Age | Commit message (Collapse) | Author |
|
It is kinda unlikely that apt will ever encounter a certificate for an
IP and a user actually using it, but the API documentation for
gnutls_server_name_set explicitly says that "IPv4 or IPv6 addresses are
not permitted to be set by this function.", so we should follow it.
[jak@d.o: Slightly rebased]
|
|
This makes more sense. If the handshake failed midway, we still
should run the gnutls bye stuff. The thinking here is to only
set the fd after the session setup, as we do not modify it
before, so if it fails in session setup, you retain a usable
file descriptor.
Gbp-Dch: ignore
|
|
This probably makes more sense if Verify-Peer is set to off.
|
|
This should make it easier to figure out what was
going on.
|
|
- Use a tmpfs for /tmp - not really a benefit here,
except for travis as it's writing less now.
- Use the fastly CDN - about twice as fast as ftp.de,
and seems more stable than cloudfront
- Run apt-get clean to keep container smaller - should
not be needed really, but let's just do it.
Gbp-Dch: ignore
|
|
This caused spurious test failures.
|
|
APT considered any response with a Content-Length to have a
body, even if the value of the header was 0. A 0 length body
however, is equal to no body.
|
|
We can actually just pass null as a hostname, so let's just
do that when Verify-Host is set to false.
|
|
|
|
Gbp-Dch: ignore
|
|
This makes no sense. We need both entries in the cache, as
we check FORCE_CURL in the test suite.
Gbp-Dch: ignore
|
|
Silently ignoring the options might be a security issue,
so produce an error instead.
|
|
If gnutls_session_bye() exited with an error, we never closed
the underlying file descriptor, causing the method to think the
connection was still open. This caused problems especially in
test-partial-file-support where we checked that a "complete"
file and an incomplete file work. The first GET returns a 416
with Connection: close, and the next GET request then accidentally
reads the body of the 416 as the header for its own request.
|
|
The old curl based method is still available as 'curl',
'curl+http', and 'curl+https'.
|
|
This runs parallel builds on docker, based on debian:testing
docker images, with ccache enabled and parallel running of the
test suite (ccache supports coverage builds these days, and
parallel testing just needs unbuffer to handle the stty stuff)
This is a huge step up from building on a mix of trusty, wily,
and xenial. Most importantly, coverage now correctly detects
partial covered lines instead of just reporting almost all of
them as fully covered.
We use ftp.de.debian.org as deb.debian.org backed by Amazon
503s too often.
Gbp-Dch: ignore
|
|
This makes it possible to write sensible auto detect scripts.
|
|
HTTPS proxies just require unwrapping the TLS layer at the proxy
connection, that's easy, and of course sending proxy-specific
headers that are sent on "http" proxies.
|
|
Proxying HTTPS traffic requires the proxy providing the
CONNECT method. This implements the client side of it,
although it is a bit hacky.
HTTP connect is a normal HTTP CONNECT request, followed
by a normal HTTP response, just that the body of the
response is the TCP stream of the target host.
We use a special wrapper in case there are data bytes
in the header packets - in that case, the bytes are
stored in a buffer and the buffer will be drained first,
afterwards the connection continues directly with the
TCP stream (with one more vcall).
Also: Do not send full URI to https destinations when proxying,
as we are directly interfacing with the destination data stream.
|
|
This is especially needed if we use an HTTPS proxy to CONNECT
to an HTTPS URI, as we run TLS-inside-TLS then.
|
|
When APT was trying multiple addresses, any later error
somewhere else would be reported with ConnectionRefused
or ConnectionTimedOut as the FailReason because that
was set by early connect attempts. This causes APT to
handle the failures differently, leading to some weirdly
breaking test cases (like the changed one).
Add debugging to the previously failing test case so
we can find out when something goes wrong there again.
|
|
|
|
This fixes a regression from ~alpha2.
