Age | Commit message (Collapse) | Author |
|
Happy Eyeballs are coming, yay!
|
|
Try establishing connections in alternating address families in
rapid intervals of 250 ms, adding more connections to the wait
list until one succeeds (RFC 8305, happy eyeballs 2).
It is important that WaitAndCheckErrors() waits until it has
a successful connection, a time out, or all connections failed
- otherwise the timing between tries might be wrong, and the
final long wait might exit early because one connection failed
without trying the others. Timing wise, this only works correctly
on Linux, as select() counts down there. But we rely on that in
some other places too, so this is not the time to fix that.
Timeouts are only reported in the final long wait - the short
inner waits are expected to time out more often, and multiple
times, we do not want to report them.
Closes: #668948
LP: #1308200
Gbp-Dch: paragraph
|
|
Extracting the error checking method allows us to reuse it
in different places, so we can move the waiting and checking
out of DoConnect() eventually.
Gbp-Dch: ignore
|
|
There's no real point in storing the IP address while resolving
it - failure messages include the IP address in any case. Do this
when picking the connection for actual use instead.
|
|
This struct holds information about a connection attempt, like
the addrinfo, the resolved address, the fd for the connection,
and so on.
Gbp-Dch: ignore
|
|
As a first step to implementing Happy Eyeballs version 2, we
need to order the list of hosts getaddrinfo() gave us so it
alternates between preferred and other address families.
RFC: https://tools.ietf.org/html/rfc8305
Gbp-Dch: ignore
|
|
Commit 89c4c588b275 ("fix from David Kalnischkies for the InRelease gpg
verification code (LP: #784473)") amended verification of cleartext
signatures by a check whether the file to be verified actually starts
with "-----BEGIN PGP SIGNATURE-----\n".
However cleartext signed InRelease files have been found in the wild
which use \r\n as line ending for this armor header line, presumably
generated by a Windows PGP client. Such files are incorrectly deemed
unsigned and result in the following (misleading) error:
Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
RFC 4880 specifies in 6.2 Forming ASCII Armor:
That is to say, there is always a line ending preceding the
starting five dashes, and following the ending five dashes. The
header lines, therefore, MUST start at the beginning of a line, and
MUST NOT have text other than whitespace following them on the same
line.
RFC 4880 does not seem to specify whether LF or CRLF is used as line
ending for armor headers, but CR is generally considered whitespace
(e.g. "man perlrecharclass"), hence using CRLF is legal even under
the assumption that LF must be used.
SplitClearSignedFile() is stripping whitespace (including CR) on lineend
already before matching the string, so StartsWithGPGClearTextSignature() is
adapted to use the same ignoring. As the earlier method is responsible
for what apt will end up actually parsing nowadays as signed/unsigned this
change has no implications for security.
Thanks: Lukas Wunner for detailed report & initial patch!
References: 89c4c588b275d098af33f36eeddea6fd75068342
Closes: 884922
|
|
Various corrections, mostly quoting, which shouldn't be a problem for us
as we tend to act in "sane" environments, but just to be sure.
[commit message written by committer]
References: Debian bugreport #849636
|
|
The signal was introduced with the introduction of the script itself,
but seems to have never got any user as all references to it I can find
are references to other code appearing in the cronjob.
It is also the wrong place nowadays as the cronjob is just one place an
update can be triggered by, so if notifications about an update being
run are desired it is better to use a hook which will be called by all
update calls (script, cron, user, …).
Removing this code solves also the problem of improving the check to
avoid running into problems with security systems like SELinux.
References: 0c1326826fd23ce859db8e923c37b7199c6da2c8
Closes: 849636
|
|
Closes: 882850
|
|
References: 0b5e329a8ba2461ccb7017d3adfc972f9dccd830
Gbp-Dch: Ignore
|
|
If the cache needs to grow to make room to insert volatile files like
deb files into the cache we were remapping null-pointers making them
non-null-pointers in the process causing trouble later on.
Only the current Releasefile pointer can currently legally be a
nullpointer as volatile files have no release file they belong to, but
for safety the pointer to the current Packages file is equally guarded.
