summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-03-13Fix debian/NEWS entry for 1.6~beta1Julian Andres Klode
2018-02-26Release 1.6~beta11.6_beta1Julian Andres Klode
2018-02-23apt.conf.autoremove: Add linux-cloud-tools to listJulian Andres Klode
LP: #1698159
2018-02-19Merge branch 'pu/not-valid-before' into 'master'Julian Andres Klode
Check that Date of Release file is not in the future See merge request apt-team/apt!3
2018-02-19Check that Date of Release file is not in the futureJulian Andres Klode
By restricting the Date field to be in the past, an attacker cannot just create a repository from the future that would be accepted as a valid update for a repository. This check can be disabled by Acquire::Check-Date set to false. This will also disable Check-Valid-Until and any future date related checking, if any - the option means: "my computers date cannot be trusted." Modify the tests to allow repositories to be up to 10 hours in the future, so we can keep using hours there to simulate time changes.
2018-02-19tests: install aptitude for test-method-mirrorDavid Kalnischkies
This is an optional dependency for the test, but the skipping of the test is very noisy and checking that an unchanged aptitude isn't downright exploding with our libapt isn't a bad idea either. Gbp-Dch: Ignore
2018-02-19German manpage translation updateChris Leick
2018-02-19ensure correct file permissions for auxfilesDavid Kalnischkies
The interesting takeaway here is perhaps that 'chmod +w' is effected by the umask – obvious in hindsight of course. The usual setup helps with hiding that applying that recursively on all directories (and files) isn't correct. Ensuring files will not be stored with the wrong permissions even if in strange umask contexts is trivial in comparison. Fixing the test also highlighted that it wasn't bulletproof as apt will automatically fix the permissions of the directories it works with, so for this test we actually need to introduce a shortcut in the code. Reported-By: Ubuntu autopkgtest CI
2018-02-19tests: set debhelper compat 10 and R³ by defaultDavid Kalnischkies
The testpackages hardly need debhelper at all, so any version would do, and they build without root rights by definition, but declaring it explicitly can't hurt and in the case of debhelper it would be sad if our testcases break one day because the old compat level is removed. Gbp-Dch: Ignore
2018-02-19restore gcc visibility=hidden for apt-privateDavid Kalnischkies
This setting was lost in the transition to cmake. The private library has no public users and hence the default visibility of symbols changed early to hidden – something which should eventually be done for the public libraries as well, but one step at the time.
2018-02-19use a more standard approach to disable security for cdrom methodDavid Kalnischkies
It is sad that we can't wrap the cdrom method tighter at the moment, but due to its ability to mount drives into arbitrary places via an external suid binary we can't really do a lot better at the moment. What we can do is set the options in the configuration space through as it is standard in the other methods instead of doing it in main() which is assumed to be more boilerplatey than actually doing something. Gbp-Dch: Ignore
2018-02-19add apt-helper drop-privs command…David Kalnischkies
2018-02-19Work around test-method-mirror failure by setting umask at startJulian Andres Klode
This fixes a test failure on autopkgtest.
2018-02-19indexcopy: Copy uncompressed indices from cdrom againJulian Andres Klode
This was broken by a refactoring in 1adcf56bec7d2127d83aa423916639740fe8e586 which iterated over getCompressorExtensions() instead of the compressors and using their extension field. getCompressorExtensions() does not contain the empty extension for uncompressed files, though, and hence this was broken. LP: #1746807
2018-01-19allow the apt/lists/auxfiles/ directory to be missingDavid Kalnischkies
apt 1.6~alpha6 introduced aux requests to revamp the implementation of a-t-mirror. This already included the potential of running as non-root, but the detection wasn't complete resulting in errors or could produce spurious warnings along the way if the directory didn't exist yet. References: ef9677831f62a1554a888ebc7b162517d7881116 Closes: 887624
2018-01-18Release 1.6~alpha71.6_alpha7Julian Andres Klode
2018-01-18Point people to salsa.d.o instead of anonscm.d.o for gitJulian Andres Klode
2018-01-18French program translation updateJulien Patriarca
Closes: 887017
2018-01-18German program translation updateHolger Wansing
Closes: 886429
2018-01-18review and fix the three new apt-transport- manpagesJustin B Rye
References: https://lists.debian.org/debian-l10n-english/2018/01/msg00002.html
2018-01-18Merge branch 'inrelease-path' into 'master'Julian Andres Klode
Introduce inrelease-path option for sources.list See merge request apt-team/apt!2
2018-01-18Drop obsolete Suggests on python-aptJulian Andres Klode
This has not been used for a while. It was added for apt-mark in 7b4159cf2a4b7de10622c7e4e29247067358a3ab, but apt-mark has been rewritten in C++ quite some time ago. Closes: #887607
2018-01-17Introduce inrelease-path option for sources.listJulian Andres Klode
Allow specifying an alternative path to the InRelease file, so you can have multiple versions of a repository, for example. Enabling this option disables fallback to Release and Release.gpg, so setting it to InRelease can be used to ensure that only that will be tried. We add two test cases: One for checking that it works, and another for checking that the fallback does not happen. Closes: #886745
2018-01-10apt-compat.cron.daily: Correctly handle undetermined power statusJulian Andres Klode
If on_ac_power exits with 255 the script would fail at this point because set -e was set, but it should continue, as 255 means the power status could not be determined. LP: #1742378
2018-01-05dpkg status parsing: check if name is valid before useDavid Kalnischkies
The summary line sounds a bit much: what we end up doing is just adding two more guards before using results which should always be valid™. That these values aren't valid is likely a bug in itself somewhere, but that is no reason for crashing.
