path: root/apt-pkg/acquire-item.cc
Age  Commit message  Author
2015-04-19  unsigned Release files can expire, too  (David Kalnischkies)
Checking Valid-Until on an unsigned Release file doesn't give us any security brownie points as an attacker could just change the date, and in practice repositories with unsigned Release files will very likely not have a Valid-Until date, but for symmetry and the fact that being unsigned is currently just a warning, while expired is a fatal error.
2014-11-08  guard const-ification API changes  (David Kalnischkies)
Git-Dch: Ignore
2014-11-08  replace ignore-deprecated #pragma dance with _Pragma  (David Kalnischkies)
For compatibility we use/provide and fill quite some deprecated methods and fields, which subsequently earns us a warning for using them. These warnings therefore have to be disabled for these code parts and that is what this change does now in a slightly more elegant way. Git-Dch: Ignore
2014-11-08  reenable patchsize limit option for pdiffs  (David Kalnischkies)
One word: "doh!" Commit f6d4ab9ad8a2cfe52737ab620dd252cf8ceec43d disabled the check to prevent apt from downloading bigger patches than the index it tries to patch. Happens rarely of course, but still. Detected by scan-build complaining about a dead assignment. To make up for the mistake a test is included as well.
2014-11-06  Merge remote-tracking branch 'upstream/debian/experimental' into feature/no-more-acquire-guessing  (Michael Vogt)
Conflicts: apt-pkg/acquire-item.cc
2014-11-04  Call "Dequeue()" for items in AbortTransaction() to fix race  (Michael Vogt)
The pkgAcquire::Run() code uses a while(ToFetch > 0) loop over the items queued for fetching. This means that we need to Dequeue the item if we call AbortTransaction() to avoid a hang.
2014-10-29  Only support Translation-* that are listed in the {In,}Release file  (Michael Vogt)
Handle Translation-* files exactly like Packages files (with the exception that it is ok if a download of them fails). Remove all "guessing" on apt's side. This will eliminate a bunch of errors related to captive portals and similar. It's also more correct and removes another potential attack vector.
2014-10-26  move permission changing from -item to -worker  (David Kalnischkies)
The worker is the part closest to the methods, which will call the item methods according to what it gets back from the methods; it is therefore a better place to change permissions as it is very central and can do it now at the point the item is assigned to a method rather than when it is queued for download (and as before while dequeued via Done/Failure). Git-Dch: Ignore
2014-10-23  chown finished partial files earlier  (David Kalnischkies)
Partial files are chowned by the Item baseclass to let the methods work with them. Now, this baseclass is also responsible for chowning the files back to root instead of having various deeper levels do this. The consequence is that all overloaded Failed() methods now call the Item::Failed base as their first step. The same is done for Done(). The effect is that even files in partial usually don't belong to _apt anymore, helping sneakernets and reducing possibilities of a bad method modifying files not belonging to them. The change is supported by the framework not only supporting being run as root, but with proper permission management, too, so that privilege dropping can be tested with them.
2014-10-20  use c++ style instead of the last two c-arrays  (David Kalnischkies)
Git-Dch: Ignore
2014-10-20  aborted reverify restores file owner and permission  (David Kalnischkies)
If we get an IMS hit for an InRelease file we use the file we already have and pass it into reverification, but this changes the permissions and on abort of the transaction they weren't switched back. This is now done; additionally, every file in partial which hasn't failed gets permission and owner changed for root access as well, as it is very well possible that the next invocation will (re)use these files.
2014-10-20  run acquire transactions only once  (David Kalnischkies)
Transactions are run and completed from multiple places, so it happens for unsigned repos that the Release file was committed even if it was previously aborted (due to --no-allow-insecure-repositories). The reason is simply that the "failure" of getting an InRelease/Release.gpg is currently ignored, so that the acquire process believes that nothing bad happened and commits the transaction even though the same transaction was previously aborted.
2014-10-20  mark --allow-insecure-repositories message as translatable  (David Kalnischkies)
Refactors a bit to ensure the same message is used in all three cases as well. Git-Dch: Ignore
2014-10-15  ignore Acquire::GzipIndexes for cdrom sources  (David Kalnischkies)
We do not support compressed indexes for cdrom sources as we rewrite some of them, so supporting it correctly could be hard. What we do instead in the meantime is probably disabling it for cdrom sources.
