summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-10-13Fix backward compatiblity of the new pkgAcquireMethod::DropPrivsOrDie()Michael Vogt
Do not drop privileges in the methods when using a older version of libapt that does not support the chown magic in partial/ yet. To do this DropPrivileges() now will ignore a empty Apt::Sandbox::User. Cleanup all hardcoded _apt along the way.
2014-10-13Document ↵Michael Vogt
Acquire{MaxReleaseFileSize,AllowInsecureRepositories,AllowDowngradeToInsecureRepositories} and --no-allow-insecure-repositories Document the new options to restrict loading unauthenticated data into our parsers.
2014-10-13trusted=yes sources are secure, we just don't know whyDavid Kalnischkies
Do not require a special flag to be present to update trusted=yes sources as this flag in the sources.list is obviously special enough. Note that this is just disabling the error message, the user will still be warned about all the (possible) failures the repository generated, it is just triggering the acceptance of the warnings on a source-by-source level. Similarily, the trusted=no flag doesn't require the user to pass additional flags to update, if the repository looks fine in the view of apt it will update just fine. The unauthenticated warnings will "just" be presented then the data is used. In case you wonder: Both was the behavior in previous versions, too.
2014-10-13do not inline virtual destructors with d-pointersDavid Kalnischkies
Reimplementing an inline method is opening a can of worms we don't want to open if we ever want to us a d-pointer in those classes, so we do the only thing which can save us from hell: move the destructors into the cc sources and we are good. Technically not an ABI break as the methods inline or not do the same (nothing), so a program compiled against the old version still works with the new version (beside that this version is still in experimental, so nothing really has been build against this library anyway). Git-Dch: Ignore
2014-10-13display a warning for unsigned reposDavid Kalnischkies
The same message is used for InRelease if fails in gpgv, but the Release/Release.gpg duo needs to handle the failing download case as well (InRelease just defers to the duo if download fails) and print a message accompaning the insecure error to provide a hint on what is going on.
2014-10-13make --allow-insecure-repositories message an errorDavid Kalnischkies
Not using this option, but using unsigned (and co) repositories will cause these repositories to be ignored and data acquiring from them fails, so this is very well in the realms of an error and helps in making 'apt-get update' fail with a non-zero error code as well.
2014-10-10remove useless pdiff filename outputDavid Kalnischkies
Looks like a leftover from debugging. Absolutely no need for it and destroys progess reporting completely. Closes: 764737
2014-10-08Only rename StatError files in AbortTransaction()Michael Vogt
This fixes a race that we see in travis when two copy operations finish at about the same time but the bad one first. This lead to a rename of the good one and triggers a error when apt tries to verify the good version but can no longer find it.
2014-10-08releasing package apt version 1.1~exp41.1.exp4Michael Vogt
2014-10-08prepare 1.1~exp4Michael Vogt
2014-10-08Fix ServerMethod::FindMaximumObjectSizeInQueue()Michael Vogt
Git-Dch: ignore
2014-10-08pkgAcqArchive::QueueNext(): change owner/permission of DestFileMichael Vogt
The code was using FinalFile before but we only test the existance of DestFile so we use that instead.
2014-10-08Merge branch 'debian/sid' into debian/experimentalMichael Vogt
Conflicts: debian/changelog
2014-10-08Merge remote-tracking branch 'mvo/feature/expected-size' into ↵Michael Vogt
debian/experimental
2014-10-08Merge remote-tracking branch 'mvo/feature/acq-trans' into debian/experimentalMichael Vogt
2014-10-08Fix http pipeline messup detectionMichael Vogt
The Maximum-Size protection breaks the http pipeline reorder code because it relies on that the object got fetched entirely so that it can compare the hash of the downloaded data. So instead of stopping when the Maximum-Size of the expected item is reached we only stop when the maximum size of the biggest item in the queue is reached. This way the pipeline reoder code keeps working.
2014-10-08Merge remote-tracking branch 'donkult/feature/acq-trans' into ↵Michael Vogt
feature/expected-size
2014-10-08fix http-pipeline-messup testcaseDavid Kalnischkies
The test generates failures if the created deb files have the same size, so we try a little harder to avoid having the same size for them. Git-Dch: Ignore
2014-10-07do not show IP in output of testcasesDavid Kalnischkies
On travis-ci connect.cc detects a rotation, triggering it store the IP which is later appended to the error message, which is all nice and great if we deal with a real server, but in the testcases it just triggers failures as strings do not match. Git-Dch: Ignore
2014-10-07Send "Fail-Reason: MaximumSizeExceeded" from the methodMichael Vogt
Communicate the fail reason from the methods to the parent and Rename() failed files.
2014-10-07set PR_SET_NO_NEW_PRIVS also if run as non-rootDavid Kalnischkies
Changing user and co works only as root, but can do some things for methods run as normal user as well to protect them from being able to call setuid binaries like sudo to elevate their privileges. Also uses a cheap trick now to build with old unsupporting kernels.