The option APT::Cache-Start can be used to workaround this problem.
Reported-By: Mattia Rizzolo on IRC
|
|
Earlier gcc versions used to complain that you should add them althrough
there isn't a lot of point to it if you think about it, but now gcc (>= 8)
complains about the attribute being present.
warning: ‘pure’ attribute on function returning ‘void’ [-Wattributes]
Reported-By: gcc -Wattributes
Gbp-Dch: Ignore
|
|
For the failure propagation testing we try to connect to a port which
isn't open – you would think that this has a rather limited set of
failure modes but it turns out that there are various ways this can
fail, so instead of trying to guess all error message we just accept
any.
Reported-By: travis-ci
Gbp-Dch: Ignore
|
|
Generalizing the behaviour of retrying a download on the same server (if
enabled via options) as well as retrying a download via a different
alternative server from the acquire item responsible for deb files to
the handling of items in general so that all are effected.
|
|
For deb files we always supported falling back from one server to the
other if one failed to download the deb, but that was hardwired in the
handling of this specific item. Moving this alongside the retry
infrastructure we can implement it for all items and allow methods to
use this as well by providing additional URIs in a redirect.
|
|
We have quite a bit of metadata available for the files we acquire, but
the methods weren't told about it and got just the URI. That is indeed
fine for most, but to avoid methods trying to parse the metadata out of
the provided URIs (and fail horribly in edgecases) we can just as well
be nice and tell them stuff directly.
|
|
Moving the Retry-implementation from individual items to the worker
implementation not only gives every file retry capability instead of
just a selected few but also avoids needing to implement it in each item
(incorrectly).
|
|
The Fail method for acquire methods has a boolean parameter indicating
the transient-nature of a reported error. The problem with this is that
Fail is called very late at a point where it is no longer easily
identifiable if an error is indeed transient or not, so some calls were
and some weren't and the acquire system would later mostly ignore the
transient flag and guess by using the FailReason instead.
Introducing a tri-state enum we can pass the information about fatal or
transient errors through the callstack to generate the correct fails.
|
|
If retries are enabled only transient errors are retried, which are very
few errors. At least for some HTTP codes it could be beneficial to retry
them through so adding them seems like a good idea if only to be more
consistent in what we report.
|
|
LookupTag is a little helper to deal with rfc822-style strings we use in
apt e.g. to pass acquire messages around for cases in which our usual
rfc822 parser is too heavy. All the fields it had to deal with so far
were single line, but if they aren't it should really produce the right
output and not just return the first line. Error messages are a prime
candidate for becoming multiline as at the moment they are stripped of
potential newlines due to the previous insufficiency of LookupTag.
|
|
Fixing various real and imagined bugs reported by gcc warnings
|
|
We have no speed problem with handling floats/doubles in our progress
handling, but that shouldn't prevent us from cleaning up the handling
slightly to avoid unclean casting to ints.
Reported-By: gcc -Wdouble-promotion -Wold-style-cast
|
|
The casts are useless, but the reports show some where we can actually
improve the code by replacing them with better alternatives like
converting whatever int type into a string instead of casting to a
specific one which might in the future be too small.
Reported-By: gcc -Wuseless-cast
|
|
gcc was warning about ignored type qualifiers for all of them due to the
last 'const', so dropping that and converting to static_cast in the
process removes the here harmless warning to avoid hidden real issues in
them later on.
Reported-By: gcc
Gbp-Dch: Ignore
|
|
gcc has problems understanding this construct and additionally thinks it
would produce multiple lines and stuff, so to keep using it isn't really
worth it for the few instances we have: We can just write the long form
there which works better.
Reported-By: gcc
Gbp-Dch: Ignore
|
|
Reported-By: gcc -Wunused-parameter
Gbp-Dch: Ignore
|
|
Reported-By: gcc -Wclass-memaccess
Gbp-Dch: Ignore
|
|
Mostly harmless as it just means that apt thinks that the dpkg
commandline it is building is slightly longer than it actually is and we
have various ways of avoiding generating very long lines nowadays, but
calculating the right value can't hurt.
