summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--apt-pkg/deb/debmetaindex.cc39
-rw-r--r--apt-pkg/deb/debmetaindex.h3
-rw-r--r--apt-pkg/metaindex.h4
-rw-r--r--debian/changelog5
-rw-r--r--doc/sources.list.5.xml9
-rwxr-xr-xtest/integration/test-bug-596498-trusted-unsigned-repo47
6 files changed, 97 insertions, 10 deletions
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index a91cc34e9..81afb22b6 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -142,11 +142,13 @@ string debReleaseIndex::TranslationIndexURI(const char *Type, const string &Sect
return URI + "dists/" + Dist + "/" + TranslationIndexURISuffix(Type, Section);
}
-debReleaseIndex::debReleaseIndex(string const &URI, string const &Dist) {
- this->URI = URI;
- this->Dist = Dist;
- this->Indexes = NULL;
- this->Type = "deb";
+debReleaseIndex::debReleaseIndex(string const &URI, string const &Dist) :
+ metaIndex(URI, Dist, "deb"), Trusted(CHECK_TRUST)
+{}
+
+debReleaseIndex::debReleaseIndex(string const &URI, string const &Dist, bool const Trusted) :
+ metaIndex(URI, Dist, "deb") {
+ SetTrusted(Trusted);
}
debReleaseIndex::~debReleaseIndex() {
@@ -252,8 +254,22 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const
return true;
}
+void debReleaseIndex::SetTrusted(bool const Trusted)
+{
+ if (Trusted == true)
+ this->Trusted = ALWAYS_TRUSTED;
+ else
+ this->Trusted = NEVER_TRUSTED;
+}
+
bool debReleaseIndex::IsTrusted() const
{
+ if (Trusted == ALWAYS_TRUSTED)
+ return true;
+ else if (Trusted == NEVER_TRUSTED)
+ return false;
+
+
if(_config->FindB("APT::Authentication::TrustCDROM", false))
if(URI.substr(0,strlen("cdrom:")) == "cdrom:")
return true;
@@ -349,6 +365,7 @@ class debSLTypeDebian : public pkgSourceList::Type
vector<string> const Archs =
(arch != Options.end()) ? VectorizeString(arch->second, ',') :
APT::Configuration::getArchitectures();
+ map<string, string>::const_iterator const trusted = Options.find("trusted");
for (vector<metaIndex *>::const_iterator I = List.begin();
I != List.end(); I++)
@@ -358,6 +375,9 @@ class debSLTypeDebian : public pkgSourceList::Type
continue;
debReleaseIndex *Deb = (debReleaseIndex *) (*I);
+ if (trusted != Options.end())
+ Deb->SetTrusted(StringToBool(trusted->second, false));
+
/* This check insures that there will be only one Release file
queued for all the Packages files and Sources files it
corresponds to. */
@@ -375,9 +395,14 @@ class debSLTypeDebian : public pkgSourceList::Type
return true;
}
}
+
// No currently created Release file indexes this entry, so we create a new one.
- // XXX determine whether this release is trusted or not
- debReleaseIndex *Deb = new debReleaseIndex(URI, Dist);
+ debReleaseIndex *Deb;
+ if (trusted != Options.end())
+ Deb = new debReleaseIndex(URI, Dist, StringToBool(trusted->second, false));
+ else
+ Deb = new debReleaseIndex(URI, Dist);
+
if (IsSrc == true)
Deb->PushSectionEntry ("source", new debReleaseIndex::debSectionEntry(Section, IsSrc));
else
diff --git a/apt-pkg/deb/debmetaindex.h b/apt-pkg/deb/debmetaindex.h
index 0aaf7f14a..695cfa7cc 100644
--- a/apt-pkg/deb/debmetaindex.h
+++ b/apt-pkg/deb/debmetaindex.h
@@ -22,10 +22,12 @@ class debReleaseIndex : public metaIndex {
/** \brief dpointer placeholder (for later in case we need it) */
void *d;
std::map<string, vector<debSectionEntry const*> > ArchEntries;
+ enum { ALWAYS_TRUSTED, NEVER_TRUSTED, CHECK_TRUST } Trusted;
public:
debReleaseIndex(string const &URI, string const &Dist);
+ debReleaseIndex(string const &URI, string const &Dist, bool const Trusted);
virtual ~debReleaseIndex();
virtual string ArchiveURI(string const &File) const {return URI + File;};
@@ -43,6 +45,7 @@ class debReleaseIndex : public metaIndex {
string TranslationIndexURISuffix(const char *Type, const string &Section) const;
virtual vector <pkgIndexFile *> *GetIndexFiles();
+ void SetTrusted(bool const Trusted);
virtual bool IsTrusted() const;
void PushSectionEntry(vector<string> const &Archs, const debSectionEntry *Entry);
diff --git a/apt-pkg/metaindex.h b/apt-pkg/metaindex.h
index 1d2140799..f60235a5d 100644
--- a/apt-pkg/metaindex.h
