summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-11-12Do not attempt seccomp under qemu-user and drop EFAULT workaroundJulian Andres Klode
qemu-user passes prctl()-based seccomp through to the kernel, umodified. That's bad, as it blocks the wrong syscalls. We ignored EFAULT which fixed the problem for targets with different pointer sizes from the host, but was a bad hack. In order to identify qemu we can rely on the fact that qemu-user prints its version and exits with 0 if QEMU_VERSION is set to an unsupported value. If we run a command that should fail in such an environment, and it exits with 0, then we are running in qemu-user. apt-helper is an obvious command to run. The tests ensure it exits with 1, and it only prints usage information. We also could not use /bin/false because apt might just as well be from a foreign arch while /bin/false is not. Closes: #881519
2017-11-05[amend] Use a versioned breaks for a-t-https in apt1.6_alpha4Julian Andres Klode
We need to use a versioned breaks again, otherwise the transitional package would not be installable. Gbp-Dch: ignore
2017-11-05Release 1.6~alpha4Julian Andres Klode
2017-11-05Add ${misc:Depends} to apt-transport-https dependsJulian Andres Klode
Makes lintian happy, but is basically useless Gbp-Dch: ignore
2017-11-05Re-introduce a transitional apt-transport-httpsJulian Andres Klode
This fixes issues with debootstrap. The package will disappear after the release of buster.
2017-10-29debian: Bump Standards-Version to 4.1.1Julian Andres Klode
No further changes required.
2017-10-29debian: Set Rules-Requires-Root: noJulian Andres Klode
We don't need fakeroot for building!
2017-10-28Release 1.6~alpha31.6_alpha3Julian Andres Klode
2017-10-28use store: instead of gzip: to open local changelogsDavid Kalnischkies
Regression-Of: cc1f94c95373670fdfdb8e2d6cf9125181f7df0c
2017-10-28Also use FindULL for checking if the size tags is validJulian Andres Klode
It used FindI() > 0, but if it is too big, FindI() would cause an error "Cannot convert %s to integer: out of range", so let's also use FindULL() here. Gbp-Dch: ignore
2017-10-28Prevent overflow in Installed-Size (and Size) in apt showJulian Andres Klode
Installed-Size for linux-image-4.13.0-1-amd64-dbg and friends are larger than 4 GB, but read as a signed integer - that's fine so far, as the value is in KB, but it's multiplied with 1024 which overflows. So let's read it as unsigned long long instead. While we're at it, also use unsigned long long for Size, in case that is bigger than 2 GB.
2017-10-27seccomp: Allow clock_nanosleep() and nanosleep() syscallsJulian Andres Klode
We sleep in http.cc, so we should allow the sleeping syscalls.
2017-10-26Drop unused gzip, lzma, bzip2, and xz symlinks of storeJulian Andres Klode
The store method replaced them all, the symlinks where mostly for partial upgrades or whatever, they should not be needed any longer.
2017-10-26seccomp: Allow ipc() for fakeroot, and allow sysinfo() for sortJulian Andres Klode
Sorting apparently calls sysconf() which calls sysinfo() to get free pages or whatever. Closes: #879814, #879826
2017-10-26debian/tests/control: Add dpkg so we get triggered by itJulian Andres Klode
We do want to get our autopkgtests triggered by dpkg uploads in Ubuntu, but this does not happen because we don't have an explicit dependency on it. Add one.
2017-10-26Release 1.6~alpha21.6_alpha2Julian Andres Klode
2017-10-26CMake: Get rid of some debugging messagesJulian Andres Klode
This fixes a regression introduced in commit 43b9eb5bac15666fdc0346aca7031fab0fa5e064 CMake: methods: Cleanup link libraries, use OBJECT libraries Gbp-Dch: ignore
2017-10-26Print syscall number and arch to stderr when trapped by seccompJulian Andres Klode
This should help debugging crashes. The signal handler is a C++11 lambda, yay! Special care has been taken to only use signal handler -safe functions inside there.