2018-01-04Turkish program translation updateMert Dirik
Closes: 886250
2018-01-04simplify translating "lists directory missing" msgDavid Kalnischkies
The appended "partial" should not be translated, but some translations got this wrong and now that there is also "auxfiles" we can just fix that problem by hiding these untranslatables from the translators. Gbp-Dch: Ignore
2018-01-03Release 1.6~alpha61.6_alpha6Julian Andres Klode
2018-01-03Merge branch 'feature/amtshilfe' into 'master'Julian Klode
reimplement mirror method See merge request apt-team/apt!1
2018-01-03add apt-transport-mirror manpageDavid Kalnischkies
The mirror method is undocumented since 0.7.24, now with the reimplementation it is high time to get something written about it.
2018-01-03add a testcase for the mirror methodDavid Kalnischkies
Gbp-Dch: Ignore
2018-01-03non-local mirrorlists shouldn't redirect to localDavid Kalnischkies
A mirror list we get from an non-local source like http shouldn't be able to include e.g. file sources and even with other online sources we need to be careful: They also shouldn't include prefixed methods like 'tor+http'. So apply magic based on how the method is called: mirror+file will be allowed to redirect to any source while tor+mirror+file allows all, but sends them to their tor+ variant.
2018-01-03add tag-based control over mirror choices from the listDavid Kalnischkies
The old implementation used to construct a query string including the release(s) the mirrorlist should be for, but that is hard to deal with as this rules out that partial mirrors are included in the list and it turns out that nobody ended up implementing it on the server side. Controlling this on the client side allows partial mirrors to be included and as a bonus prevents that we tell the mirrorlist server (this rather generic) user information.
2018-01-03require methods to request AuxRequest capability at startupDavid Kalnischkies
Allowing a method to request work from other methods is a powerful capability which could be misused or exploited, so to slightly limited the surface let method opt-in into this capability on startup.
2018-01-03reimplement and simplify mirror:// methodDavid Kalnischkies
Embedding an entire acquire stack and HTTP logic in the mirror method made it rather heavy weight and fragile. This reimplement goes the other way by doing only the bare minimum in the method itself and instead redirect the actual download of files to their proper methods. The reimplementation drops the (in the real world) unused query-string feature as it isn't really implementable in the new architecture.
2018-01-03allow a method to request auxiliary filesDavid Kalnischkies
If a method needs a file to operate like e.g. mirror needs to get a list of mirrors before it can redirect the the actual requests to them. That could easily be solved by moving the logic into libapt directly, but by allowing a method to request other methods to do something we can keep this logic contained in the method and allow e.g. also methods which perform binary patching or similar things. Previously they would need to implement their own acquire system inside the existing one which in all likelyhood will not support the same features and methods nor operate with similar security compared to what we have already running 'above' the requesting method. That said, to avoid methods producing conflicts with "proper" files we are downloading a new directory is introduced to keep the auxiliary files in. [The message magic number 351 is a tribute to the german Grundgesetz article 35 paragraph 1 which defines that all authorities of the state(s) help each other on request.]
2018-01-03refactor message generation for methodsDavid Kalnischkies
The format isn't too hard to get right, but it gets funny with multiline fields (which we don't really have yet) and its just easier to deal with it once and for all which can be reused for more messages later.
2018-01-03document https options in new apt-transport-https manpageDavid Kalnischkies
Same reasoning as with the previous commit for http with the added benefit of moving the hard to discover and untranslated example config into a manpage which could be translated.
2018-01-03document http options in new apt-transport-http manpageDavid Kalnischkies
We had documentation for the http transport in our "catch-all" apt.conf manpage, but it seems benefitial to document transports in their own manpage instead of pushing them all into one.
