summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-12-13if insecure repo is allowed continue on all http errorsDavid Kalnischkies
If a InRelease file fails to download with a non-404 error we assumed there is some general problem with repository like a webportal or your are blocked from access (wrong auth, Tor, …). Turns out some server like S3 return 403 if a file doesn't exist. Allowing this in general seems like a step backwards as 403 is a reasonable response if auth failed, so failing here seems better than letting those users run into problems. What we can do is show our insecure warnings through and allow the failures for insecure repos: If the repo is signed it is easy to add an InRelease file and if not you are setup for trouble anyhow. References: cbbf185c3c55effe47f218a07e7b1f324973a8a6
2017-11-22tests: Improve handling profiling messages on CIJulian Andres Klode
We did not strip away profiling messages when we were diffing from stdin (-). Just always write temporary files and strip from them. We also had a problem when stripping ...profiling: from a line and the next line starts with profiling. Split the sed into two calls so we first remove complete profiling: lines before fixing the ...profiling: cases.
2017-11-20Translate shared documentation parts againJulian Andres Klode
We accidentally did not translate the entity file, but should have. This makes apt.ent translatable again. This generates the target multiple times, but surprisingly, that works just fine, so let's just keep it that way, as it's clean code otherwise.
2017-11-20allow apt_auth.conf(5) to be translatedDavid Kalnischkies
Adding manpages is really hard it seems. References: ea408c560ed85bb4ef7cf8f72f8463653501332c, ea7581c9aaaaebf844d00935a1cdf8c8fee7f7f3, 90bfc5b057d3f9136ffe34089b6e56d59593797c
2017-11-19support COLUMNS environment variable in apt toolsDavid Kalnischkies
apt usually gets the width of the window from the terminal or failing that has a default value, but especially for testing it can be handy to control the size as you can't be sure that variable sized content will always be linebreaked as expected in the testcases.
2017-11-19allow multivalue fields in deb822 sources to be foldedDavid Kalnischkies
The documentation said "spaces", but there is no real reason to be so strict and only allow spaces to separate values as that only leads to very long lines if e.g. multiple URIs are specified which are again hard to deal with from a user PoV which the deb822 format is supposed to avoid. It also deals with multiple consecutive spaces and strange things like tabs users will surely end up using in the real world. The old behviour on encountering folded lines is the generation of URIs which end up containing all these whitespace characters which tends to mess really bad with output and further processing. Closes: 881875
2017-11-19Run wrap-and-sortJulian Andres Klode
Clean up the control file a bit.
2017-11-19Also look at https_proxy for https URLsJulian Andres Klode
We accidentally regressed here in 1.5 when replacing the https method.
2017-11-16Add Breaks: aptitude (<< 0.8.10) for gzip method removalJulian Andres Klode
aptitude used to use gzip:// for changelog URLs, but is now fixed to use store.
2017-11-12Release 1.6~alpha51.6_alpha5Julian Andres Klode
2017-11-12Dutch manpage translation updateFrans Spiesschaert
Closes: #881402
2017-11-12Do not attempt seccomp under qemu-user and drop EFAULT workaroundJulian Andres Klode
qemu-user passes prctl()-based seccomp through to the kernel, umodified. That's bad, as it blocks the wrong syscalls. We ignored EFAULT which fixed the problem for targets with different pointer sizes from the host, but was a bad hack. In order to identify qemu we can rely on the fact that qemu-user prints its version and exits with 0 if QEMU_VERSION is set to an unsupported value. If we run a command that should fail in such an environment, and it exits with 0, then we are running in qemu-user. apt-helper is an obvious command to run. The tests ensure it exits with 1, and it only prints usage information. We also could not use /bin/false because apt might just as well be from a foreign arch while /bin/false is not. Closes: #881519
2017-11-05[amend] Use a versioned breaks for a-t-https in apt1.6_alpha4Julian Andres Klode
We need to use a versioned breaks again, otherwise the transitional package would not be installable. Gbp-Dch: ignore
2017-11-05Release 1.6~alpha4Julian Andres Klode
2017-11-05Add ${misc:Depends} to apt-transport-https dependsJulian Andres Klode
Makes lintian happy, but is basically useless Gbp-Dch: ignore
2017-11-05Re-introduce a transitional apt-transport-httpsJulian Andres Klode
This fixes issues with debootstrap. The package will disappear after the release of buster.
2017-10-29debian: Bump Standards-Version to 4.1.1Julian Andres Klode
No further changes required.