2017-10-25Only warn about seccomp() EINVAL (normal) and EFAULT (qemu) errorsJulian Andres Klode
If seccomp is disabled, we fallback to running without it. Qemu fails in the seccomp() call, returning ENOSYS and libseccomp falls back to prctl() without adjusting the pointer, causing the EFAULT. I hope qemu gets fixed at some point to return EINVAL for seccomp via prctl. Bug-Qemu: https://bugs.launchpad.net/qemu/+bug/1726394
2017-10-25Don't segfault if receiving a method warning on empty queueJulian Andres Klode
We would like to issue a warning about seccomp support in Configuration(), but since the queue is empty, there is no current item to show the URL for and we get a segfault. Show the protocol instead.
2017-10-25methods: Enable additional syscalls (SYSV IPC) in fakerootJulian Andres Klode
If FAKED_MODE is set, enable SYSV IPC so we don't crash when running in fakeroot. Closes: #879662
2017-10-23CMake: methods: Cleanup link libraries, use OBJECT librariesJulian Andres Klode
Use OBJECT libraries for http and connect stuff, and move the seccomp link expression into a global link_libraries() call. This also fixes a bug where only the http target pulled in the gnutls header arguments despite gnutls being used in connect.cc, and thus by mirror and ftp as well. Adjust translation support to ignore TARGET_OBJECTS sources and add the OBJECT libraries to the translated files.
2017-10-23seccomp: Conditionalize statx() whitelistingJulian Andres Klode
statx was introduced in 4.11, so it fails to build in stretch if we just unconditionally use it.
2017-10-23Release 1.6~alpha11.6_alpha1Julian Andres Klode
2017-10-23seccomp: Add missing syscalls for ppc64el, i386, and othersJulian Andres Klode
These are a few overlooked syscalls. Also add readv(), writev(), renameat2(), and statx() in case libc uses them. Gbp-Dch: ignore
2017-10-22Sandbox methods with seccomp-BPF; except cdrom, gpgv, rshJulian Andres Klode
This reduces the number of syscalls to about 140 from about 350 or so, significantly reducing security risks. Also change prepare-release to ignore the architecture lists in the build dependencies when generating the build-depends package for travis. We might want to clean up things a bit more and/or move it somewhere else.
2017-10-22methods/basehttp.cc: Remove proxy autodetect debugging codeJulian Andres Klode
This was a left over from the autodetect move. Gbp-Dch: ignore
2017-10-22methods/mirror: Enable sandboxing and other aptMethod featuresJulian Andres Klode
Sandboxing was turned off because we called pkgAcqMethod's Configuration() instead of aptMethod's.
2017-10-22Run the ProxyAutoDetect script in the sandbox againJulian Andres Klode
The previous change moved running the proxy detection program from the method to the main process, so it runs as root and not as _apt. This brings it back into the sandbox. Gbp-Dch: ignore
2017-10-22Run Proxy-Auto-Detect script from main processJulian Andres Klode
This avoids running the Proxy-Auto-Detect script inside the untrusted (well, less trusted for now) sandbox. This will allow us to restrict the http method from fork()ing or exec()ing via seccomp.
