summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-01-02Support cleartext signed InRelease files with CRLF line endingsDavid Kalnischkies
Commit 89c4c588b275 ("fix from David Kalnischkies for the InRelease gpg verification code (LP: #784473)") amended verification of cleartext signatures by a check whether the file to be verified actually starts with "-----BEGIN PGP SIGNATURE-----\n". However cleartext signed InRelease files have been found in the wild which use \r\n as line ending for this armor header line, presumably generated by a Windows PGP client. Such files are incorrectly deemed unsigned and result in the following (misleading) error: Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?) RFC 4880 specifies in 6.2 Forming ASCII Armor: That is to say, there is always a line ending preceding the starting five dashes, and following the ending five dashes. The header lines, therefore, MUST start at the beginning of a line, and MUST NOT have text other than whitespace following them on the same line. RFC 4880 does not seem to specify whether LF or CRLF is used as line ending for armor headers, but CR is generally considered whitespace (e.g. "man perlrecharclass"), hence using CRLF is legal even under the assumption that LF must be used. SplitClearSignedFile() is stripping whitespace (including CR) on lineend already before matching the string, so StartsWithGPGClearTextSignature() is adapted to use the same ignoring. As the earlier method is responsible for what apt will end up actually parsing nowadays as signed/unsigned this change has no implications for security. Thanks: Lukas Wunner for detailed report & initial patch! References: 89c4c588b275d098af33f36eeddea6fd75068342 Closes: 884922
2018-01-02apt.daily: fix several "shellcheck" annotationsChristian Göttsche
Various corrections, mostly quoting, which shouldn't be a problem for us as we tend to act in "sane" environments, but just to be sure. [commit message written by committer] References: Debian bugreport #849636
2018-01-02apt.daily: remove unused dbus signal for apt updateDavid Kalnischkies
The signal was introduced with the introduction of the script itself, but seems to have never got any user as all references to it I can find are references to other code appearing in the cronjob. It is also the wrong place nowadays as the cronjob is just one place an update can be triggered by, so if notifications about an update being run are desired it is better to use a hook which will be called by all update calls (script, cron, user, …). Removing this code solves also the problem of improving the check to avoid running into problems with security systems like SELinux. References: 0c1326826fd23ce859db8e923c37b7199c6da2c8 Closes: 849636
2018-01-01Italian program translation updateMilo Casagrande
Closes: 882850
2018-01-01unfuzzy Progress l10n change due to format modifierDavid Kalnischkies
References: 0b5e329a8ba2461ccb7017d3adfc972f9dccd830 Gbp-Dch: Ignore
2017-12-24do not remap current files if nullptrs in cache generationDavid Kalnischkies
If the cache needs to grow to make room to insert volatile files like deb files into the cache we were remapping null-pointers making them non-null-pointers in the process causing trouble later on. Only the current Releasefile pointer can currently legally be a nullpointer as volatile files have no release file they belong to, but for safety the pointer to the current Packages file is equally guarded. The option APT::Cache-Start can be used to workaround this problem. Reported-By: Mattia Rizzolo on IRC
2017-12-14remove pointless APT_PURE from void functionsDavid Kalnischkies
Earlier gcc versions used to complain that you should add them althrough there isn't a lot of point to it if you think about it, but now gcc (>= 8) complains about the attribute being present. warning: ‘pure’ attribute on function returning ‘void’ [-Wattributes] Reported-By: gcc -Wattributes Gbp-Dch: Ignore
2017-12-14relax test to accept various connection failuresDavid Kalnischkies
For the failure propagation testing we try to connect to a port which isn't open – you would think that this has a rather limited set of failure modes but it turns out that there are various ways this can fail, so instead of trying to guess all error message we just accept any. Reported-By: travis-ci Gbp-Dch: Ignore
2017-12-13Merge branch 'feature/altretries'David Kalnischkies
Generalizing the behaviour of retrying a download on the same server (if enabled via options) as well as retrying a download via a different alternative server from the acquire item responsible for deb files to the handling of items in general so that all are effected.
2017-12-13implement fallback to alternative URIs for all itemsDavid Kalnischkies
For deb files we always supported falling back from one server to the other if one failed to download the deb, but that was hardwired in the handling of this specific item. Moving this alongside the retry infrastructure we can implement it for all items and allow methods to use this as well by providing additional URIs in a redirect.
2017-12-13give the methods more metadata about the files to acquireDavid Kalnischkies
We have quite a bit of metadata available for the files we acquire, but the methods weren't told about it and got just the URI. That is indeed fine for most, but to avoid methods trying to parse the metadata out of the provided URIs (and fail horribly in edgecases) we can just as well be nice and tell them stuff directly.
2017-12-13implement Acquire::Retries support for all itemsDavid Kalnischkies
Moving the Retry-implementation from individual items to the worker implementation not only gives every file retry capability instead of just a selected few but also avoids needing to implement it in each item (incorrectly).