+++ b/apt-pkg/metaindex.h
@@ -39,6 +39,10 @@ class metaIndex
virtual vector<pkgIndexFile *> *GetIndexFiles() = 0;
virtual bool IsTrusted() const = 0;
+ metaIndex(string const &URI, string const &Dist, char const * const Type) :
+ Indexes(NULL), Type(Type), URI(URI), Dist(Dist) {
+ }
+
virtual ~metaIndex() {
if (Indexes == 0)
return;
diff --git a/debian/changelog b/debian/changelog
index 5686e02fa..d226d91c4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,13 +11,16 @@ apt (0.8.16~exp3) UNRELEASEDexperimental; urgency=low
- generate all checksums in one run over the file for Release
* cmdline/apt-get.cc:
- add an --assume-no option for testing to say 'no' to everything
+ * apt-pkg/deb/debmetaindex.cc:
+ - add trusted=yes option to mark unsigned (local) repository as trusted
+ based on a patch from Ansgar Burchardt, thanks a lot! (Closes: #596498)
[ Michael Vogt ]
* merge fixes from the debian/unstable upload
* merge lp:~mvo/apt/sha512-template to get fixes for the
sha1/md5 verifiation (closes: #632520)
- -- David Kalnischkies <kalnischkies@gmail.com> Thu, 14 Jul 2011 12:01:53 +0200
+ -- David Kalnischkies <kalnischkies@gmail.com> Thu, 14 Jul 2011 20:56:45 +0200
apt (0.8.16~exp2) experimental; urgency=low
diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml
index fab125b4e..bf8356348 100644
--- a/doc/sources.list.5.xml
+++ b/doc/sources.list.5.xml
@@ -117,8 +117,13 @@
<itemizedlist><listitem><para><literal>arch=<replaceable>arch1</replaceable>,<replaceable>arch2</replaceable>,…</literal>
can be used to specify for which architectures packages information should
be downloaded. If this option is not set all architectures defined by the
- <literal>APT::Architectures</literal> option will be downloaded.</para>
- </listitem></itemizedlist></para>
+ <literal>APT::Architectures</literal> option will be downloaded.</para></listitem>
+ <listitem><para><literal>trusted=yes</literal> can be set to indicate that packages
+ from this source are always authenificated even if the <filename>Release</filename> file
+ is not signed or the signature can't be checked. This disables parts of &apt-secure;
+ and should therefore only be used in a local and trusted context. <literal>trusted=no</literal>
+ is the opposite which handles even correctly authenificated sources as not authenificated.</para></listitem>
+ </itemizedlist></para>
<para>It is important to list sources in order of preference, with the most
preferred source listed first. Typically this will result in sorting
diff --git a/test/integration/test-bug-596498-trusted-unsigned-repo b/test/integration/test-bug-596498-trusted-unsigned-repo
new file mode 100755
index 000000000..6ebc4a3bb
--- /dev/null
+++ b/test/integration/test-bug-596498-trusted-unsigned-repo
@@ -0,0 +1,47 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+setupenvironment
+configarchitecture 'i386'
+
+buildsimplenativepackage 'cool' 'i386' '1.0' 'unstable'
+
+setupaptarchive
+
+aptgetupdate() {
+ rm -rf rootdir/var/lib/apt/ rootdir/var/cache/apt/*.bin
+ aptget update -qq
+}
+
+PKGTEXT="$(aptget install cool --assume-no -d | head -n 7)"
+DEBFILE='rootdir/etc/apt/sources.list.d/apt-test-unstable-deb.list'
+
+testequal "$PKGTEXT
+Download complete and in download only mode" aptget install cool --assume-no -d
+
+sed -i -e 's#deb#deb [trusted=no]#' $DEBFILE
+aptgetupdate
+
+testequal "$PKGTEXT
+WARNING: The following packages cannot be authenticated!
+ cool
+Install these packages without verification [y/N]? N
+E: Some packages could not be authenticated" aptget install cool --assume-no -d
+
+find aptarchive/ \( -name 'Release.gpg' -o -name 'InRelease' \) -delete
+sed -i -e 's#deb \[trusted=no\]#deb#' $DEBFILE
+aptgetupdate
+
+testequal "$PKGTEXT
+WARNING: The following packages cannot be authenticated!
+ cool
+Install these packages without verification [y/N]? N
+E: Some packages could not be authenticated" aptget install cool --assume-no -d
+
+sed -i -e 's#deb#deb [trusted=yes]#' $DEBFILE
+aptgetupdate
+
+testequal "$PKGTEXT
+Download complete and in download only mode" aptget install cool --assume-no -d