Closes: #866559
Gbp-Dch: Full
|
|
|
|
|
|
|
|
It turns out that curl only sets the system trust store if
the CaInfo option is not set, so let's do the same here.
|
|
stretch was the migration release for gpg->gpgv basically,
so let's demote it now.
|
|
The http method needs ca-certificates for TLS
support, so enable it.
|
|
Tell the user to install ca-certificates.
Closes: #866377
|
|
This typo exposes a bug in apt-listchanges that prevents commands like
`apt-listchanges --show-all apt_*.deb' from showing the changelog.
The bug will be fixed in next upload of apt-listchanges, but I think
it would be nice have the typo fixed as well.
Closes: 866358
|
|
An SRV record includes a portnumber to use with the host given, but apt
was ignoring the portnumber and instead used either the port given by
the user for the initial host or the default port for the service.
In practice the service usually runs on another host on the default
port, so it tends to work as intended and even if not and apt can't get
a connection there it will gracefully fallback to contacting the initial
host with the right port, so its a user invisible bug most of the time.
|
|
The apt-transport-tor package operates via simple symlinks which can
result in 'http' being called as 'tor+https', so it must pick up the
right configuration pieces and trigger https support also in plus names.
|
|
|
|
This should fix some issues with dpkg normalizing such
values. Suprisingly enough apt treats the Version: field
the same, even with epoch vs without, but not when searching,
and does not strip the 0: from the output.
|
|
|
|
If we have a user sitting around we can let 'apt' ask the user for a
confirmation rather than print errors at the end and require the user to
figure out which commandline flags are needed to confirm the changes
non-interactively.
|
|
Having messages being printed on the error stack and confirm them by
commandline flags is an okayish first step, but some frontends will
probably want to have a more interactive feeling here with a proper
question the user can just press yes/no for as for some frontends a
commandline flag makes no sense…
|
|
This gives the repository owner a chance to explain why this change was
needed – e.g. explaining the organisational changes or simply detailing
the changes in the new release made. Note that this URI is also shown
if the change is accepted, so it also draws attention to release notes
of minor updates (if users watch apt output closely).
|
|
The value of Origin, Label, Codename and co can be used in user
configuration from apts own pinning to unattended upgrades.
A repository changing this values can therefore have serious effects on
the behaviour of apt and other tools using these values.
In a first step we will generate error messages for these changes now
explaining the need for explicit confirmation and provide config options
and commandline flags to accept them.
|
|
The exception was made to give (script) users a one-release grace period
to adapt their setup to deal with apt enforcing signing of repositories.
As we are now at the start of a new release cycle its as good a time as
any to lift it now.
Removes-Exception: 952ee63b0af14a534c0aca00c11d1a99be6b22b2
|
|
|
|
The test keeps failing continously on Ubuntu, so let's
fix it for now.
|
|
As requested by Henrique de Moraes Holschuh, here comes
an option to disable TLS support. If the option is set
to false, the internal TLS layer is disabled.
|
|
Gbp-Dch: ignore
|
|
Gbp-Dch: ignore
|
|
GnuTLS can already have data pending in its buffers, we need
to to drain that first otherwise select() might block
indefinitely.
Gbp-Dch: ignore
|
|
This makes testing easier and prepares us for the
transition.
|
|
The http method will eventually replace the curl-based
https method, but for now, this is an opt-in experiment
that can be enabled by setting Dir::Bin::Methods::https
to "http".
Known issues:
- We do not support HTTPS proxies yet
- We do not support proxying HTTPS connections yet (CONNECT)
- IssuerCert and SslForceVersion are unsupported
Gbp-Dch: Full
|
|
Use std::unique_ptr<MethodFd> everywhere we used an
integer-based file descriptor before. This allows us
to implement stuff like TLS support easily.
Gbp-Dch: ignore
|
|
This will allow us to access ConfigFind() and stuff which makes
it possible for us to implement TLS support.
Gbp-Dch: ignore
|