2017-10-29debian: Set Rules-Requires-Root: noJulian Andres Klode
We don't need fakeroot for building!
2017-10-28Release 1.6~alpha31.6_alpha3Julian Andres Klode
2017-10-28use store: instead of gzip: to open local changelogsDavid Kalnischkies
Regression-Of: cc1f94c95373670fdfdb8e2d6cf9125181f7df0c
2017-10-28Also use FindULL for checking if the size tags is validJulian Andres Klode
It used FindI() > 0, but if it is too big, FindI() would cause an error "Cannot convert %s to integer: out of range", so let's also use FindULL() here. Gbp-Dch: ignore
2017-10-28Prevent overflow in Installed-Size (and Size) in apt showJulian Andres Klode
Installed-Size for linux-image-4.13.0-1-amd64-dbg and friends are larger than 4 GB, but read as a signed integer - that's fine so far, as the value is in KB, but it's multiplied with 1024 which overflows. So let's read it as unsigned long long instead. While we're at it, also use unsigned long long for Size, in case that is bigger than 2 GB.
2017-10-27seccomp: Allow clock_nanosleep() and nanosleep() syscallsJulian Andres Klode
We sleep in http.cc, so we should allow the sleeping syscalls.
2017-10-26Drop unused gzip, lzma, bzip2, and xz symlinks of storeJulian Andres Klode
The store method replaced them all, the symlinks where mostly for partial upgrades or whatever, they should not be needed any longer.
2017-10-26seccomp: Allow ipc() for fakeroot, and allow sysinfo() for sortJulian Andres Klode
Sorting apparently calls sysconf() which calls sysinfo() to get free pages or whatever. Closes: #879814, #879826
2017-10-26debian/tests/control: Add dpkg so we get triggered by itJulian Andres Klode
We do want to get our autopkgtests triggered by dpkg uploads in Ubuntu, but this does not happen because we don't have an explicit dependency on it. Add one.
2017-10-26Release 1.6~alpha21.6_alpha2Julian Andres Klode
2017-10-26CMake: Get rid of some debugging messagesJulian Andres Klode
This fixes a regression introduced in commit 43b9eb5bac15666fdc0346aca7031fab0fa5e064 CMake: methods: Cleanup link libraries, use OBJECT libraries Gbp-Dch: ignore
2017-10-26Print syscall number and arch to stderr when trapped by seccompJulian Andres Klode
This should help debugging crashes. The signal handler is a C++11 lambda, yay! Special care has been taken to only use signal handler -safe functions inside there.
2017-10-25Only warn about seccomp() EINVAL (normal) and EFAULT (qemu) errorsJulian Andres Klode
If seccomp is disabled, we fallback to running without it. Qemu fails in the seccomp() call, returning ENOSYS and libseccomp falls back to prctl() without adjusting the pointer, causing the EFAULT. I hope qemu gets fixed at some point to return EINVAL for seccomp via prctl. Bug-Qemu: https://bugs.launchpad.net/qemu/+bug/1726394
2017-10-25Don't segfault if receiving a method warning on empty queueJulian Andres Klode
We would like to issue a warning about seccomp support in Configuration(), but since the queue is empty, there is no current item to show the URL for and we get a segfault. Show the protocol instead.
2017-10-25methods: Enable additional syscalls (SYSV IPC) in fakerootJulian Andres Klode
If FAKED_MODE is set, enable SYSV IPC so we don't crash when running in fakeroot. Closes: #879662
2017-10-23CMake: methods: Cleanup link libraries, use OBJECT librariesJulian Andres Klode
Use OBJECT libraries for http and connect stuff, and move the seccomp link expression into a global link_libraries() call. This also fixes a bug where only the http target pulled in the gnutls header arguments despite gnutls being used in connect.cc, and thus by mirror and ftp as well. Adjust translation support to ignore TARGET_OBJECTS sources and add the OBJECT libraries to the translated files.
2017-10-23seccomp: Conditionalize statx() whitelistingJulian Andres Klode
statx was introduced in 4.11, so it fails to build in stretch if we just unconditionally use it.
2017-10-23Release 1.6~alpha11.6_alpha1Julian Andres Klode
2017-10-23seccomp: Add missing syscalls for ppc64el, i386, and othersJulian Andres Klode
These are a few overlooked syscalls. Also add readv(), writev(), renameat2(), and statx() in case libc uses them. Gbp-Dch: ignore
2017-10-22Sandbox methods with seccomp-BPF; except cdrom, gpgv, rshJulian Andres Klode
This reduces the number of syscalls to about 140 from about 350 or so, significantly reducing security risks. Also change prepare-release to ignore the architecture lists in the build dependencies when generating the build-depends package for travis. We might want to clean up things a bit more and/or move it somewhere else.
