summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-08-21Release 1.0.10.21.0.10.2Julian Andres Klode
2015-08-21Do not parse Status fields from remote sourcesJulian Andres Klode
This could allow an attacker to mark a package as installed in a remote package index, as long as the package was not listed in the dpkg status file. This way, an attacker could force the installation of a package during a dist-upgrade, by providing two packages in an index, an older marked as installed, and a newer - apt would "upgrade" to the newer version.
2015-08-03release 1.0.10.1 for gcc5 transition1.0.10.1David Kalnischkies
2015-08-03explicitly build-dep on g++ (>= 4:5.2) for gcc5 transitionDavid Kalnischkies
2015-08-03mark again deps of pkgs in APT::Never-MarkAuto-Sections as manualDavid Kalnischkies
In 50ef3344c3afaaf9943142906b2f976a0337d264 (and similar for other branches), while 'fixing' the edgecase of a package being in multiple sections (e.g. moved from libs to oldlibs in newer releases) I accidently broke the feature itself completely by operating on the package itself and no longer on its dependencies… The behaviour isn't ideal in multiple ways, which we are hopefully able to fix with new ideas as mentioned in the buglog, but until then the functionality of this "hack" should be restored. Reported-By: Raphaël Hertzog <hertzog@debian.org> Tested-By: Adam Conrad <adconrad@ubuntu.com> Closes: 793360 LP: 1479207 Thanks: Raphaël Hertzog and Adam Conrad for detailed reports and initial patches
2015-08-01hide first pdiff merge failure debug messageDavid Kalnischkies
The siblings of this message are all guarded as debug messages, just this one had it missing and subsequently causes display issues if triggered, which, given that clog is an alias for cerr, end up on stderr and therefore are reported as problems by tools only showing the stderr like our own cron script. [Backport of f4c7a238f4c29ac9b1e1172f103ab7dec5c5807d] Closes: 793444
2015-07-25release 1.0.10 for gcc5 transition1.0.10David Kalnischkies
2015-07-25update symbols file to use gcc5 abi manglingDavid Kalnischkies
Of course, the versions noted for the symbol are incorrect in sofar as there is no std::__cxx11::basic_string symbol in apt 0.8.0 – but there is also no libapt-pkg4.16 in that version. The version hence denotes the appearance of the function in the library, not of the mangled symbol so you can jugde by looking at the version if a backport would work out…
2015-07-25bump next-abi check above gcc5-abi bumpDavid Kalnischkies
Some of the 'simpler' abi changes are included in /sid already guarded behind #if's and now that we dumped the ABI fpr gcc5 they trigger. It would probably not hurt to have them trigger and it is an abi break anyway, but there isn't much point to it and it would be really annoying if one of them turns out to be a problem as these changes aren't as well tested as the 'old' abi. It is slightly incorrect to check for abi >= 17 as /experimental with this (and other changes) is abi = 15 currently, but writing the correct check would be just too insane for this dead ends branch. Final /experimental is probably better of increasing APT_PKG_MAJOR anyhow.
2015-07-25Italian manpage translation updateBeatrice Torracca
[ Commited in debian/experimental as 40bd06bdb5e6b90aa24762300567d0650dbda751 ] Closes: 776702
2015-07-25Italian program translation updateMilo Casagrande
[ Commited in debian/experimental as b55ec4203f7a99d380903911f8839aba2a65e27e ] Closes: 782122
2015-07-25Russian program translation updateYuri Kozlov
[ Commited in debian/experimental as 49ffc5949f18118f4f33e95604231bfe86b4f6fd ] Closes: 789709
2015-07-25fix apt-config test now that PATH changed in 8c617819David Kalnischkies
Which, in this cherrypick is actually 7491bed8. Git-Dch: Ignore
2015-07-25add BUILDDIRECTORY to PATH in the testsMichael Vogt
Git-Dch: Ignore
2015-07-25stop depending on copy-on-write for std::stringDavid Kalnischkies
In 66c3875df391b1120b43831efcbe88a78569fbfe we workaround/fixed a problem where the code makes the assumption that the compiler uses copy-on-write implementations for std::string. Turns out that for c++11 compatibility gcc >= 5 will stop doing this by default.
2015-07-25drop incorrect parameter implicitely converted to boolDavid Kalnischkies
The helper expects to be told if it should generate messages, not where these messages should be printed – as it isn't printing such messages, but puts them in _error. apt-get uses in other methods a helper specialisation which does also print stuff to a stream through, so this is likely a copy&paste error. Git-Dch: Ignore
2015-07-24Prepare new 1.0.10 release with gcc5 abi transitionMichael Vogt
2015-07-24updated for the gcc5 transitionMichael Vogt
2015-06-23Turkish translation update for aptMert Dirik
Closes: #789491 Conflicts: po/tr.po
2015-06-22po: Update Simplified Chinese programs translationZhou Mo
* fix a wrong translation. * update some translations.
