-rw-r--r-- | apt-pkg/acquire-item.cc | 49 | ||||
-rw-r--r-- | apt-pkg/acquire.cc | 2 | ||||
-rw-r--r-- | apt-pkg/contrib/configuration.cc | 9 | ||||
-rw-r--r-- | apt-pkg/contrib/fileutl.cc | 2 | ||||
-rw-r--r-- | apt-pkg/contrib/netrc.cc | 22 | ||||
-rw-r--r-- | apt-pkg/contrib/strutl.cc | 48 | ||||
-rw-r--r-- | apt-pkg/contrib/strutl.h | 2 | ||||
-rw-r--r-- | apt-pkg/install-progress.cc | 2 | ||||
-rw-r--r-- | debian/NEWS | 10 | ||||
-rw-r--r-- | doc/apt_auth.conf.5.xml | 14 | ||||
-rw-r--r-- | doc/po/de.po | 119 | ||||
-rw-r--r-- | methods/gpgv.cc | 20 | ||||
-rwxr-xr-x | test/integration/skip-bug-601016-description-translation | 13 | ||||
-rwxr-xr-x | test/integration/test-apt-update-repeated-ims-hit | 75 | ||||
-rwxr-xr-x | test/integration/test-authentication-basic | 42 |
15 files changed, 310 insertions, 119 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 58bd6475e..92931d1d7 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -2025,7 +2025,6 @@ void pkgAcqMetaClearSig::Failed(string const &Message,pkgAcquire::MethodConfig c * they would be considered as trusted later on */ string const FinalRelease = GetFinalFileNameFromURI(DetachedDataTarget.URI); string const PartialRelease = GetPartialFileNameFromURI(DetachedDataTarget.URI); - string const FinalReleasegpg = GetFinalFileNameFromURI(DetachedSigTarget.URI); string const FinalInRelease = GetFinalFilename(); Rename(DestFile, PartialRelease); TransactionManager->TransactionStageCopy(this, PartialRelease, FinalRelease); @@ -2225,6 +2224,11 @@ void pkgAcqMetaSig::Failed(string const &Message,pkgAcquire::MethodConfig const return; // ensures that a Release.gpg file in the lists/ is removed by the transaction + if (not MetaIndexFileSignature.empty()) + { + DestFile = MetaIndexFileSignature; + MetaIndexFileSignature.clear(); + } TransactionManager->TransactionStageRemoval(this, DestFile); // only allow going further if the user explicitly wants it 
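Review bot: The block added to pkgAcqMetaSig::Failed overwrites DestFile with MetaIndexFileSignature and then clears the member, but nothing in the hunk says where that member is set or why it is consumed only once. Because the TransactionStageRemoval call right below decides which signature file in lists/ is deleted, a comment is warranted here, for example `// a recorded signature path takes precedence over DestFile; cleared so it is used only once`, with the wording confirmed against the code that sets the member. The function body starts and ends outside the hunk.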
@@ -2586,14 +2590,18 @@ bool pkgAcqDiffIndex::ParseDiffIndex(string const &IndexDiffFile) /*{{{*/ return false; } - for (auto const &patch: available_patches) - if (patch.result_hashes.usable() == false || - patch.patch_hashes.usable() == false || - patch.download_hashes.usable() == false) + { + auto const patch = std::find_if(available_patches.cbegin(), available_patches.cend(), [](auto const &patch) { + return not patch.result_hashes.usable() || + not patch.patch_hashes.usable() || + not patch.download_hashes.usable(); + }); + if (patch != available_patches.cend()) { - strprintf(ErrorText, "Provides no usable hashes for %s", patch.file.c_str()); + strprintf(ErrorText, "Provides no usable hashes for %s", patch->file.c_str()); return false; } + } // patching with too many files is rather slow compared to a fast download unsigned long const fileLimit = _config->FindI("Acquire::PDiffs::FileLimit", 0); 
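Review bot: In ParseDiffIndex the lambda parameter `patch` has the same name as the iterator `auto const patch` that the find_if call initialises, so `patch.result_hashes` inside the lambda and `patch->file` a few lines later refer to different objects. Renaming one of them keeps the usable-hash check easy to audit, for example `auto const unusable = std::find_if(...)` followed by `unusable->file.c_str()` in the error message. The function body starts and ends outside the hunk.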
@@ -2655,13 +2663,15 @@ bool pkgAcqDiffIndex::ParseDiffIndex(string const &IndexDiffFile) /*{{{*/ return false; std::string const PartialFile = GetPartialFileNameFromURI(Target.URI); std::string const PatchedFile = GetKeepCompressedFileName(PartialFile + "-patched", Target); - if (RemoveFileForBootstrapLinking(ErrorText, CurrentPackagesFile, PartialFile) == false || - RemoveFileForBootstrapLinking(ErrorText, CurrentPackagesFile, PatchedFile) == false) + if (not RemoveFileForBootstrapLinking(ErrorText, CurrentPackagesFile, PartialFile) || + not RemoveFileForBootstrapLinking(ErrorText, CurrentPackagesFile, PatchedFile)) return false; - for (auto const &ext : APT::Configuration::getCompressorExtensions()) { - if (RemoveFileForBootstrapLinking(ErrorText, CurrentPackagesFile, PartialFile + ext) == false || - RemoveFileForBootstrapLinking(ErrorText, CurrentPackagesFile, PatchedFile + ext) == false) + auto const exts = APT::Configuration::getCompressorExtensions(); + if (not std::all_of(exts.cbegin(), exts.cend(), [&](auto const &ext) { + return RemoveFileForBootstrapLinking(ErrorText, CurrentPackagesFile, PartialFile + ext) && + RemoveFileForBootstrapLinking(ErrorText, CurrentPackagesFile, PatchedFile + ext); + })) return false; } std::string const Ext = Final.substr(CurrentPackagesFile.length()); 
@@ -3260,19 +3270,14 @@ void pkgAcqIndex::StageDownloadDone(string const &Message) // we need to verify the file against the current Release file again // on if-modfied-since hit to avoid a stale attack against us - if(StringToBool(LookupTag(Message,"IMS-Hit"),false) == true) + if (StringToBool(LookupTag(Message, "IMS-Hit"), false)) { - // copy FinalFile into partial/ so that we check the hash again - string const FinalFile = GetExistingFilename(GetFinalFileNameFromURI(Target.URI)); - if (symlink(FinalFile.c_str(), DestFile.c_str()) != 0) - _error->WarningE("pkgAcqIndex::StageDownloadDone", "Symlinking final file %s back to %s failed", FinalFile.c_str(), DestFile.c_str()); - else - { - EraseFileName = DestFile; - Filename = DestFile; - } + Filename = GetExistingFilename(GetFinalFileNameFromURI(Target.URI)); + EraseFileName = DestFile = flCombine(flNotFile(DestFile), flNotDir(Filename)); + if (symlink(Filename.c_str(), DestFile.c_str()) != 0) + _error->WarningE("pkgAcqIndex::StageDownloadDone", "Symlinking file %s to %s failed", Filename.c_str(), DestFile.c_str()); Stage = STAGE_DECOMPRESS_AND_VERIFY; - Desc.URI = "store:" + Filename; + Desc.URI = "store:" + DestFile; QueueURI(Desc); SetActiveSubprocess(::URI(Desc.URI).Access); return; diff --git a/apt-pkg/acquire.cc b/apt-pkg/acquire.cc index 776c82b3b..dd7dedb03 100644 --- a/apt-pkg/acquire.cc +++ b/apt-pkg/acquire.cc @@ -1378,8 +1378,6 @@ bool pkgAcquireStatus::Pulse(pkgAcquire *Owner) int fd = _config->FindI("APT::Status-Fd",-1); if(fd > 0) { - ostringstream status; - unsigned long long ETA = 0; if(CurrentCPS > 0 && TotalBytes > CurrentBytes) ETA = (TotalBytes - CurrentBytes) / CurrentCPS; diff --git a/apt-pkg/contrib/configuration.cc b/apt-pkg/contrib/configuration.cc index 997ef7423..931df9f6c 100644 --- a/apt-pkg/contrib/configuration.cc +++ b/apt-pkg/contrib/configuration.cc 
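Review bot: In the IMS-Hit branch of StageDownloadDone a failed symlink() now only produces a warning, yet the code has already set `EraseFileName = DestFile` and goes on to queue `"store:" + DestFile`. The removed version changed Filename and EraseFileName only when the symlink succeeded; with the new order, a failure (for instance because something already exists at that path) means the re-verification described in the comment runs against whatever is at DestFile, and that path is later treated as ours to erase. I would either fail the item when symlink() fails or make sure the target path is free before linking, and also check that GetExistingFilename() actually returned a file, which presumably is not guaranteed and should be confirmed. The function continues outside the hunk.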
@@ -32,6 +32,7 @@ #include <algorithm> #include <fstream> #include <iterator> +#include <numeric> #include <sstream> #include <stack> #include <string> @@ -1149,10 +1150,10 @@ bool ReadConfigFile(Configuration &Conf,const string &FName,bool const &AsSectio bool ReadConfigDir(Configuration &Conf,const string &Dir, bool const &AsSectional, unsigned const &Depth) { - bool good = true; - for (auto const &I : GetListOfFilesInDir(Dir, "conf", true, true)) - good = ReadConfigFile(Conf, I, AsSectional, Depth) && good; - return good; + auto const files = GetListOfFilesInDir(Dir, "conf", true, true); + return std::accumulate(files.cbegin(), files.cend(), true, [&](bool good, auto const &file) { + return ReadConfigFile(Conf, file, AsSectional, Depth) && good; + }); } /*}}}*/ // MatchAgainstConfig Constructor /*{{{*/ diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index 336f979d6..b83a4bad7 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -1781,7 +1781,7 @@ class APT_HIDDEN ZstdFileFdPrivate : public FileFdPrivate #ifdef HAVE_ZSTD ZSTD_DStream *dctx; ZSTD_CStream *cctx; - size_t res; + size_t res = 0; FileFd backend; simple_buffer zstd_buffer; // Count of bytes that the decompressor expects to read next, or buffer size. diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc index ee1996f8d..2069a0394 100644 --- a/apt-pkg/contrib/netrc.cc +++ b/apt-pkg/contrib/netrc.cc 
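Review bot: ReadConfigDir now depends on the operand order inside the std::accumulate lambda, `ReadConfigFile(Conf, file, AsSectional, Depth) && good`, to keep parsing the remaining files after one of them has failed. That matches the removed loop, but swapping the operands would silently skip every file after the first error, so a comment such as `// ReadConfigFile first: every file is still read after an earlier failure` is worth adding above the return.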
@@ -72,6 +72,26 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri) active_token = MACHINE; break; case MACHINE: + // If token contains a protocol: Check it first, and strip it away if + // it matches. If it does not match, ignore this stanza. + // If there is no protocol, only allow https protocols. + if (token.find("://") != std::string::npos) + { + if (not APT::String::Startswith(token, Uri.Access + "://")) + { + active_token = NO; + break; + } + token.erase(0, Uri.Access.length() + 3); + } + else if (Uri.Access != "https" && Uri.Access != "tor+https") + { + if (Debug) + std::clog << "MaybeAddAuth: Rejecting matching host adding '" << Uri.User << "' and '" << Uri.Password << "' for " + << (std::string)Uri << " from " << NetRCFile.Name() << "as the protocol is not https" << std::endl; + active_token = NO; + break; + } if (token.find('/') == std::string::npos) { if (Uri.Port != 0 && Uri.Host == token) @@ -168,7 +188,7 @@ bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector<std::unique_ptr } // FIXME: Use the full base url - URI uri(std::string("http://") + I.Site() + "/"); + URI uri(std::string("https://") + I.Site() + "/"); for (auto &authconf : authconfs) { if (not authconf->IsOpen()) diff --git a/apt-pkg/contrib/strutl.cc b/apt-pkg/contrib/strutl.cc index 860e3fe47..70befdc48 100644 --- a/apt-pkg/contrib/strutl.cc +++ b/apt-pkg/contrib/strutl.cc @@ -40,6 +40,7 @@ #include <string.h> #include <time.h> #include <unistd.h> +#include <wchar.h> #include <apti18n.h> /*}}}*/ 
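Review bot: The debug message added in the MACHINE case writes `Uri.Password` (and the full `(std::string)Uri`) to std::clog, so running with Debug set puts whatever credential the URI already carries into the log output; I would print the host only. The text also says "Rejecting matching host" although this branch runs before the host comparison that follows it, so it fires for every protocol-less stanza whenever the URI is not https, and `"as the protocol is not https"` is missing the space after the file name. Something like `std::clog << "MaybeAddAuth: Ignoring stanza without protocol for " << Uri.Host << " from " << NetRCFile.Name() << " as the protocol is not https" << std::endl;` addresses all three. The switch and the function continue outside the hunk.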
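Review bot: IsAuthorized builds its lookup URI with a hard-coded `"https://"`, so with the new MACHINE logic a stanza that opts in with `http://` (or any other protocol prefix) can never match here, because `Startswith(token, Uri.Access + "://")` is evaluated against `https://`. If this function is meant to tell whether credentials apply to the source a package file really came from, its answer is now wrong for opted-in http sources; that intent is an inference, since the callers are not visible. The existing FIXME could be extended to say so, e.g. `// FIXME: Use the full base url including the scheme; http:// opt-in stanzas never match here`. The function body starts and ends outside the hunk.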
@@ -96,6 +97,53 @@ std::string Join(std::vector<std::string> list, const std::string &sep) return oss.str(); } +// Returns string display length honoring multi-byte characters +size_t DisplayLength(StringView str) +{ + size_t len = 0; + + const char *p = str.data(); + const char *const end = str.end(); + + mbstate_t state{}; + while (p < end) + { + wchar_t wch; + size_t res = mbrtowc(&wch, p, end - p, &state); + switch (res) + { + case 0: + // Null wide character (i.e. L'\0') - stop + p = end; + break; + + case static_cast<size_t>(-1): + // Byte sequence is invalid. Assume that it's + // a single-byte single-width character. + len += 1; + p += 1; + + // state is undefined in this case - reset it + state = {}; + + break; + + case static_cast<size_t>(-2): + // Byte sequence is too short. Assume that it's + // an incomplete single-width character and stop. + len += 1; + p = end; + break; + + default: + len += wcwidth(wch); + p += res; + } + } + + return len; +} + } } /*}}}*/ diff --git a/apt-pkg/contrib/strutl.h b/apt-pkg/contrib/strutl.h index fc02357a8..738480402 100644 --- a/apt-pkg/contrib/strutl.h +++ b/apt-pkg/contrib/strutl.h @@ -33,6 +33,8 @@ namespace APT { bool Endswith(const std::string &s, const std::string &ending); bool Startswith(const std::string &s, const std::string &starting); std::string Join(std::vector<std::string> list, const std::string &sep); + // Returns string display length honoring multi-byte characters + size_t DisplayLength(StringView str); } } diff --git a/apt-pkg/install-progress.cc b/apt-pkg/install-progress.cc index 2e8fac236..aadd28e51 100644 --- a/apt-pkg/install-progress.cc +++ b/apt-pkg/install-progress.cc 
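Review bot: In DisplayLength the default case does `len += wcwidth(wch);` without checking the result, and wcwidth() returns -1 for a wide character that is not printable. Added to the size_t `len`, that -1 shortens the count by one, or wraps it to a huge value while `len` is still 0, and the new caller in DrawStatusLine subtracts the result from the terminal width. I would guard it with `int const width = wcwidth(wch);` followed by `if (width > 0) len += width;`. The comment above the function could also state that the result depends on the current LC_CTYPE locale, since mbrtowc() decodes according to it.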
@@ -382,7 +382,7 @@ bool PackageManagerFancy::DrawStatusLine() if (_config->FindB("Dpkg::Progress-Fancy::Progress-Bar", true)) { int padding = 4; - auto const progressbar_size = size.columns - padding - progress_str.size(); + auto const progressbar_size = size.columns - padding - String::DisplayLength(progress_str); auto const current_percent = percentage / 100.0f; std::cout << " " << GetTextProgressStr(current_percent, progressbar_size) diff --git a/debian/NEWS b/debian/NEWS index e8cb4e279..555791602 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +apt (1.9.5) UNRELEASED; urgency=medium + + Credentials in apt_auth.conf(5) now only apply to https and tor+https + sources to avoid them being leaked over plaintext (Closes: #945911). To + opt-in to http, add http:// before the hostname. Note that this will transmit + credentials in plain text, which you do not want on devices that could be + operating in an untrusted network. + + -- Julian Andres Klode <juliank@ubuntu.com> Mon, 02 Dec 2019 11:45:52 +0100 + apt (1.8.0~alpha3) unstable; urgency=medium The PATH for running dpkg is now configured by the option DPkg::Path, diff --git a/doc/apt_auth.conf.5.xml b/doc/apt_auth.conf.5.xml index e7961ef81..99394be00 100644 --- a/doc/apt_auth.conf.5.xml +++ b/doc/apt_auth.conf.5.xml @@ -50,7 +50,7 @@ Unknown tokens will be ignored. Tokens may be separated by spaces, tabs or newli <variablelist> <varlistentry> -<term><literal>machine</literal> <replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term> +<term><literal>machine</literal> <replaceable>[protocol://]</replaceable><replaceable>hostname</replaceable>[:<replaceable>port</replaceable>][/<replaceable>path</replaceable>]</term> <listitem><para>Entries are looked up by searching for the <emphasis><literal>machine</literal></emphasis> token matching the hostname of the URI apt needs login information for. Extending the netrc-format 
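Review bot: `size.columns - padding - String::DisplayLength(progress_str)` is evaluated as size_t because DisplayLength returns size_t, so when the status text is wider than the terminal minus the padding the subtraction wraps around instead of going negative. The removed `.size()` version had the same property, but as the line is being touched it is a good moment to clamp the value at zero before it reaches GetTextProgressStr, for example by computing `auto const used = padding + String::DisplayLength(progress_str);` first and using `0` when `used` is not smaller than the column count. How GetTextProgressStr treats a very large size is not visible here. The function body starts and ends outside the hunk.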
@@ -60,7 +60,8 @@ different login information reside on the same server. A machine token with a pa matches if the path in the URI starts with the path given in the token. Once a match is made, the subsequent tokens are processed, stopping when the end of file is reached or another <emphasis><literal>machine</literal></emphasis> -token is encountered.</para></listitem> +token is encountered.</para> +<para>If protocol is not specified, the entry only matches https and tor+https.</para></listitem> </varlistentry> <varlistentry> @@ -80,9 +81,9 @@ token is encountered.</para></listitem> <refsect1><title>Example</title> <para>Supplying login information for a user named <literal>apt</literal> with the password <literal>debian</literal> for the &sources-list; entry -<literallayout>deb http://example.org/debian &debian-stable-codename; main</literallayout> +<literallayout>deb https://example.org/debian &debian-stable-codename; main</literallayout> could be done in the entry directly: -<literallayout>deb http://apt:debian@example.org/debian &debian-stable-codename; main</literallayout> +<literallayout>deb https://apt:debian@example.org/debian &debian-stable-codename; main</literallayout> Alternatively an entry like the following in the auth.conf file could be used: <literallayout>machine example.org login apt @@ -95,7 +96,7 @@ machine example.org/debian login apt password debian machine example.org/debian/ login apt password debian </literallayout> On the other hand neither of the following lines apply: -<literallayout>machine example.org:80 login apt password debian +<literallayout>machine example.org:443 login apt password debian machine example.org/deb/ login apt password debian machine example.org/ubuntu login apt password debian machine example.orga login apt password debian 
@@ -111,6 +112,9 @@ also the implementation slightly. For maximum backward compatibility you should avoid multiple <literal>machine</literal> tokens with the same hostname, but if you need multiple they should all have a path specified in the <literal>machine</literal> token.</para> +<para>Login information in auth.conf are more flexible than those in sources.list. For +example, login information can be specified for parts of a repository only, or if the +sources.list entry redirects elsewhere, login information for the redirect destination can be supplied.</para> </refsect1> <refsect1> diff --git a/doc/po/de.po b/doc/po/de.po index 9ec060dba..1c4ccbaa1 100644 --- a/doc/po/de.po +++ b/doc/po/de.po @@ -1,14 +1,14 @@ # Translation of apt/doc to German # Copyright (C) 1997, 1998, 1999 Jason Gunthorpe and others. # This file is distributed under the same license as the apt package. -# Chris Leick <c.leick@vollbio.de>, 2009-2018. +# Chris Leick <c.leick@vollbio.de>, 2009-2019. # msgid "" msgstr "" -"Project-Id-Version: apt 1.6\n" +"Project-Id-Version: apt 1.9.2\n" "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n" -"POT-Creation-Date: 2019-08-19 16:22+0200\n" -"PO-Revision-Date: 2018-10-21 12:58+0200\n" +"POT-Creation-Date: 2019-09-13 10:38+0200\n" +"PO-Revision-Date: 2019-08-15 10:22+0200\n" "Last-Translator: Chris Leick <c.leick@vollbio.de>\n" "Language-Team: German <debian-l10n-german@lists.debian.org>\n" "Language: de\n" @@ -818,6 +818,9 @@ msgid "" "Depends. It also handles conflicts, by prefixing an argument with <literal>" "\"Conflicts: \"</literal>." msgstr "" +"<option>satisfy</option> erfüllt Abhängigkeitszeichenketten, wie sie in " +"Build-Depends benutzt werden. Es handhabt auch Konflikte, indem es einem " +"Argument ein <literal>\"Conflicts: \"</literal> voranstellt." #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt.8.xml 
@@ -825,6 +828,8 @@ msgid "" "Example: <literal>apt satisfy \"foo, bar (>= 1.0)\" \"Conflicts: baz, fuzz" "\"</literal>" msgstr "" +"Beispiel: <literal>apt satisfy \"foo, bar (>= 1.0)\" \"Conflicts: baz, fuzz" +"\"</literal>" #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term> #: apt.8.xml @@ -1194,12 +1199,12 @@ msgstr "" #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-get.8.xml -#, fuzzy -#| msgid "the <literal>Archive:</literal> or <literal>Suite:</literal> line" msgid "" "<literal>reinstall</literal> is an alias for <literal>install --reinstall</" "literal>." -msgstr "die <literal>Archive:</literal>- oder <literal>Suite:</literal>-Zeile" +msgstr "" +"<literal>reinstall</literal> ist ein Alias für <literal>install --reinstall</" +"literal>." #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-get.8.xml @@ -1254,6 +1259,9 @@ msgid "" "The arguments are interpreted as binary and source package names. See the " "<option>--only-source</option> option if you want to change that." msgstr "" +"Die Argumente werden als Binär- und Quellpaketnamen interpretiert. Falls Sie " +"dies ändern möchten, sehen Sie sich die Option <option>--only-source</" +"option> an." #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-get.8.xml @@ -1335,6 +1343,9 @@ msgid "" "The arguments are interpreted as binary or source package names. See the " "<option>--only-source</option> option if you want to change that." msgstr "" +"Die Argumente werden als Binär- oder Quellpaketnamen interpretiert. Falls " +"Sie dies ändern möchten, sehen Sie sich die Option <option>--only-source</" +"option> an." #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-get.8.xml 
@@ -1345,6 +1356,12 @@ msgid "" "with <literal>\"Conflicts: \"</literal> to unsatisfy the dependency string. " "Multiple strings of the same type can be specified." msgstr "" +"<literal>satisfy</literal> veranlasst apt-get, die angegebenen " +"Abhängigkeitszeichenketten zu erfüllen. Die Abhängigkeitszeichenketten " +"könnten Bauprofile und Architekturbeschränkungslisten in ihren " +"Bauabhängigkeiten haben. Ihnen kann wahlweise <literal>\"Conflicts: \"</" +"literal> vorangestellt sein, um die Abhängigkeitszeichenkette nicht zu " +"erfüllen. Es dürfen mehrere Zeichenketten desselben Typs angegeben werden." #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-get.8.xml @@ -1352,12 +1369,16 @@ msgid "" "Example: <literal>apt-get satisfy \"foo\" \"Conflicts: bar\" \"baz (>> " "1.0) | bar (= 2.0), moo\"</literal>" msgstr "" +"Beispiel: <literal>apt-get satisfy \"foo\" \"Conflicts: bar\" \"baz (>" +"> 1.0) | bar (= 2.0), moo\"</literal>" #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-get.8.xml msgid "" "The legacy operator '</>' is not supported, use '<=/>=' instead." msgstr "" +"Der veraltete Operator »</>« wird nicht unterstützt, benutzen Sie " +"stattdessen »<=/>=«." #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-get.8.xml @@ -3126,11 +3147,6 @@ msgstr "" #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-mark.8.xml -#, fuzzy -#| msgid "" -#| "<literal>auto</literal> is used to mark a package as being automatically " -#| "installed, which will cause the package to be removed when no more " -#| "manually installed packages depend on this package." msgid "" "<literal>minimize-manual</literal> is used to mark (transitive) dependencies " "of metapackages as automatically installed. This can be used after an " 
@@ -3138,9 +3154,11 @@ msgid "" "packages; or continuously on systems managed by system configuration " "metapackages." msgstr "" -"<literal>auto</literal> wird benutzt, um ein Paket als automatisch " -"installiert zu markieren, was veranlasst, dass das Paket entfernt wird, wenn " -"keine manuell installierten Pakete von ihm abhängen." +"<literal>minimize-manual</literal> wird benutzt, um (transitive) " +"Abhängigkeiten von Metapaketen als automatisch installiert zu markieren. " +"Dies kann zum Beispiel nach einer Installation benutzt werden, um die Anzahl " +"manuell installierter Pakete gering zu halten oder stetig auf Systemen, die " +"durch Systemkonfigurations-Metapakete verwaltet werden." #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt-mark.8.xml @@ -5592,6 +5610,10 @@ msgid "" "used when running dpkg. It may be set to any valid value of that environment " "variable; or the empty string, in which case the variable is not changed." msgstr "" +"Dies ist eine Zeichenkette, die beim Ausführen von Dpkg die " +"Umgebungsvariable <envar>PATH</envar> definiert. Sie kann auf jeden Wert " +"dieser Umgebungsvariable oder eine leere Zeichenkette gesetzt werden, falls " +"sich die Variable nicht geändert hat." #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt.conf.5.xml 
@@ -7705,7 +7727,7 @@ msgstr "" "Derivaten benutzte Dateien, wie Metadatendateien, die APT von den " "konfigurierten Quellen herunterlädt oder der Datei <filename>debian/control</" "filename> in einem Debian-Quellpaket. Individuelle Einträge werden durch " -"eine leere Zeile getrennt: Zusätzliche leere Zeilen werden ignoriert und " +"eine leere Zeile getrennt; zusätzliche leere Zeilen werden ignoriert und " "<literal>#</literal>-Zeichen am Anfang einer Zeile kennzeichnen die ganze " "Zeile als Kommentar. Ein Eintrag kann daher deaktiviert werden, indem jede " "Zeile, die zum Absatz gehört, auskommentiert wird. Es ist üblicherweise " @@ -8129,20 +8151,6 @@ msgstr "" #. type: Content of: <refentry><refsect1><para><itemizedlist><listitem><para> #: sources.list.5.xml -#, fuzzy -#| msgid "" -#| "<option>Signed-By</option> (<option>signed-by</option>) is either an " -#| "absolute path to a keyring file (has to be accessible and readable for " -#| "the <literal>_apt</literal> user, so ensure everyone has read-permissions " -#| "on the file) or one or more fingerprints of keys either in the " -#| "<filename>trusted.gpg</filename> keyring or in the keyrings in the " -#| "<filename>trusted.gpg.d/</filename> directory (see <command>apt-key " -#| "fingerprint</command>). If the option is set, only the key(s) in this " -#| "keyring or only the keys with these fingerprints are used for the &apt-" -#| "secure; verification of this repository. Defaults to the value of the " -#| "option with the same name if set in the previously acquired " -#| "<filename>Release</filename> file. Otherwise all keys in the trusted " -#| "keyrings are considered valid signers for this repository." msgid "" "<option>Signed-By</option> (<option>signed-by</option>) is an option to " "require a repository to pass &apt-secure; verification with a certain set of " 
@@ -8162,18 +8170,25 @@ msgid "" "(only fingerprints can be specified there through). Otherwise all keys in " "the trusted keyrings are considered valid signers for this repository." msgstr "" -"<option>Signed-By</option> (<option>signed-by</option>) ist entweder ein " -"absoluter Pfad zu einer Schlüsselbunddatei (muss für den Benutzer von " -"<literal>_apt</literal> zugänglich und lesbar sein, sorgen Sie also dafür, " -"dass jeder Leserechte an der Datei hat) oder einer oder mehrere " -"Fingerabdrücke von Schlüsseln, die entweder im <filename>trusted.gpg</" -"filename>-Schlüsselbund oder in den Schlüsselbunden im Verzeichnis " -"<filename>trusted.gpg.d/</filename> liegen (siehe <command>apt-key " -"fingerprint</command>). Falls die Option gesetzt ist, wird/werden nur der/" -"die Schlüssel in diesem Schlüsselbund oder nur die Schlüssel mit diesen " -"Fingerabdrücken für die &apt-secure;-Überprüfung dieses Depots benutzt. Sie " -"ist auf den Wert der Option mit demselben Namen voreingestellt, falls sie in " -"der vorher beschafften <filename>Release</filename>-Datei gesetzt ist. " +"<option>Signed-By</option> (<option>signed-by</option>) ist eine Option, die " +"erfordert, dass ein Depot die &apt-secure;-Prüfung mit einem bestimmten Satz " +"von Schlüsseln, statt mit allen vertrauenswürdigen Schlüsseln, durchläuft, " +"die für APT konfiguriert sind. Sie wird als eine Liste absoluter Pfade zu " +"Schlüsselbunddateien angegeben (müssen für den Systembenutzer <literal>_apt</" +"literal> zugreif- und lesbar sein, stellen Sie also sicher, dass jedermann " +"Leserechte für die Datei hat) sowie Fingerabdrücke von Schlüsseln, um diese " +"aus Schlüsselbunden auszuwählen. Falls keine Schlüsselbunddateien angegeben " +"wurden, sind der Schlüsselbund <filename>trusted.gpg</filename> und alle " +"Schlüsselbunde im Verzeichnis <filename>trusted.gpg.d/</filename> " +"voreingestellt (siehe <command>apt-key fingerprint</command>). 
Falls kein " +"Fingerabdruck angegeben wurde, werden alle Schlüssel in den Schlüsselbunden " +"ausgewählt. Ein Fingerabdruck wird außerdem alle Signaturen eines " +"Unterschlüssels dieses Schlüssels akzeptieren, falls dies nicht gewünscht " +"wird, kann ein Ausrufezeichen (<literal>!</literal>) an den Fingerabdruck " +"angehängt werden, um dieses Verhalten zu deaktivieren. Die Option ist auf " +"den Wert der Option mit demselben Namen voreingestellt, falls sie in der " +"vorher beschafften <filename>Release</filename>-Datei dieses Depots gesetzt " +"ist (allerdings können dadurch nur Fingerabdrücke angegeben werden). " "Andernfalls werden alle Schlüssel in den vertrauenswürdigen Schlüsselbunden " "als gültige Unterzeichner für dieses Depot angesehen." @@ -9941,19 +9956,15 @@ msgstr "" #. type: Content of: <refentry><refsect1><para> #: apt_auth.conf.5.xml -#, fuzzy -#| msgid "" -#| "The APT auth.conf file <filename>/etc/apt/auth.conf</filename> can be " -#| "used to store login information in a netrc-like format with restrictive " -#| "file permissions." msgid "" "The APT auth.conf file <filename>/etc/apt/auth.conf</filename>, and .conf " "files inside <filename>/etc/apt/auth.conf.d</filename> can be used to store " "login information in a netrc-like format with restrictive file permissions." msgstr "" -"Die APT-Auth.conf-Datei <filename>/etc/apt/auth.conf</filename> kann benutzt " +"Die APT-Auth.conf-Datei <filename>/etc/apt/auth.conf</filename> und .conf-" +"Dateien innerhalb <filename>/etc/apt/auth.conf.d</filename> können benutzt " "werden, um Anmeldeinformationen in einem Netrc-ähnlichen Format mit " -"einschränkenden Dateizugriffsrechten gespeichert." +"beschränkten Dateizugriffsrechten zu speichern." #. type: Content of: <refentry><refsect1><title> #: apt_auth.conf.5.xml 
@@ -10163,23 +10174,17 @@ msgstr "" #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term> #: apt_auth.conf.5.xml -#, fuzzy -#| msgid "<filename>/etc/apt/auth.conf</filename>" msgid "<filename>/etc/apt/auth.conf.d/*.conf</filename>" -msgstr "<filename>/etc/apt/auth.conf</filename>" +msgstr "<filename>/etc/apt/auth.conf.d/*.conf</filename>" #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para> #: apt_auth.conf.5.xml -#, fuzzy -#| msgid "" -#| "Login information for APT sources and proxies in a netrc-like format. " -#| "Configuration Item: <literal>Dir::Etc::netrc</literal>." msgid "" "Login information for APT sources and proxies in a netrc-like format. " "Configuration Item: <literal>Dir::Etc::netrcparts</literal>." msgstr "" "Anmeldeinformationen für APT-Quellen und -Proxys in einem Netrc-ähnlichen " -"Format. Konfigurationselement: <literal>Dir::Etc::netrc</literal>." +"Format. Konfigurationselement: <literal>Dir::Etc::netrcparts</literal>." #. type: Content of: <refentry><refsect1><para> #: apt_auth.conf.5.xml diff --git a/methods/gpgv.cc b/methods/gpgv.cc index 04a4f6a83..660041764 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc 
@@ -309,18 +309,16 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, auto const master = SubKeyMapping.find(l); if (master == SubKeyMapping.end()) continue; - for (auto const &sub : master->second) - if (IsTheSameKey(sub, good)) - { - if (std::find(Signers.Valid.cbegin(), Signers.Valid.cend(), sub) == Signers.Valid.cend()) - continue; - found = true; - Signers.SignedBy.push_back(l); - Signers.SignedBy.push_back(sub + "!"); - break; - } - if (found) + auto const validsubkeysig = std::find_if(master->second.cbegin(), master->second.cend(), [&](auto const subkey) { + return IsTheSameKey(subkey, good) && std::find(Signers.Valid.cbegin(), Signers.Valid.cend(), subkey) != Signers.Valid.cend(); + }); + if (validsubkeysig != master->second.cend()) + { + found = true; + Signers.SignedBy.push_back(l); + Signers.SignedBy.push_back(*validsubkeysig + "!"); break; + } } } if (Debug) diff --git a/test/integration/skip-bug-601016-description-translation b/test/integration/skip-bug-601016-description-translation index fd0465acd..3f68ce2d5 100755 --- a/test/integration/skip-bug-601016-description-translation +++ b/test/integration/skip-bug-601016-description-translation 
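Review bot: The find_if lambda in VerifyGetSigners takes its argument as `auto const subkey`, which copies each element before comparing it; `auto const &subkey` avoids the copy and matches the `auto const &sub` of the removed loop. It would also help to put a short comment above the find_if stating that a subkey only counts when it is both the key that produced the good signature and present in Signers.Valid, since the two conditions are now folded into one expression that decides what ends up in Signers.SignedBy. The enclosing loop and function continue outside the hunk.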
@@ -47,11 +47,11 @@ Description-${LOCALE}: Mächtige Oberfläche für dpkg auf den dpkg-Paketmanager. Es beinhaltet das apt-get-Werkzeug und die APT-Dselect-Methode. Beides sind einfache und sicherere Wege, um Pakete zu installieren und Upgrades durchzuführen. -$MD5Sum" | bzip2 > aptarchive/${LOCALE}.bz2 +$MD5Sum" > "aptarchive/${LOCALE}" -# the $LOCALE translation file will not be included as it is a flat archive it came from and therefore -# its name can not be guessed correctly… (in non-flat archives the files are called Translation-*) -echo 'APT::Cache::Generate "false";' > rootdir/etc/apt/apt.conf.d/00nogenerate +# add our $LOCALE translation file explicitly to be picked up by apt-ftparchive +echo "APT::FTPArchive::Release::Patterns:: \"en\"; +APT::FTPArchive::Release::Patterns:: \"${LOCALE}\";" > rootdir/etc/apt/apt.conf.d/ftparchivepattern NOLONGSTANZA="$PACKAGESTANZA Description: Advanced front-end for dpkg @@ -90,7 +90,8 @@ testrun() { testequal "$LOCALESTANZA2" aptcache show apt:amd64 -o Test=File-${LOCALE} testequal "$NOLONGSTANZA" aptcache show apt -o Acquire::Languages="ww" -o Test=File-${LOCALE} testequal "$LOCALESTANZA" aptcache show apt -o Acquire::Languages::="ww" -o Test=File-${LOCALE} - LC_ALL=C testequal "$ENGLISHSTANZA" aptcache show apt -o Test=File-${LOCALE} + LC_ALL=C.UTF-8 testequal "$LOCALESTANZA" aptcache show apt -o Test=File-${LOCALE} + LC_ALL=C.UTF-8 testequal "$ENGLISHSTANZA" aptcache show apt -o Test=File-${LOCALE} -o Acquire::Languages="environment,${LOCALE}" export LC_ALL="" echo "Acquire::Languages { \"ww\"; \"${LOCALE}\"; \"en\"; };" > rootdir/etc/apt/apt.conf.d/00languages testequal "$LOCALESTANZA" aptcache show apt -o Test=File-ww-${LOCALE} 
@@ -113,7 +114,7 @@ Description-en: Advanced front-end for dpkg This is Debian's next generation front-end for the dpkg package manager. It provides the apt-get utility and APT dselect method that provides a simpler, safer way to install and upgrade packages. -$MD5Sum" | bzip2 > aptarchive/en.bz2 +$MD5Sum" > aptarchive/en ENGLISHSTANZA="$PACKAGESTANZA Description-en: Advanced front-end for dpkg diff --git a/test/integration/test-apt-update-repeated-ims-hit b/test/integration/test-apt-update-repeated-ims-hit new file mode 100755 index 000000000..74d46b31b --- /dev/null +++ b/test/integration/test-apt-update-repeated-ims-hit 
@@ -0,0 +1,75 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'amd64' +configcompression '.' 'bz2' + +echo 'Package: apt +Priority: important +Section: admin +Installed-Size: 5984 +Maintainer: APT Development Team <deity@lists.debian.org> +Architecture: i386 +Version: 0.8.7 +Filename: pool/main/a/apt/apt_0.8.7_i386.deb +Size: 2140230 +MD5sum: 74769bfbcef9ebc4fa74f7a5271b9c08 +Description: Advanced front-end for dpkg +Description-md5: d41ee493aa9fcc6cbc9ce4eb7069959c' > aptarchive/Packages +compressfile aptarchive/Packages + +echo "Package: apt +Description-en: Advanced front-end for dpkg + This is Debian's next generation front-end for the dpkg package manager. + It provides the apt-get utility and APT dselect method that provides a + simpler, safer way to install and upgrade packages. +$MD5Sum" > aptarchive/en +compressfile aptarchive/en + +echo "APT::FTPArchive::Release::Patterns:: \"en\"; +APT::FTPArchive::Release::Patterns:: \"en.*\";" > rootdir/etc/apt/apt.conf.d/ftparchivepattern + +export APT_DONT_SIGN='InRelease' +setupaptarchive --no-update +rm -f aptarchive/Packages aptarchive/en + +rm -f rootdir/etc/apt/trusted.gpg.d/* +sed -i -e 's#^deb #deb [trusted=yes] #' rootdir/etc/apt/sources.list.d/* + +APTARCHIVE="$(readlink -f ./aptarchive)" +GPGERROR="W: GPG error: file:$APTARCHIVE Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5A90D141DBAC8DAE" + +msgmsg 'Running update again does not change result' '0' +testwarningmsg "$GPGERROR" apt update +listcurrentlistsdirectory > lists.before +testsuccess grep 'aptarchive_en$' lists.before +testsuccess grep 'aptarchive_Packages$' lists.before +testsuccess grep 'aptarchive_Release$' lists.before +testfailure grep 'aptarchive_Release.gpg$' lists.before + +for i in $(seq 1 3); do + msgmsg 'Running update again does not change result' "$i" + testwarningmsg "$GPGERROR" apt update + 
testfileequal lists.before "$(listcurrentlistsdirectory)" +done + +find rootdir/var/lib/apt/lists -name '*Release*' -delete +msgmsg 'Running update with a repository gaining hashsums' +testwarningmsg "$GPGERROR" apt update +testfileequal lists.before "$(listcurrentlistsdirectory)" + +changetowebserver +find aptarchive -name '*Release*' -delete +rm -rf rootdir/var/lib/apt/lists + +msgmsg 'Running update with no indexes' '0' +testsuccess apt update +listcurrentlistsdirectory > lists.before +for i in $(seq 1 3); do + msgmsg 'Running update with no indexes' "$i" + testsuccess apt update -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::Transaction=1 + testfileequal lists.before "$(listcurrentlistsdirectory)" +done diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic index 211c73e35..5aafaade0 100755 --- a/test/integration/test-authentication-basic +++ b/test/integration/test-authentication-basic 
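Review bot: The step that empties `rootdir/etc/apt/trusted.gpg.d/` and rewrites the sources to `[trusted=yes]` carries no comment saying why the test needs a signature that cannot be verified, so the later `testfailure grep 'aptarchive_Release.gpg$' lists.before` reads as an arbitrary assertion. A comment above the `rm -f` would make the intent reviewable, for example `# no keys: Release.gpg cannot be verified and must not stay in lists/; trusted=yes lets update continue`. This presumably pairs with the pkgAcqMetaSig::Failed change in the same commit, which the author should confirm. The `-o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::Transaction=1` options in the final loop also look like leftovers, since the '0' run does not set them; either drop them or note that they are kept for log output.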
@@ -65,35 +65,59 @@ runtest() { authfile '' testauthfailure "$1" + protocol="${1%%://*}" + # good auth - authfile 'machine localhost + authfile "machine ${protocol}://localhost login star@irc -password hunter2' +password hunter2" testauthsuccess "$1" # bad auth - authfile 'machine localhost + authfile "machine ${protocol}://localhost login anonymous -password hunter2' +password hunter2" testauthfailure "$1" # 2 stanzas: unmatching + good auth - authfile 'machine debian.org + authfile "machine ${protocol}://debian.org login debian password jessie -machine localhost +machine ${protocol}://localhost login star@irc -password hunter2' +password hunter2" testauthsuccess "$1" + # no protocol specifier + authfile "machine localhost +login star@irc +password hunter2" + if [ "$protocol" = "https" ]; then + testauthsuccess "$1" + else + testauthfailure "$1" + fi + + # wrong protocol specifier + if [ "$protocol" = "https" ]; then + authfile "machine http://localhost +login star@irc +password hunter2" + else + authfile "machine https://localhost +login star@irc +password hunter2" + fi + testauthfailure "$1" + # delete file, make sure it fails; add auth.conf.d snippet, works again. rm rootdir/etc/apt/auth.conf testauthfailure "$1" - authfile 'machine localhost + authfile "machine ${protocol}://localhost login star@irc -password hunter2' rootdir/etc/apt/auth.conf.d/myauth.conf +password hunter2" rootdir/etc/apt/auth.conf.d/myauth.conf testauthsuccess "$1" rm rootdir/etc/apt/auth.conf.d/myauth.conf } |
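Review bot: The `# no protocol specifier` case expects success only when `$protocol` is `https`, but nothing in the hunk says that this is the security property under test: a stanza without a scheme must not be used for plaintext http. A comment on that branch would keep a later editor from "fixing" it, for example `# stanzas without a protocol must only match https, so the password is never offered over cleartext http`. The `# wrong protocol specifier` case would benefit from a similar line, `# a stanza for the other scheme must never match`. Separately, `protocol="${1%%://*}"` yields the whole argument when `$1` contains no `://`; whether that can happen depends on the callers of runtest, which are outside the hunk, as is the start of runtest's body.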