd Fd(Res.Filename, OpenMode);
+ Hash.AddFD(Fd);
+ Res.TakeHashes(Hash);
+}
+
// CopyMethod::Fetch - Fetch a file /*{{{*/
// ---------------------------------------------------------------------
/* */
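Review bot: CalculateHashes picks `FileFd::ReadOnlyGzip` from the global `Acquire::GzipIndexes` setting alone, so with that option on, every file passed through `copy:` is hashed through the gzip reader, not only index files. Whether that is safe for other users of the copy method depends on how the gzip mode treats input that is not gzip, or is meant to be hashed in compressed form. That behaviour is not visible here and deserves a sentence in the comment. Separately, neither the open of `Res.Filename` nor `Hash.AddFD(Fd)` is checked before `Res.TakeHashes(Hash)`. Returning bool and adding `if (Fd.IsOpen() == false || Hash.AddFD(Fd) == false) return false;` would keep hashes of an unread file from being reported.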
@@ -54,6 +71,14 @@ bool CopyMethod::Fetch(FetchItem *Itm)
Res.IMSHit = false;
URIStart(Res);
+ // just calc the hashes if the source and destination are identical
+ if (File == Itm->DestFile)
+ {
+ CalculateHashes(Res);
+ URIDone(Res);
+ return true;
+ }
+
// See if the file exists
FileFd From(File,FileFd::ReadOnly);
FileFd To(Itm->DestFile,FileFd::WriteAtomic);
@@ -82,10 +107,7 @@ bool CopyMethod::Fetch(FetchItem *Itm)
if (utimes(Res.Filename.c_str(), times) != 0)
return _error->Errno("utimes",_("Failed to set modification time"));
- Hashes Hash;
- FileFd Fd(Res.Filename, FileFd::ReadOnly);
- Hash.AddFD(Fd);
- Res.TakeHashes(Hash);
+ CalculateHashes(Res);
URIDone(Res);
return true;
diff --git a/po/tr.po b/po/tr.po
index aced1a532..a3cd7077f 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -9,7 +9,7 @@ msgstr ""
"Project-Id-Version: apt\n"
"Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
"POT-Creation-Date: 2014-09-09 20:35+0200\n"
-"PO-Revision-Date: 2014-08-01 02:29+0200\n"
+"PO-Revision-Date: 2014-09-11 02:47+0200\n"
"Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
"Language-Team: Debian l10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
"Language: tr\n"
@@ -635,7 +635,7 @@ msgstr ""
#: cmdline/apt-helper.cc:36
msgid "Need one URL as argument"
-msgstr ""
+msgstr "Argüman olarak bir adet URL'ye ihtiyaç vardır"
#: cmdline/apt-helper.cc:49
msgid "Must specify at least one pair url/filename"
@@ -646,7 +646,6 @@ msgid "Download Failed"
msgstr "İndirme Başarısız"
#: cmdline/apt-helper.cc:80
-#, fuzzy
msgid ""
"Usage: apt-helper [options] command\n"
" apt-helper [options] download-file uri target-path\n"
@@ -666,8 +665,9 @@ msgstr ""
"\n"
"Komutlar:\n"
" download-file - verilen adresi hedef yola kaydet\n"
+" auto-detect-proxy - apt.conf kullanarak vekil sunucuyu algıla\n"
"\n"
-" Bu APT yardımcısının Süper Meep Güçleri var.\n"
+" Bu APT yardımcısının Süper Meep Güçleri var.\n"
#: cmdline/apt-mark.cc:68
#, c-format
@@ -1563,10 +1563,10 @@ msgid ""
" Keep also in mind that locking is deactivated,\n"
" so don't depend on the relevance to the real current situation!"
msgstr ""
-"NOT: Bu sadece simülasyondur!\n"
-" apt-get sadece root hakları ile gerçekten kullanılabilir.\n"
-" Unutmayın ki simülasyonda kilitleme yapılmaz,\n"
-" bu nedenle bu simülasyonun tam uygunluğuna güvenmeyin."
+"NOT: Bu yalnızca bir benzetimdir!\n"
+" apt-get'i gerçekten çalıştırmak için root haklarına ihtiyaç vardır.\n"
+" Unutmayın ki benzetim kipinde kilitleme yapılmaz, bu nedenle\n"
+" bu benzetimin gerçekteki durumla birebir aynı olacağına güvenmeyin."
#: apt-private/private-output.cc:103 apt-private/private-show.cc:84
#: apt-private/private-show.cc:89
diff --git a/prepare-release b/prepare-release
index 1b8f1e49e..e61266eef 100755
--- a/prepare-release
+++ b/prepare-release
@@ -123,16 +123,63 @@ elif [ "$1" = 'buildlog' ]; then
elif [ "$1" = 'travis-ci' ]; then
apt-get install -q --no-install-recommends $(sed -n -e '/^Build-Depends: /,/^Build-Depends-Indep: / {p}' debian/control | sed -e 's#([^)]*)##g' -e 's#^Build-Depends\(-Indep\)\?: ##' | tr -d ',')
apt-get install -q --no-install-recommends $(sed -n 's#^Depends: .*@, \(.*\)$#\1#p' debian/tests/control | tr -d ',')
+elif [ "$1" = 'coverage' ]; then
+ DIR="${2:-./coverage}"
+ git clean -dfX # remove ignored build artefacts for a clean start
+ make CFLAGS+='--coverage' CXXFLAGS+='--coverage'
+ LCOVRC='--rc geninfo_checksum=1 --rc lcov_branch_coverage=1'
+ mkdir "$DIR"
+ lcov --no-external --directory . --capture --initial --output-file "${DIR}/apt.coverage.init" ${LCOVRC}
+ make test
+ ./test/integration/run-tests -q
+ lcov --no-external --directory . --capture --output-file "${DIR}/apt.coverage.run" ${LCOVRC}
+ lcov -a "${DIR}/apt.coverage.init" -a "${DIR}/apt.coverage.run" -o "${DIR}/apt.coverage.total" ${LCOVRC}
+ cp "${DIR}/apt.coverage.total" "${DIR}/apt.coverage.fixed"
+ rewritefile() {
+ file="$1"
+ shift
+ name="$(basename "$file")"
+ while [ -n "$1" ]; do
+ if [ -r "$1/$name" ]; then
+ sed -i "s#$file#$1/$name#" "${DIR}/apt.coverage.fixed"
+ break
+ fi
+ shift
+ done
+ if [ -z "$1" ]; then
+ echo >&2 "Coverage data captured for unknown file $file"
+ fi
+ }
+ grep 'build/include/' "${DIR}/apt.coverage.fixed" | sed "s#^SF:$(pwd)/##" | while read file; do
+ rewritefile "$file" 'apt-pkg' 'apt-pkg/deb' 'apt-pkg/edsp' 'apt-pkg/contrib' \
+ 'apt-inst' 'apt-inst/deb' 'apt-inst/contrib' 'apt-private'
+ done
+ genhtml --output-directory "${DIR}" "${DIR}/apt.coverage.fixed" ${LCOVRC}
else
echo >&1 "Usage:\t$0 pre-export
\t$0 post-build
-\t$0 library
-If you use »git buildpackage« you can leave this script alone as it will
+If you use »git buildpackage« you can leave these alone as they will
be run at the right places auto-magically. Otherwise you should use
»pre-export« to update po and pot files as well as version numbering.
»post-build« can be used to run some more or less useful checks later on.
-»library« isn't run automatically but can be useful for maintaining the
-(more or less experimental) symbols files we provide"
+\t$0 library
+\t$0 buildlog filename…
+
+»library« and »buildlog« aren't run automatically but can be useful for
+maintaining the (more or less experimental) symbols files we provide.
+»library« displays the diff between advertised symbols and the once provided
+by the libraries, while »buildlog« extracts this diff from the buildlogs.
+Both will format the diff properly.
+
+\t$0 travis-ci
+\t$0 coverage [output-dir]
+
+»travis-ci« is a shortcut to install all build- as well as test-dependencies
+used by .travis.yml.
+»coverage« does a clean build with the right flags for coverage reporting,
+runs all tests and generates a html report in the end.
+"
+
fi
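Review bot: In the new `coverage` branch, `mkdir "$DIR"` fails when the output directory already exists, and nothing visible in this branch stops the script afterwards, so a second run would carry on with stale files. Use `mkdir -p "$DIR"`. The loop `while read file` should be `while read -r file`, and `sed -i "s#$file#$1/$name#"` treats the path as a regular expression, so a `.` in a file name matches any character. Since `git clean -dfX` deletes every ignored file in the tree, the usage text for `coverage` should say so. The if/elif chain starts outside the hunk.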
diff --git a/test/integration/test-apt-update-stale b/test/integration/test-apt-update-stale
new file mode 100755
index 000000000..780ff79af
--- /dev/null
+++ b/test/integration/test-apt-update-stale
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# Ensure that a MITM can not stale the Packages/Sources without
+# raising a error message. Note that the Release file is protected
+# via the "Valid-Until" header
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+
+setupaptarchive
+changetowebserver
+aptget update -qq
+
+# insert new version
+mkdir aptarchive/dists/unstable/main/binary-i386/saved
+cp -p aptarchive/dists/unstable/main/binary-i386/Packages* \
+ aptarchive/dists/unstable/main/binary-i386/saved
+insertpackage 'unstable' 'foo' 'all' '2.0'
+
+# not using compressfile for compat with older apt releases
+gzip -c aptarchive/dists/unstable/main/binary-i386/Packages > \
+ aptarchive/dists/unstable/main/binary-i386/Packages.gz
+generatereleasefiles
+signreleasefiles
+
+# ensure that we do not get a I-M-S hit for the Release file
+touch -d "+1hour" aptarchive/dists/unstable/*Release*
+
+# but now only deliver the previous Packages file instead of the new one
+# (simulating a stale attack)
+cp -p aptarchive/dists/unstable/main/binary-i386/saved/Packages* \
+ aptarchive/dists/unstable/main/binary-i386/
+
+# ensure this raises a error
+testequal "W: Failed to fetch http://localhost:8080/dists/unstable/main/binary-i386/Packages Hash Sum mismatch
+
+E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
+
+
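Review bot: This test runs only with the default configuration, whereas test-apt-update-unauth and test-hashsum-verification in the same commit loop over `Acquire::GzipIndexes` set to false and true. Since the commit changes how stored gzip indexes are verified, wrap the body in the same `for COMPRESSEDINDEXES in 'false' 'true'; do` loop, so that a stale Packages file is also shown to be rejected on that path. The expected message may need adjusting for the compressed case. The header comment could also note that `touch -d "+1hour"` is what prevents the IMS hit on the Release file.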
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
new file mode 100755
index 000000000..13487603c
--- /dev/null
+++ b/test/integration/test-apt-update-unauth
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Ensure that when going from unauthenticated to authenticated all
+# files are checked again
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+insertpackage 'unstable' 'foo' 'all' '1.0'
+insertsource 'unstable' 'foo' 'all' '1.0'
+
+setupaptarchive
+changetowebserver
+
+runtest() {
+ # start unauthenticated
+ find rootdir/var/lib/apt/lists/ -type f | xargs rm -f
+ rm -f aptarchive/dists/unstable/*Release*
+ aptget update -qq
+
+ # become authenticated
+ generatereleasefiles
+ signreleasefiles
+
+ # and ensure we do download the data again
+ msgtest "Check that the data is check when going to authenticated"
+ if aptget update |grep -q Hit; then
+ msgfail
+ else
+ msgpass
+ fi
+}
+
+for COMPRESSEDINDEXES in 'false' 'true'; do
+ echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes
+ if $COMPRESSEDINDEXES; then
+ msgmsg 'Run tests with GzipIndexes enabled'
+ else
+ msgmsg 'Run tests with GzipIndexes disabled'
+ fi
+
+ runtest
+done
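Review bot: In runtest, `if aptget update |grep -q Hit` passes whenever the output contains no "Hit" line, which includes the case where the second update fails outright or prints nothing. The test can therefore pass without the indexes having been downloaded and checked again. Capture the output once and also require evidence of a re-download, for example that the index lines are reported as fetched and that the update exited successfully. The message has a typo and should read `msgtest "Check that the data is checked when going to authenticated"`.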
diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification
index e77efb46e..2a400dcb4 100755
--- a/test/integration/test-hashsum-verification
+++ b/test/integration/test-hashsum-verification
@@ -64,7 +64,7 @@ runtest() {
msgtest 'No package from the source available'
[ "$(aptcache show apt 2>&1)" = "E: No packages found" ] && msgpass || msgfail
msgtest 'No Packages file in /var/lib/apt/lists'
- [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null)" = "" ] && msgpass || msgfail
+ [ "$(ls rootdir/var/lib/apt/lists/*Package* 2>/dev/null | grep -v FAILED 2>/dev/null)" = "" ] && msgpass || msgfail
# now with the unsigned Release file
rm -rf rootdir/var/lib/apt/lists
@@ -75,5 +75,13 @@ runtest() {
}
-runtest
-
+for COMPRESSEDINDEXES in 'false' 'true'; do
+ echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes
+ if $COMPRESSEDINDEXES; then
+ msgmsg 'Run tests with GzipIndexes enabled'
+ else
+ msgmsg 'Run tests with GzipIndexes disabled'
+ fi
+
+ runtest
+done