2015-06-15po: update zh_CN translation slightlyZhou Mo
2015-05-25ExecFork: Use /proc/self/fd to determine which files to closeJulian Andres Klode
This significantly reduces the number of files that have to be closed and seems to be faster, despite the additional reads. On systems where /proc/self/fd is not available, we fallback to the old code that closes all file descriptors >= 3. Closes: #764204
2015-05-22Release 1.0.9.101.0.9.10Michael Vogt
2015-05-22Merge remote-tracking branch 'mvo/debian/sid' into debian/sidMichael Vogt
2015-05-22prepare release 1.0.9.10Michael Vogt
2015-05-22Update methods/https.cc now that ServerState::Size is renamedMichael Vogt
Git-Dch: ignore
2015-05-22Merge remote-tracking branch 'upstream/debian/jessie' into debian/sidMichael Vogt
Conflicts: apt-pkg/deb/dpkgpm.cc
2015-05-22parse arch-qualified Provides correctlyHelmut Grohne
The underlying problem is that libapt-pkg does not correctly parse these provides. Internally, it creates a version named "baz:i386" with architecture amd64. Of course, such a package name is invalid and thus this version is completely inaccessible. Thus, this bug should not cause apt to accept a broken situation as valid. Nevertheless, it prevents using architecture qualified depends. Closes: 777071
2015-05-22Add regression test for LP: #1445239Michael Vogt
Add a regression test that reproduced the hang of apt when a partial file is present. Git-Dch: ignore
2015-05-22Rename "Size" in ServerState to TotalFileSizeMichael Vogt
The variable "Size" was misleading and caused bug #1445239. To avoid similar issues in the future, rename it to make the meaning more obvious. git-dch: ignore
2015-05-22Fix endless loop in apt-get update that can cause disk fillupMichael Vogt
The apt http code parses Content-Length and Content-Range. For both requests the variable "Size" is used and the semantic for this Size is the total file size. However Content-Length is not the entire file size for partital file requests. For servers that send the Content-Range header first and then the Content-Length header this can lead to globbing of Size so that its less than the real file size. This may lead to a subsequent passing of a negative number into the CircleBuf which leads to a endless loop that writes data. Thanks to Anton Blanchard for the analysis and initial patch. LP: #1445239
2015-05-22Merge remote-tracking branch 'upstream/debian/sid' into debian/sidMichael Vogt
2015-04-28Move sysconf(_SC_OPEN_MAX); out of the for() loop to avoid unneeded syscallsMichael Vogt
2015-04-28releasing package apt version 1.0.9.91.0.9.9Michael Vogt
2015-04-22remove "first package seen is native package" assumptionDavid Kalnischkies
The fix for #777760 causes packages of foreign (and the native) architectures, to be created correctly, but invalidates (like the previously existing, but policy-forbidden architecture-less packages we had to support for some upgrade scenarios) the assumption that the first (and only) package in the cache for a single architecture system must be the package for the native architecture (as, where should the other architectures come from, right? Wrong.). Depending on the order of parsing sources more or less packages can be effected by this. The effects are strange (for apt it mostly effects simulation/debug output, but also apt-mark on these specific packages), which complicates debugging, but relatively harmless if understood as most actions do not need direct named access to packages. The problem is fixed by removing the single-arch special casing in the paths who had them (Cache.FindPkg), so they use the same code as multi-arch systems, which use them as a wrapper for Grp.FindPkg. Note that single-arch system code was using Grp.FindPkg before as well if a Grp structure was handily available, so we don't introduce new untested code here: We remove more brittle special cases which are less tested instead (this was planed to be done for Stretch anyhow). Note further that the method with the assumption itself isn't fixed. As it is a private method I opted for declaring it deprecated instead and remove all its call positions. As it is private no-one can call this method legally (thanks to how c++ works by default its still an exported symbol through) and fixing it basically means reimplementing code we already have in Grp.FindPkg. Removing rather than fixing seems hence like a good solution. Closes: 782777 Thanks: Axel Beckert for testing
2015-04-13Revert "HttpsMethod::Fetch(): Zero the FetchResult object when leaving due ↵Michael Vogt
to 404" This reverts commit 1296bc7c466181a7978c313c40a041b34ce3eaeb.