Reported-By: gcc -Wmultistatement-macros
|
|
Reported-By: gcc -Wsign-promo
|
|
Beside adding the relatively new Item::Proxy method we are also slightly
preparing for gcc-8.
|
|
Hardcoding a specific version is sad as default versions change over
time, so instead of tying us to a specific clang version we let the
script figure out a good version by looking at what is available in
PATH.
Gbp-Dch: Ignore
|
|
If we perform candidate switching in requests like "apt install foo/bar"
we should first check if the dependencies of foo from release bar are
already satisfied by what is already installed before checking if the
candidate (or switched candidate) would.
|
|
If a InRelease file fails to download with a non-404 error
we assumed there is some general problem with repository like
a webportal or your are blocked from access (wrong auth, Tor, …).
Turns out some server like S3 return 403 if a file doesn't exist.
Allowing this in general seems like a step backwards as 403 is a
reasonable response if auth failed, so failing here seems better
than letting those users run into problems.
What we can do is show our insecure warnings through and allow the
failures for insecure repos: If the repo is signed it is easy to add
an InRelease file and if not you are setup for trouble anyhow.
References: cbbf185c3c55effe47f218a07e7b1f324973a8a6
|
|
We did not strip away profiling messages when we were diffing
from stdin (-). Just always write temporary files and strip from
them.
We also had a problem when stripping ...profiling: from a line
and the next line starts with profiling. Split the sed into two
calls so we first remove complete profiling: lines before fixing
the ...profiling: cases.
|
|
We accidentally did not translate the entity file, but should
have. This makes apt.ent translatable again. This generates the
target multiple times, but surprisingly, that works just fine, so
let's just keep it that way, as it's clean code otherwise.
|
|
Adding manpages is really hard it seems.
References: ea408c560ed85bb4ef7cf8f72f8463653501332c,
ea7581c9aaaaebf844d00935a1cdf8c8fee7f7f3,
90bfc5b057d3f9136ffe34089b6e56d59593797c
|
|
apt usually gets the width of the window from the terminal or failing
that has a default value, but especially for testing it can be handy
to control the size as you can't be sure that variable sized content
will always be linebreaked as expected in the testcases.
|
|
The documentation said "spaces", but there is no real reason to be so
strict and only allow spaces to separate values as that only leads to
very long lines if e.g. multiple URIs are specified which are again hard
to deal with from a user PoV which the deb822 format is supposed to
avoid. It also deals with multiple consecutive spaces and strange things
like tabs users will surely end up using in the real world.
The old behviour on encountering folded lines is the generation of URIs
which end up containing all these whitespace characters which tends to
mess really bad with output and further processing.
Closes: 881875
|
|
Clean up the control file a bit.
|
|
We accidentally regressed here in 1.5 when replacing the https
method.
|
|
aptitude used to use gzip:// for changelog URLs, but is now
fixed to use store.
|
|
|
|
Closes: #881402
|
|
qemu-user passes prctl()-based seccomp through to the kernel,
umodified. That's bad, as it blocks the wrong syscalls.
We ignored EFAULT which fixed the problem for targets with different
pointer sizes from the host, but was a bad hack. In order to identify
qemu we can rely on the fact that qemu-user prints its version and
exits with 0 if QEMU_VERSION is set to an unsupported value. If we
run a command that should fail in such an environment, and it exits
with 0, then we are running in qemu-user.
apt-helper is an obvious command to run. The tests ensure it exits
with 1, and it only prints usage information. We also could not use
/bin/false because apt might just as well be from a foreign arch
while /bin/false is not.
Closes: #881519
|
|
We need to use a versioned breaks again, otherwise the
transitional package would not be installable.
Gbp-Dch: ignore
|
|
|
|
Makes lintian happy, but is basically useless
Gbp-Dch: ignore
|
|
This fixes issues with debootstrap. The package will disappear
after the release of buster.
|
|
No further changes required.
|