2017-12-13report transient errors as transient errorsDavid Kalnischkies
The Fail method for acquire methods has a boolean parameter indicating the transient-nature of a reported error. The problem with this is that Fail is called very late at a point where it is no longer easily identifiable if an error is indeed transient or not, so some calls were and some weren't and the acquire system would later mostly ignore the transient flag and guess by using the FailReason instead. Introducing a tri-state enum we can pass the information about fatal or transient errors through the callstack to generate the correct fails.
2017-12-13mark some 500 HTTP codes as transient acquire errorsDavid Kalnischkies
If retries are enabled only transient errors are retried, which are very few errors. At least for some HTTP codes it could be beneficial to retry them through so adding them seems like a good idea if only to be more consistent in what we report.
2017-12-13support multiline values in LookupTagDavid Kalnischkies
LookupTag is a little helper to deal with rfc822-style strings we use in apt e.g. to pass acquire messages around for cases in which our usual rfc822 parser is too heavy. All the fields it had to deal with so far were single line, but if they aren't it should really produce the right output and not just return the first line. Error messages are a prime candidate for becoming multiline as at the moment they are stripped of potential newlines due to the previous insufficiency of LookupTag.
2017-12-13Merge branch 'feature/happy-gcc'David Kalnischkies
Fixing various real and imagined bugs reported by gcc warnings
2017-12-13deal with floats without old-style castDavid Kalnischkies
We have no speed problem with handling floats/doubles in our progress handling, but that shouldn't prevent us from cleaning up the handling slightly to avoid unclean casting to ints. Reported-By: gcc -Wdouble-promotion -Wold-style-cast
2017-12-13avoid some useless casts reported by -Wuseless-castDavid Kalnischkies
The casts are useless, but the reports show some where we can actually improve the code by replacing them with better alternatives like converting whatever int type into a string instead of casting to a specific one which might in the future be too small. Reported-By: gcc -Wuseless-cast
2017-12-13convert various c-style casts to C++-styleDavid Kalnischkies
gcc was warning about ignored type qualifiers for all of them due to the last 'const', so dropping that and converting to static_cast in the process removes the here harmless warning to avoid hidden real issues in them later on. Reported-By: gcc Gbp-Dch: Ignore
2017-12-13deprecate the single-line deprecation ignoring macroDavid Kalnischkies
gcc has problems understanding this construct and additionally thinks it would produce multiple lines and stuff, so to keep using it isn't really worth it for the few instances we have: We can just write the long form there which works better. Reported-By: gcc Gbp-Dch: Ignore
2017-12-13don't name unused parameter in apt-helper waitonlineDavid Kalnischkies
Reported-By: gcc -Wunused-parameter Gbp-Dch: Ignore
2017-12-13clearing object via constructor instead of memsetDavid Kalnischkies
Reported-By: gcc -Wclass-memaccess Gbp-Dch: Ignore
2017-12-13fix over-calculating dpkg commandline lengthDavid Kalnischkies
Mostly harmless as it just means that apt thinks that the dpkg commandline it is building is slightly longer than it actually is and we have various ways of avoiding generating very long lines nowadays, but calculating the right value can't hurt. Reported-By: gcc -Wmultistatement-macros
2017-12-13explicitly name token in auth.conf parsing errorDavid Kalnischkies
Reported-By: gcc -Wsign-promo
2017-12-13update libapt-pkg symbols fileDavid Kalnischkies
Beside adding the relatively new Item::Proxy method we are also slightly preparing for gcc-8.
2017-12-13use the newest available git-clang-format in PATHDavid Kalnischkies
Hardcoding a specific version is sad as default versions change over time, so instead of tying us to a specific clang version we let the script figure out a good version by looking at what is available in PATH. Gbp-Dch: Ignore
2017-12-13don't auto-switch candidate if installed is good enoughDavid Kalnischkies
If we perform candidate switching in requests like "apt install foo/bar" we should first check if the dependencies of foo from release bar are already satisfied by what is already installed before checking if the candidate (or switched candidate) would.
2017-12-13if insecure repo is allowed continue on all http errorsDavid Kalnischkies
If a InRelease file fails to download with a non-404 error we assumed there is some general problem with repository like a webportal or your are blocked from access (wrong auth, Tor, …). Turns out some server like S3 return 403 if a file doesn't exist. Allowing this in general seems like a step backwards as 403 is a reasonable response if auth failed, so failing here seems better than letting those users run into problems. What we can do is show our insecure warnings through and allow the failures for insecure repos: If the repo is signed it is easy to add an InRelease file and if not you are setup for trouble anyhow. References: cbbf185c3c55effe47f218a07e7b1f324973a8a6
2017-11-22tests: Improve handling profiling messages on CIJulian Andres Klode
We did not strip away profiling messages when we were diffing from stdin (-). Just always write temporary files and strip from them. We also had a problem when stripping ...profiling: from a line and the next line starts with profiling. Split the sed into two calls so we first remove complete profiling: lines before fixing the ...profiling: cases.