2014-10-07fix foldmarkers in fileutl.ccDavid Kalnischkies
Git-Dch: Ignore
2014-10-07don't show ErrorText for Ign by defaultDavid Kalnischkies
Some distributions (or repositories) do not have as much "Ign-discipline" as I would like to, so that could be pretty distracting for our users if enabled by default. It is handy for testcases though. Git-Dch: Ignore
2014-10-07Add new Acquire::MaxReleaseFileSize=10*1000*1000 optionMichael Vogt
This option controls the maximum size of Release/Release.gpg/InRelease files. The rational is that we do not know the size of these files in advance and we want to protect against a denial of service attack where someone sends us endless amounts of data until the disk is full (we do know the size all other files (Packages/Sources/debs)).
2014-10-07Merge branch 'feature/acq-trans' into feature/expected-sizeMichael Vogt
2014-10-07make expected-size a maximum-size check as this is what we want at this pointMichael Vogt
2014-10-07Merge remote-tracking branch 'upstream/debian/experimental' into ↵Michael Vogt
feature/acq-trans Conflicts: apt-pkg/acquire-item.cc
2014-10-07UpperCase some functions for consistencyMichael Vogt
changeOwnerAndPermissionOfFile->ChangeOwnerAndPermissionOfFile preparePartialFile->GetPartialFileName preparePartialFileFromURI->GetPartialFileNameFromURI Git-Dch: ignore
2014-10-07Ignore EINVAL from prctl(PR_SET_NO_NEW_PRIVS)Michael Vogt
Ignore a EINVAL error here as it means that the kernel is too old to understand this option. We should not fail hard in this case but just ignore the error. closes: 764066
2014-10-07Rename DropPrivs() to DropPrivileges()Michael Vogt
Git-Dch: ignore
2014-10-07fix test-cve-2013-1051-InRelease-parsing (fails now in the method)Michael Vogt
2014-10-07add ftp expected size checkMichael Vogt
2014-10-07methods/https.cc: use File->Tell() here tooMichael Vogt
2014-10-07display errortext for all Err as well as Ign logsDavid Kalnischkies
consistently using Item::Failed in all specializec classes helps setting up some information bits otherwise unset, so some errors had an empty reason as an error. Ign is upgraded to display the error message we ignored to further help in understanding what happens.
2014-10-07use _apt:root only for partial directoriesDavid Kalnischkies
Using a different user for calling methods is intended to protect us from methods running amok (via remotely exploited bugs) by limiting what can be done by them. By using root:root for the final directories and just have the files in partial writeable by the methods we enhance this in sofar as a method can't modify already verified data in its parent directory anymore. As a side effect, this also clears most of the problems you could have if the final directories are shared without user-sharing or if these directories disappear as they are now again root owned and only the partial directories contain _apt owned files (usually none if apt isn't running) and the directory itself is autocreated with the right permissions.
2014-10-07ensure partial dirs are 0700 and owned by _apt:rootDavid Kalnischkies
Reworks the API involved in creating and setting up the fetcher to be a bit more pleasent to look at and work with as e.g. an empty string for no lock isn't very nice. With the lock we can also stop creating all our partial directories "just in case". This way we can also be a bit more aggressive with the partial directory itself as with a lock, we know we will gone need it.
2014-10-07fixup foldmarkers in acquire-item.ccDavid Kalnischkies
Git-Dch: Ignore
2014-10-06make http size check workMichael Vogt
2014-10-06[l10n] Updated Czech translation of aptMiroslav Kure
Closes: #764055
2014-10-06fix warningsMichael Vogt
2014-10-06rename StopAuthentication -> CheckStopAuthentication and make it protectedMichael Vogt
2014-10-06fix testMichael Vogt
2014-10-06rename AuthDone() -> CheckAuthDone()Michael Vogt
2014-10-06cleanup pkgAcq*::Failed()Michael Vogt
2014-10-06add missing TransactionStageCopy() in pkgAcqDiffIndex::Done()Michael Vogt
2014-10-06Rework pkgAcqMeta{Index,Sig,ClearSig}::Done() for readabilityMichael Vogt
Move common code out but do not use subclassing for ::Done to make it easier to understand what each class is doing when its done
2014-10-06fix incorrect docstrings for ↵Michael Vogt
AcqMetaBase::TransactionStageRemoval/AcqMetaBase::TransactionStageCopy
2014-10-06add new "SetActiveSubprocess()Michael Vogt
2014-10-06update testMichael Vogt
2014-10-03apt-get: Create the temporary downloaded changelog inside tmpdirGuillem Jover
The code is creating a secure temporary directory, but then creates the changelog alongside the tmpdir in the same base directory. This defeats the secure tmpdir creation, making the filename predictable. Inject a '/' between the tmpdir and the changelog filename.