2018-01-03Correctly report transient errors againJulian Andres Klode
Commit 47c0bdc310c8cd62374ca6e6bb456dd183bdfc07 ("report transient errors as transient error") accidentally changed some connection failures to become non-transient, because the result of the error checks where being ignored and then fatal error was returned if an error was pending - even if that error was trivial. After the merge of pu/happy-eyeballs2a this becomes a lot clearer, and easy to fix. Gbp-Dch: ignore Regression-Of: 47c0bdc310c8cd62374ca6e6bb456dd183bdfc07
2018-01-03Merge branch 'pu/happy-eyeballs2a'Julian Andres Klode
Happy Eyeballs are coming, yay!
2018-01-03Add rapid "happy eyeballs" connection fallback (RFC 8305)Julian Andres Klode
Try establishing connections in alternating address families in rapid intervals of 250 ms, adding more connections to the wait list until one succeeds (RFC 8305, happy eyeballs 2). It is important that WaitAndCheckErrors() waits until it has a successful connection, a time out, or all connections failed - otherwise the timing between tries might be wrong, and the final long wait might exit early because one connection failed without trying the others. Timing wise, this only works correctly on Linux, as select() counts down there. But we rely on that in some other places too, so this is not the time to fix that. Timeouts are only reported in the final long wait - the short inner waits are expected to time out more often, and multiple times, we do not want to report them. Closes: #668948 LP: #1308200 Gbp-Dch: paragraph
2018-01-03connect: Extract Connection::CheckError() methodJulian Andres Klode
Extracting the error checking method allows us to reuse it in different places, so we can move the waiting and checking out of DoConnect() eventually. Gbp-Dch: ignore
2018-01-03connect: Store the IP used when picking a connectionJulian Andres Klode
There's no real point in storing the IP address while resolving it - failure messages include the IP address in any case. Do this when picking the connection for actual use instead.
2018-01-03connect: Extract a Connection structJulian Andres Klode
This struct holds information about a connection attempt, like the addrinfo, the resolved address, the fd for the connection, and so on. Gbp-Dch: ignore
2018-01-03connect: Alternate address families for addressesJulian Andres Klode
As a first step to implementing Happy Eyeballs version 2, we need to order the list of hosts getaddrinfo() gave us so it alternates between preferred and other address families. RFC: https://tools.ietf.org/html/rfc8305 Gbp-Dch: ignore
2018-01-02Support cleartext signed InRelease files with CRLF line endingsDavid Kalnischkies
Commit 89c4c588b275 ("fix from David Kalnischkies for the InRelease gpg verification code (LP: #784473)") amended verification of cleartext signatures by a check whether the file to be verified actually starts with "-----BEGIN PGP SIGNATURE-----\n". However cleartext signed InRelease files have been found in the wild which use \r\n as line ending for this armor header line, presumably generated by a Windows PGP client. Such files are incorrectly deemed unsigned and result in the following (misleading) error: Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) RFC 4880 specifies in 6.2 Forming ASCII Armor: That is to say, there is always a line ending preceding the starting five dashes, and following the ending five dashes. The header lines, therefore, MUST start at the beginning of a line, and MUST NOT have text other than whitespace following them on the same line. RFC 4880 does not seem to specify whether LF or CRLF is used as line ending for armor headers, but CR is generally considered whitespace (e.g. "man perlrecharclass"), hence using CRLF is legal even under the assumption that LF must be used. SplitClearSignedFile() is stripping whitespace (including CR) on lineend already before matching the string, so StartsWithGPGClearTextSignature() is adapted to use the same ignoring. As the earlier method is responsible for what apt will end up actually parsing nowadays as signed/unsigned this change has no implications for security. Thanks: Lukas Wunner for detailed report & initial patch! References: 89c4c588b275d098af33f36eeddea6fd75068342 Closes: 884922
2018-01-02apt.daily: fix several "shellcheck" annotationsChristian Göttsche
Various corrections, mostly quoting, which shouldn't be a problem for us as we tend to act in "sane" environments, but just to be sure. [commit message written by committer] References: Debian bugreport #849636
2018-01-02apt.daily: remove unused dbus signal for apt updateDavid Kalnischkies
The signal was introduced with the introduction of the script itself, but seems to have never got any user as all references to it I can find are references to other code appearing in the cronjob. It is also the wrong place nowadays as the cronjob is just one place an update can be triggered by, so if notifications about an update being run are desired it is better to use a hook which will be called by all update calls (script, cron, user, …). Removing this code solves also the problem of improving the check to avoid running into problems with security systems like SELinux. References: 0c1326826fd23ce859db8e923c37b7199c6da2c8 Closes: 849636
2018-01-01Italian program translation updateMilo Casagrande
Closes: 882850