2017-11-20Translate shared documentation parts againJulian Andres Klode
We accidentally did not translate the entity file, but should have. This makes apt.ent translatable again. This generates the target multiple times, but surprisingly, that works just fine, so let's just keep it that way, as it's clean code otherwise.
2017-11-20allow apt_auth.conf(5) to be translatedDavid Kalnischkies
Adding manpages is really hard it seems. References: ea408c560ed85bb4ef7cf8f72f8463653501332c, ea7581c9aaaaebf844d00935a1cdf8c8fee7f7f3, 90bfc5b057d3f9136ffe34089b6e56d59593797c
2017-11-19support COLUMNS environment variable in apt toolsDavid Kalnischkies
apt usually gets the width of the window from the terminal or failing that has a default value, but especially for testing it can be handy to control the size as you can't be sure that variable sized content will always be linebreaked as expected in the testcases.
2017-11-19allow multivalue fields in deb822 sources to be foldedDavid Kalnischkies
The documentation said "spaces", but there is no real reason to be so strict and only allow spaces to separate values as that only leads to very long lines if e.g. multiple URIs are specified which are again hard to deal with from a user PoV which the deb822 format is supposed to avoid. It also deals with multiple consecutive spaces and strange things like tabs users will surely end up using in the real world. The old behviour on encountering folded lines is the generation of URIs which end up containing all these whitespace characters which tends to mess really bad with output and further processing. Closes: 881875
2017-11-19Run wrap-and-sortJulian Andres Klode
Clean up the control file a bit.
2017-11-19Also look at https_proxy for https URLsJulian Andres Klode
We accidentally regressed here in 1.5 when replacing the https method.
2017-11-16Add Breaks: aptitude (<< 0.8.10) for gzip method removalJulian Andres Klode
aptitude used to use gzip:// for changelog URLs, but is now fixed to use store.
2017-11-12Release 1.6~alpha51.6_alpha5Julian Andres Klode
2017-11-12Dutch manpage translation updateFrans Spiesschaert
Closes: #881402
2017-11-12Do not attempt seccomp under qemu-user and drop EFAULT workaroundJulian Andres Klode
qemu-user passes prctl()-based seccomp through to the kernel, umodified. That's bad, as it blocks the wrong syscalls. We ignored EFAULT which fixed the problem for targets with different pointer sizes from the host, but was a bad hack. In order to identify qemu we can rely on the fact that qemu-user prints its version and exits with 0 if QEMU_VERSION is set to an unsupported value. If we run a command that should fail in such an environment, and it exits with 0, then we are running in qemu-user. apt-helper is an obvious command to run. The tests ensure it exits with 1, and it only prints usage information. We also could not use /bin/false because apt might just as well be from a foreign arch while /bin/false is not. Closes: #881519
2017-11-05[amend] Use a versioned breaks for a-t-https in apt1.6_alpha4Julian Andres Klode
We need to use a versioned breaks again, otherwise the transitional package would not be installable. Gbp-Dch: ignore
2017-11-05Release 1.6~alpha4Julian Andres Klode
2017-11-05Add ${misc:Depends} to apt-transport-https dependsJulian Andres Klode
Makes lintian happy, but is basically useless Gbp-Dch: ignore
2017-11-05Re-introduce a transitional apt-transport-httpsJulian Andres Klode
This fixes issues with debootstrap. The package will disappear after the release of buster.
2017-10-29debian: Bump Standards-Version to 4.1.1Julian Andres Klode
No further changes required.
2017-10-29debian: Set Rules-Requires-Root: noJulian Andres Klode
We don't need fakeroot for building!
2017-10-28Release 1.6~alpha31.6_alpha3Julian Andres Klode
2017-10-28use store: instead of gzip: to open local changelogsDavid Kalnischkies
Regression-Of: cc1f94c95373670fdfdb8e2d6cf9125181f7df0c
2017-10-28Also use FindULL for checking if the size tags is validJulian Andres Klode
It used FindI() > 0, but if it is too big, FindI() would cause an error "Cannot convert %s to integer: out of range", so let's also use FindULL() here. Gbp-Dch: ignore
2017-10-28Prevent overflow in Installed-Size (and Size) in apt showJulian Andres Klode
Installed-Size for linux-image-4.13.0-1-amd64-dbg and friends are larger than 4 GB, but read as a signed integer - that's fine so far, as the value is in KB, but it's multiplied with 1024 which overflows. So let's read it as unsigned long long instead. While we're at it, also use unsigned long long for Size, in case that is bigger than 2 GB.
2017-10-27seccomp: Allow clock_nanosleep() and nanosleep() syscallsJulian Andres Klode
We sleep in http.cc, so we should allow the sleeping syscalls.