2017-10-20Fix testsuite for and add new fields from dpkg 1.19Julian Andres Klode
tagfile-order.c: Add missing fields from dpkg 1.19 For binary packages, this is Build-Essential; for source packages, it is Description. test-bug-718329-...: Ignore control.tar.*, changes in dpkg 1.19 test-apt-extracttemplates: Fix for dpkg 1.19
2017-10-20Dutch program translation updateFrans Spiesschaert
Closes: #879137
2017-10-08zh_CN.po: Update Simplified Chinese programs translationMo Zhou
2017-10-05avoid using NULL in varadic function for cmdline parsingDavid Kalnischkies
cppcheck reports: (portability) Passing NULL after the last typed argument to a variadic function leads to undefined behaviour. We don't ship on any platform which has this as undefined behaviour through – or it would be pretty well defined "bad" behaviour which always works, so even through UB is a trigger word, its hardly noteworthy as a change (and as a bonus the scanners of gcc/clang don't consider it UB). The commonly accepted method of fixing that seems to be (const char*)NULL, but it is in fact much simpler to just switch to the varadic functions C++ provides resolving the warning and reducing code. Reported-By: cppcheck Gbp-Dch: Ignore
2017-10-05remove pointless va_copy to avoid cleanup danceDavid Kalnischkies
A va_copy call needs to be closed in all branches with va_end, so these functions would need to be reworked slightly, but we don't actually need to copy the va_list as we don't work on it, we just push it forward, so dropping the copy and everyone is happy. Reported-By: cppcheck Gbp-Dch: Ignore
2017-10-05ignore unsupported key formats in apt-keyDavid Kalnischkies
gpg2 generates keyboxes by default and users end up putting either those or armored files into the trusted.gpg.d directory which apt tools neither expect nor can really work with without fortifying backward compatibility (at least under the ".gpg" extension). A (short) discussion about how to deal with keyboxes happened in https://lists.debian.org/deity/2017/07/msg00083.html As the last message in that thread is this changeset lets go ahead with it and see how it turns out. The idea is here simply that we check the first octal of a gpg file to have one of three accepted values. Testing on my machines has always produced just one of these, but running into those values on invalid files is reasonabily unlikely to not worry too much. Closes: #876508
2017-10-05send the hashes for alternative file correctlyDavid Kalnischkies
This isn't really used by the acquire system at all at the moment and the only method potentially sending this information is file://, but that used to be working correctly before broken in 2013, so better fix it now and worry about maybe using the data some day later. Regression-Of: b3501edb7091ca3aa6c2d6d96dc667b8161dd2b9
2017-09-26use pkgTagSection::Key in srcRecords parserDavid Kalnischkies
Using hardcoded array-indexes in the build-dependency parsing is efficient, but less discoverable and easier to break. We can avoid this by making it even more efficient (not that it would be noticeable) allowing us to do explicitly named comparisons instead. Gbp-Dch: Ignore
2017-09-26allow empty build-dependency fields in the parserDavid Kalnischkies
APT used to parse only wellformed files produced by repository creation tools which removed empty files as pointless before apt would see them. Now that apt can be told to parse e.g. debian/control files directly, it needs to be a little more accepting through: We had this with comments already, now let it deal with the far more trivial empty fields. Closes: #875363
2017-09-26proper error reporting for v3 onion servicesDavid Kalnischkies
APT connects just fine to any .onion address given, only if the connect fails somehow it will perform checks on the sanity of which in this case is checking the length as they are well defined and as the strings are arbitrary a user typing them easily mistypes which apt should can be slightly more helpful in figuring out by saying the onion hasn't the required length.
2017-09-24Drop curl method and apt-transport-https packageJulian Andres Klode
This automatically removes any old apt-transport-https, as apt now Breaks it unversioned.
2017-09-24Drop obsolute Testsuite: autopkgtest headerJulian Andres Klode
2017-09-24Drop obsolete dh-systemd build-depJulian Andres Klode
2017-09-24Bump Standards-Version to 4.1.0Julian Andres Klode
2017-09-24Release 1.51.5Julian Andres Klode
2017-09-13Fix translator comment location for legacy target warningJulian Andres Klode
In commit Do not warn about duplicate "legacy" targets, we we added an if, that changed the .po files...
2017-09-13Release 1.5~rc41.5_rc4Julian Andres Klode
2017-09-11apt-daily: Do not Wants=network-online, and add some more After=Julian Andres Klode
We now wait for being online ourselves, so all we need to wait on is for services we are using to be online first. This avoids severe boot slowdowns by other services having specified an After=network-online.target without a Wants=. Gbp-Dch: Full
2017-09-10Release 1.5~rc31.5_rc3Julian Andres Klode
2017-09-10clang-format: Set ContinuationIndentWidth: 3Julian Andres Klode
This fixes the indentation of struct members, for example, which were previously indented by 4 spaces. Gbp-Dch: ignore