Diffstat (limited to 'debian')
-rw-r--r-- | debian/NEWS | 32 | ||||
-rw-r--r-- | debian/apt-transport-https.install | 4 | ||||
-rwxr-xr-x | debian/apt.systemd.daily | 45 | ||||
-rw-r--r-- | debian/changelog | 99 | ||||
-rw-r--r-- | debian/control | 23 | ||||
-rwxr-xr-x | debian/rules | 2 |
6 files changed, 184 insertions, 21 deletions
diff --git a/debian/NEWS b/debian/NEWS
index bff3621bc..9a93de69e 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,34 @@
+apt (1.5~beta1) unstable; urgency=medium
+
+ [ New HTTPS method ]
+ The default http method now supports HTTPS itself, including encrypted proxies
+ and connecting to HTTPS sites via HTTPS proxies; and the apt-transport-https
+ package only provides a "curl+https" method now as a fallback, but will be
+ removed shortly. If TLS support is unwanted, it can be disabled overall by
+ setting the option Acquire::AllowTLS to "false".
+
+ As for backwards compatibility, the options IssuerCert and SslForceVersion
+ are not supported anymore, and any specified certificate files must in the
+ PEM format (curl might have allowed DER files as well).
+
+ [ Changes to unauthenticated repositories ]
+ The security exception for apt-get to only raise warnings if it encounters
+ unauthenticated repositories in the "update" command is gone now, so that it
+ will raise errors just like apt and all other apt-based front-ends do since
+ at least apt version 1.3.
+
+ It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
+ behaviour of apt-get by setting the option
+ Binary::apt-get::Acquire::AllowInsecureRepositories "true";
+ See apt-secure(8) manpage for configuration details.
+
+ [ Release Info Changes ]
+ If values like Origin, Label, and Codename change in a Release file,
+ update fails, or asks a user (if interactive). Various
+ --allow-releaseinfo-change are provided for non-interactive use.
+
+ -- Julian Andres Klode <jak@debian.org> Mon, 03 Jul 2017 15:09:23 +0200
+
 apt (1.4.2) unstable; urgency=medium
 If periodic updates and unattended upgrades are enabled, the start of
@@ -121,4 +152,3 @@ apt (0.5.25) unstable; urgency=low
 recreated the next time.
 -- Matt Zimmerman <mdz@debian.org> Sat, 8 May 2004 12:38:07 -0700
-
diff --git a/debian/apt-transport-https.install b/debian/apt-transport-https.install
index 7b14886df..4849f1484 100644
--- a/debian/apt-transport-https.install
+++ b/debian/apt-transport-https.install
@@ -1 +1,3 @@
-usr/lib/apt/methods/https
+usr/lib/apt/methods/curl
+usr/lib/apt/methods/curl+http
+usr/lib/apt/methods/curl+https
diff --git a/debian/apt.systemd.daily b/debian/apt.systemd.daily
index 49af931bd..40b6692ec 100755
--- a/debian/apt.systemd.daily
+++ b/debian/apt.systemd.daily
@@ -78,6 +78,12 @@ check_stamp()
 stamp="$1"
 interval="$2"
+ if [ $interval = always ]; then
+ debug_echo "check_stamp: ignoring time stamp file, interval set to always"
+ # treat as enough time has passed
+ return 0
+ fi
+
 if [ $interval -eq 0 ]; then
 debug_echo "check_stamp: interval=0"
 # treat as no time has passed
@@ -112,8 +118,20 @@ check_stamp()
 delta=$(($now-$stamp))
- # interval is in days, convert to sec.
- interval=$(($interval*60*60*24))
+ # Calculate the interval in seconds depending on the unit specified
+ if [ "${interval%s}" != "$interval" ] ; then
+ interval="${interval%s}"
+ elif [ "${interval%m}" != "$interval" ] ; then
+ interval="${interval%m}"
+ interval=$((interval*60))
+ elif [ "${interval%h}" != "$interval" ] ; then
+ interval="${interval%h}"
+ interval=$((interval*60*60))
+ else
+ interval="${interval%d}"
+ interval=$((interval*60*60*24))
+ fi
+
 debug_echo "check_stamp: interval=$interval, now=$now, stamp=$stamp, delta=$delta (sec)"
 # remove timestamps a day (or more) in the future and force re-check
@@ -217,7 +235,9 @@ check_size_constraints()
 do_cache_backup()
 {
 BackupArchiveInterval="$1"
- if [ $BackupArchiveInterval -eq 0 ]; then
+ if [ $BackupArchiveInterval = always ]; then
+ :
+ elif [ $BackupArchiveInterval -eq 0 ]; then
 return
 fi
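Review bot: `$interval` is expanded unquoted in the added `[ $interval = always ]` test in check_stamp, so an empty value or one containing whitespace makes `[` fail with a usage error (status 2) instead of comparing, and the `if` is simply treated as false. Quote the operand: `if [ "$interval" = always ]; then`. The same unquoted pattern is added for `$BackupArchiveInterval` in the do_cache_backup hunk and for all six interval variables in the top-level `if`/`elif` chain in the `@@ -388,12 +408,19 @@` hunk. These values presumably come from apt configuration, and this script decides whether periodic updates and unattended upgrades run, so a malformed setting should be rejected explicitly rather than change which branch is taken. check_stamp's body starts and ends outside the hunk.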
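Review bot: Nothing in the unit-conversion block of check_stamp verifies that the value left after stripping the suffix is a non-empty decimal number before it reaches `$((interval*60))` and the sibling expansions. A value with an unrecognised suffix such as `1w` falls into the `else` branch unchanged and produces a shell arithmetic error there; depending on the shell this may abort the whole run, which would skip the update and upgrade steps. An empty remainder (a bare `h`) is likewise unchecked. A guard ahead of the `if` chain would make the failure explicit, for example `case "${interval%[smhd]}" in ''|*[!0-9]*) debug_echo "check_stamp: invalid interval '$interval'"; return 1 ;; esac` (the `return 1` assumes the function's existing convention that non-zero means "not due"). The function continues outside this hunk.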
@@ -388,12 +408,19 @@ Debdelta=1
 eval $(apt-config shell Debdelta APT::Periodic::Download-Upgradeable-Packages-Debdelta)
 # check if we actually have to do anything that requires locking the cache
-if [ $UpdateInterval -eq 0 ] &&
- [ $DownloadUpgradeableInterval -eq 0 ] &&
- [ $UnattendedUpgradeInterval -eq 0 ] &&
- [ $BackupArchiveInterval -eq 0 ] &&
- [ $AutocleanInterval -eq 0 ] &&
- [ $CleanInterval -eq 0 ]; then
+if [ $UpdateInterval = always ] ||
+ [ $DownloadUpgradeableInterval = always ] ||
+ [ $UnattendedUpgradeInterval = always ] ||
+ [ $BackupArchiveInterval = always ] ||
+ [ $AutocleanInterval = always ] ||
+ [ $CleanInterval = always ] ; then
+ :
+elif [ $UpdateInterval -eq 0 ] &&
+ [ $DownloadUpgradeableInterval -eq 0 ] &&
+ [ $UnattendedUpgradeInterval -eq 0 ] &&
+ [ $BackupArchiveInterval -eq 0 ] &&
+ [ $AutocleanInterval -eq 0 ] &&
+ [ $CleanInterval -eq 0 ] ; then
 # check cache size
 check_size_constraints
diff --git a/debian/changelog b/debian/changelog
index f19355c35..e9ec2e230 100644
--- a/debian/changelog
+++ b/debian/changelog
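Review bot: The `-eq 0` tests in the added `elif` chain are integer comparisons, but once check_stamp accepts unit suffixes a value such as `30m` or `0h` is no longer an integer. `[ 30m -eq 0 ]` is an error rather than a false result, so every run prints a diagnostic for each suffixed variable, and `0h` is not recognised as "disabled" here, nor by the `-eq 0` checks kept in check_stamp and do_cache_backup. Consider normalising each interval once after the `apt-config shell` calls, or comparing the suffix-stripped value, e.g. `[ "${UpdateInterval%[smhd]}" = 0 ]`. Whether suffixes are meant to be valid for all six variables is not visible in this hunk, and the body of the `elif` branch continues past it.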
@@ -1,3 +1,100 @@ +apt (1.5~beta1) unstable; urgency=medium + + [ Julian Andres Klode ] + * Make Verify-Host and Verify-Peer independent again + * http: A response with Content-Length: 0 has no content + * Ignore download order in test-apt-update-failure-propagation + * tls: Add more details to error messages, and detect more errors + * Do not error out, only warn if ca certificates are not available + + [ David Kalnischkies ] + * don't set ip addresses as server names for SNI + + [ Алексей Шилин ] + * Russian translation update (Closes: #866749) + + -- Julian Andres Klode <jak@debian.org> Mon, 03 Jul 2017 16:57:59 +0200 + +apt (1.5~alpha4) experimental; urgency=medium + + * Reset failure reason when connection was successful + * Allow running the TLS stack on any lower connection + * http: Add support for CONNECT proxying to HTTPS locations + * http: Add support for https:// proxies + * Allow http(s) and socks5h for http and https in proxy auto detect + * Switch to 'http' as the default https method + * Improve closing the TLS connection + * TLS support: Error out on unsupported curl options + + -- Julian Andres Klode <jak@debian.org> Fri, 30 Jun 2017 18:18:09 +0200 + +apt (1.5~alpha3) experimental; urgency=medium + + * Don't read CaInfo if not specified (missing else) + This fixes a regression from ~alpha2. 
(Closes: #866559) + + -- Julian Andres Klode <jak@debian.org> Fri, 30 Jun 2017 09:50:13 +0200 + +apt (1.5~alpha2) experimental; urgency=medium + + [ David Kalnischkies ] + * support tor+https being handled by http + * use port from SRV record instead of initial port + + [ Robert Luberda ] + * fix a "critical" typo in old changelog entry (Closes: 866358) + + [ Julian Andres Klode ] + * Improve error message if system CA store is empty (Closes: #866377) + * Have apt Recommend ca-certificates + * Demote gnupg to Suggests + * http: Only use system CA store if CaInfo is not set + * Bump Standards-Version (and wrap-and-sort a bit) + * Build-Depend on debhelper (>= 10) to shut up lintian + + -- Julian Andres Klode <jak@debian.org> Thu, 29 Jun 2017 17:52:19 +0200 + +apt (1.5~alpha1) experimental; urgency=medium + + [ Julian Andres Klode ] + * pkgcache: Bump major version to 12 + * Squashed 'triehash/' changes from 565fde4e7..0ca66b761 + * methods: Add HTTPS support to http method, using GnuTLS. + The http method will eventually replace the curl-based + https method, but for now, this is an opt-in experiment + that can be enabled by setting Dir::Bin::Methods::https + to "http". + Known issues: + - We do not support HTTPS proxies yet + - We do not support proxying HTTPS connections yet (CONNECT) + - IssuerCert and SslForceVersion are unsupported + * Allow building without curl + * Introduce Acquire::AllowTLS to turn off TLS support + * Skip test-apt-download-progress + * Strip 0: epochs from the version hash + + [ David Kalnischkies ] + * schedule the correct side of the conflict for removal. 
+ Thanks to Michael Biebl for helping find this with countless tests + * don't show incorrect 'How odd' error in no-download mode (Closes: 863635) + * Show permission error if ProxyAutoDetect cmd can't be executed + (Closes: 857885) + * Avoid chdir in acquire clean with unlinkat (Closes: 860738) + * ident a CD without changing directory + * clean archives without changing directory + * avoid changing directory in mirror method + * warn if an expected file can't be acquired + * show .diff/Index properly as ignored if we fallback + * fail InRelease on non-404 HTTP errorcodes + * deal with 3xx httpcodes as required by HTTP/1.1 spec + * fail instead of warn on insecure repositories in apt-get + * error in update on Release information changes + * show a Release-Notes URI if infos were changed + * allow frontends to override releaseinfo change behaviour + * ask for releaseinfo change interactively in apt + + -- Julian Andres Klode <jak@debian.org> Wed, 28 Jun 2017 19:52:24 +0200 + apt (1.4.6) unstable; urgency=medium * apt.systemd.daily: Do not pass -d to unattended-upgrade for the download @@ -3330,7 +3427,7 @@ apt (0.9.7.9~exp1) experimental; urgency=low -- Michael Vogt <mvo@debian.org> Fri, 22 Mar 2013 21:57:08 +0100 -apt (0.9.7.8) unstable; urgency=criticial +apt (0.9.7.8) unstable; urgency=critical * SECURITY UPDATE: InRelease verification bypass - CVE-2013-1051 diff --git a/debian/control b/debian/control index 96bbef348..896f98783 100644 --- a/debian/control +++ b/debian/control 
@@ -5,18 +5,19 @@ Maintainer: APT Development Team <deity@lists.debian.org> Uploaders: Michael Vogt <mvo@debian.org>, Julian Andres Klode <jak@debian.org>, David Kalnischkies <donkult@debian.org> -Standards-Version: 3.9.8 +Standards-Version: 4.0.0 Build-Depends: cmake (>= 3.4), - debhelper (>= 9.20160709~), + debhelper (>= 10), dh-systemd, docbook-xml, docbook-xsl, dpkg-dev (>= 1.17.14), gettext (>= 0.12), + googletest <!nocheck> | libgtest-dev <!nocheck>, libbz2-dev, libcurl4-gnutls-dev (>= 7.19.4~), libdb-dev, - googletest <!nocheck> | libgtest-dev <!nocheck>, + libgnutls28-dev (>= 3.4.6), liblz4-dev (>= 0.0~r126), liblzma-dev, pkg-config, @@ -35,12 +36,14 @@ Depends: adduser, ${apt:keyring}, ${misc:Depends}, ${shlibs:Depends} -Replaces: apt-utils (<< 1.3~exp2~) -Breaks: apt-utils (<< 1.3~exp2~) -Recommends: gnupg | gnupg2 | gnupg1 +Replaces: apt-utils (<< 1.3~exp2~), apt-transport-https (<< 1.5~alpha4~) +Breaks: apt-utils (<< 1.3~exp2~), apt-transport-https (<< 1.5~alpha4~) +Provides: apt-transport-https (= ${binary:Version}) +Recommends: ca-certificates Suggests: apt-doc, aptitude | synaptic | wajig, dpkg-dev (>= 1.17.2), + gnupg | gnupg2 | gnupg1, powermgmt-base, python-apt Description: commandline package manager @@ -146,10 +149,10 @@ Description: package management related utility programs Package: apt-transport-https Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends} +Depends: ${misc:Depends}, ${shlibs:Depends}, apt (>= 1.5~alpha4~) Recommends: ca-certificates Priority: optional -Description: https download transport for APT +Description: Transitional package: curl-https download transport for APT This package enables the usage of 'deb https://foo distro main' lines in the /etc/apt/sources.list so that all package managers using the libapt-pkg library can access metadata and packages available in sources 
@@ -157,3 +160,7 @@ Description: https download transport for APT . This transport supports server as well as client authentication with certificates. + . + This package is no longer needed, https support was integrated into apt, + and is only provided as a fallback if some bugs are found in apt's native + https support. diff --git a/debian/rules b/debian/rules index ede9591d1..d4e9600a2 100755 --- a/debian/rules +++ b/debian/rules @@ -22,7 +22,7 @@ override_dh_install-indep: override_dh_install-arch: dh_install -papt-utils -X/dump - dh_install -papt -Xmethods/https + dh_install -papt -Xmethods/curl -Xmethods/curl+https -Xmethods/curl+http dh_install --remaining --list-missing install -m 644 debian/apt.conf.autoremove debian/apt/etc/apt/apt.conf.d/01autoremove install -m 755 debian/apt.auto-removal.sh debian/apt/etc/kernel/postinst.d/apt-auto-removal |