2015-04-13release 1.0.9.8David Kalnischkies
2015-04-12parse specific-arch dependencies correctly on single-arch systemsDavid Kalnischkies
On single-arch the parsing was creating groupnames like 'apt:amd64' even through it should be 'apt' and a package in it belonging to architecture amd64. The result for foreign architectures was as expected: The dependency isn't satisfiable, but for native architecture it means the wrong package (ala apt:amd64:amd64) is linked so this is also not satisfiable, which is very much not expected. No longer excluding single-arch from this codepath allows the generation of the correct links, which still link to non-exisiting packages for foreign dependencies, but natives link to the expected native package just as if no architecture was given. For negative arch-specific dependencies ala Conflicts this matter was worse as apt will believe there isn't a Conflict to resolve, tricking it into calculating a solution dpkg will refuse. Architecture specific positive dependencies are rare in jessie – the only one in amd64 main is foreign –, negative dependencies do not even exist. Neither class has a native specimen, so no package in jessie is effected by this bug, but it might be interesting for stretch upgrades. This also means the regression potential is very low. Closes: 777760
2015-04-07keyids in "apt-key del" should be case-insensitiveDavid Kalnischkies
gnupg is case-insensitive about keyids, so back then apt-key called it directly any keyid was accepted, but now that we work more with the keyid ourself we regressed to require uppercase keyids by accident. This is also inconsistent with other apt-key commands which still use gnupg directly. A single case-insensitive grep and we are fine again. Closes: 781696
2015-04-07demote VectorizeString gcc attribute from const to pureDavid Kalnischkies
g++-5 generates a slightly broken libapt which doesn't split architecture configurations correctly resulting in e.g. Packages files requested for the bogus architecture 'amd64,i386' instead of for amd64 and i386. The reason is an incorrectly applied attribute marking the function as const, while functions with pointer arguments are not allowed to be declared as such (note that char& is a char* in disguise). Demoting the attribute to pure fixes this issue – better would be dropping the & from char but that is an API change… Neither earlier g++ versions nor clang use this attribute to generate broken code, so we don't need a rebuild of dependencies or anything and g++-5 isn't even included in jessie, but the effect is so strange and apt popular enough to consider avoiding this problem anyhow.
2015-04-07fix crash in order writing in pkgDPkgPM::WriteApportReport()Michael Vogt
libapt can be configured to write various bits of information to a file creating a report via apport. This is disabled by default in Debian and apport residing only in /experimental so far, but Ubuntu and other derivatives have this (in some versions) enabled by default and there is no regression potentially here. The crash is caused by a mismatch of operations vs. strings for operations, so adding the missing strings for these operations solves the problem. [commit message by David Kalnischkies] LP: #1436626
2015-04-07avoid depends on std::string implementation for pkgAcquire::Item::ModeDavid Kalnischkies
In /experimental this is resolved by deprecating Mode and moving to a new std::string, but that breaks ABI of course, so that was out of question. We can't change to a malloc/free style c-string either as Mode is public and hence a library user could be setting this as well. std::string implementors actually helped us out here with copy-on-write which means that while the variable "obviously" runs out of scope here, in reality you get the correct result as the string we work with here comes from the configuration in which it is still valid. Such a dependency on magic is bad of course, but its still interesting that only python3 seems to have an issue with it… With some silly explicit if-else assigning we can sidestep this issue while retaining the same output for 99.99% of all users (= noone actually configures additional compression algorithms which are also provided by repositories…), but even for these 0.01% its just a small change in the display as Mode can not be used for anything else. Example: apt/aptitude uses it in its 'update' implementations in the one-line progress at the bottom for specific items. Closes: 781858
2015-04-07properly handle expected filesize in httpsDavid Kalnischkies
The worker expects that the methods tell him when they start or finish downloading a file. Various information pieces are passed along in this report including the (expected) filesize. https is using a "global" struct for reporting which made it 'reuse' incorrect values in some cases like a non-existent InRelease fallbacking to Release{,.gpg} resulting in an incorrect size-mismatch warning scaring and desensitizing users as well as being subject to a race between the write_data and progress callbacks generating incorrect progress reporting and potentially the same error message. Other branches as well as the bugreports contain 'better' fixes making the struct local and other sensible changes, but are larger as a result, so in this version we opted for short diff with minimal effect above else instead. Closes: 777565, 781509 Thanks: Robert Edmonds and Anders Kaseorg for initial patchs
2015-04-07fix another d(e)select-upgrade typoDavid Kalnischkies
You would think one instance of this is enough, but 80e8d923ebc8d5f3f84eb3f922b28ca309c25026 wasn't as globally applied as the commit message suggested… LP: #1399037
2015-04-07HttpsMethod::Fetch(): Zero the FetchResult object when leaving due to 404Robert Edmonds
2015-04-07Fix crash in pkgDPkgPM::WriteApportReport(() (LP: #1436626)Michael Vogt
2015-03-20test/integration/test-apt-download-progress: fix test failure on fast hardwareMichael Vogt
2015-02-23releasing package apt version 1.0.9.71.0.9.7Michael Vogt
2015-02-23Fix crash in the apt-transport-https when Owner is NULLTomasz Buchert
Do not crash in ServerState::HeaderLine if there is no Owner. Closes: #778375
2015-01-16releasing package apt version 1.0.9.6Michael Vogt