2017-10-22methods/basehttp.cc: Remove proxy autodetect debugging codeJulian Andres Klode
This was a left over from the autodetect move. Gbp-Dch: ignore
2017-10-22methods/mirror: Enable sandboxing and other aptMethod featuresJulian Andres Klode
Sandboxing was turned off because we called pkgAcqMethod's Configuration() instead of aptMethod's.
2017-10-22Run the ProxyAutoDetect script in the sandbox againJulian Andres Klode
The previous change moved running the proxy detection program from the method to the main process, so it runs as root and not as _apt. This brings it back into the sandbox. Gbp-Dch: ignore
2017-10-22Run Proxy-Auto-Detect script from main processJulian Andres Klode
This avoids running the Proxy-Auto-Detect script inside the untrusted (well, less trusted for now) sandbox. This will allow us to restrict the http method from fork()ing or exec()ing via seccomp.
2017-10-20Fix testsuite for and add new fields from dpkg 1.19Julian Andres Klode
tagfile-order.c: Add missing fields from dpkg 1.19 For binary packages, this is Build-Essential; for source packages, it is Description. test-bug-718329-...: Ignore control.tar.*, changes in dpkg 1.19 test-apt-extracttemplates: Fix for dpkg 1.19
2017-10-20Dutch program translation updateFrans Spiesschaert
Closes: #879137
2017-10-08zh_CN.po: Update Simplified Chinese programs translationMo Zhou
2017-10-05avoid using NULL in varadic function for cmdline parsingDavid Kalnischkies
cppcheck reports: (portability) Passing NULL after the last typed argument to a variadic function leads to undefined behaviour. We don't ship on any platform which has this as undefined behaviour through – or it would be pretty well defined "bad" behaviour which always works, so even through UB is a trigger word, its hardly noteworthy as a change (and as a bonus the scanners of gcc/clang don't consider it UB). The commonly accepted method of fixing that seems to be (const char*)NULL, but it is in fact much simpler to just switch to the varadic functions C++ provides resolving the warning and reducing code. Reported-By: cppcheck Gbp-Dch: Ignore
2017-10-05remove pointless va_copy to avoid cleanup danceDavid Kalnischkies
A va_copy call needs to be closed in all branches with va_end, so these functions would need to be reworked slightly, but we don't actually need to copy the va_list as we don't work on it, we just push it forward, so dropping the copy and everyone is happy. Reported-By: cppcheck Gbp-Dch: Ignore
2017-10-05ignore unsupported key formats in apt-keyDavid Kalnischkies
gpg2 generates keyboxes by default and users end up putting either those or armored files into the trusted.gpg.d directory which apt tools neither expect nor can really work with without fortifying backward compatibility (at least under the ".gpg" extension). A (short) discussion about how to deal with keyboxes happened in https://lists.debian.org/deity/2017/07/msg00083.html As the last message in that thread is this changeset lets go ahead with it and see how it turns out. The idea is here simply that we check the first octal of a gpg file to have one of three accepted values. Testing on my machines has always produced just one of these, but running into those values on invalid files is reasonabily unlikely to not worry too much. Closes: #876508
2017-10-05send the hashes for alternative file correctlyDavid Kalnischkies
This isn't really used by the acquire system at all at the moment and the only method potentially sending this information is file://, but that used to be working correctly before broken in 2013, so better fix it now and worry about maybe using the data some day later. Regression-Of: b3501edb7091ca3aa6c2d6d96dc667b8161dd2b9
2017-09-26use pkgTagSection::Key in srcRecords parserDavid Kalnischkies
Using hardcoded array-indexes in the build-dependency parsing is efficient, but less discoverable and easier to break. We can avoid this by making it even more efficient (not that it would be noticeable) allowing us to do explicitly named comparisons instead. Gbp-Dch: Ignore
2017-09-26allow empty build-dependency fields in the parserDavid Kalnischkies
APT used to parse only wellformed files produced by repository creation tools which removed empty files as pointless before apt would see them. Now that apt can be told to parse e.g. debian/control files directly, it needs to be a little more accepting through: We had this with comments already, now let it deal with the far more trivial empty fields. Closes: #875363