2014-10-15  Merge branch 'debian/sid' into debian/experimental  (David Kalnischkies)
The acquire code changed completely, so this is more an import of the testcase and a new fix than the merge of an existent fix. Conflicts: apt-pkg/acquire-item.cc
2014-10-15  don't cleanup cdrom files in apt-get update  (David Kalnischkies)
Regression from merging 801745284905e7962aa77a9f37a6b4e7fcdc19d0 and b0f4b486e6850c5f98520ccf19da71d0ed748ae4. While fine by itself, merged the part fixing the filename is skipped if a cdrom source is encountered, so that our list-cleanup removes what seems to be orphaned files. Closes: 765458
2014-10-13  do not load filesize in pkgAcqIndexTrans explicitly  (David Kalnischkies)
The constructor is calling the baseclass pkgAcqIndex which does this already – and also does it correctly for compressed files which would otherwise lead to the size of uncompressed files to be expected. Git-Dch: Ignore
2014-10-13  fix compile and tests error  (David Kalnischkies)
I am pretty sure I did that before committing broken stuff… Git-Dch: Ignore
2014-10-13  Fix backward compatibility of the new pkgAcquireMethod::DropPrivsOrDie()  (Michael Vogt)
Do not drop privileges in the methods when using an older version of libapt that does not support the chown magic in partial/ yet. To do this DropPrivileges() now will ignore an empty Apt::Sandbox::User. Cleanup all hardcoded _apt along the way.
2014-10-13  trusted=yes sources are secure, we just don't know why  (David Kalnischkies)
Do not require a special flag to be present to update trusted=yes sources as this flag in the sources.list is obviously special enough. Note that this is just disabling the error message; the user will still be warned about all the (possible) failures the repository generated, it is just triggering the acceptance of the warnings on a source-by-source level. Similarly, the trusted=no flag doesn't require the user to pass additional flags to update; if the repository looks fine in the view of apt it will update just fine. The unauthenticated warnings will "just" be presented when the data is used. In case you wonder: both were the behavior in previous versions, too.
2014-10-13  display a warning for unsigned repos  (David Kalnischkies)
The same message is used for InRelease if it fails in gpgv, but the Release/Release.gpg duo needs to handle the failing download case as well (InRelease just defers to the duo if download fails) and print a message accompanying the insecure error to provide a hint on what is going on.
2014-10-13  make --allow-insecure-repositories message an error  (David Kalnischkies)
Not using this option, but using unsigned (and co) repositories will cause these repositories to be ignored and data acquiring from them fails, so this is very well in the realms of an error and helps in making 'apt-get update' fail with a non-zero error code as well.
2014-10-10  remove useless pdiff filename output  (David Kalnischkies)
Looks like a leftover from debugging. Absolutely no need for it and destroys progress reporting completely. Closes: 764737
2014-10-08  Only rename StatError files in AbortTransaction()  (Michael Vogt)
This fixes a race that we see in travis when two copy operations finish at about the same time but the bad one first. This led to a rename of the good one and triggers an error when apt tries to verify the good version but can no longer find it.
2014-10-08  pkgAcqArchive::QueueNext(): change owner/permission of DestFile  (Michael Vogt)
The code was using FinalFile before but we only test the existence of DestFile so we use that instead.
2014-10-07  Send "Fail-Reason: MaximumSizeExceeded" from the method  (Michael Vogt)
Communicate the fail reason from the methods to the parent and Rename() failed files.
2014-10-07  Add new Acquire::MaxReleaseFileSize=10*1000*1000 option  (Michael Vogt)
This option controls the maximum size of Release/Release.gpg/InRelease files. The rationale is that we do not know the size of these files in advance and we want to protect against a denial of service attack where someone sends us endless amounts of data until the disk is full (we do know the size of all other files (Packages/Sources/debs)).
2014-10-07  Merge remote-tracking branch 'upstream/debian/experimental' into feature/acq-trans  (Michael Vogt)
Conflicts: apt-pkg/acquire-item.cc
2014-10-07  UpperCase some functions for consistency  (Michael Vogt)
changeOwnerAndPermissionOfFile -> ChangeOwnerAndPermissionOfFile
preparePartialFile -> GetPartialFileName
preparePartialFileFromURI -> GetPartialFileNameFromURI
Git-Dch: ignore
2014-10-07  display errortext for all Err as well as Ign logs  (David Kalnischkies)
Consistently using Item::Failed in all specialized classes helps setting up some information bits otherwise unset, so some errors had an empty reason as an error. Ign is upgraded to display the error message we ignored to further help in understanding what happens.
2014-10-07  use _apt:root only for partial directories  (David Kalnischkies)
Using a different user for calling methods is intended to protect us from methods running amok (via remotely exploited bugs) by limiting what can be done by them. By using root:root for the final directories and just having the files in partial writable by the methods we enhance this insofar as a method can't modify already verified data in its parent directory anymore. As a side effect, this also clears most of the problems you could have if the final directories are shared without user-sharing or if these directories disappear, as they are now again root owned and only the partial directories contain _apt owned files (usually none if apt isn't running) and the directory itself is autocreated with the right permissions.
2014-10-07  fixup foldmarkers in acquire-item.cc  (David Kalnischkies)
Git-Dch: Ignore
2014-10-06  fix warnings  (Michael Vogt)
2014-10-06  rename StopAuthentication -> CheckStopAuthentication and make it protected  (Michael Vogt)
2014-10-06  rename AuthDone() -> CheckAuthDone()  (Michael Vogt)
2014-10-06  cleanup pkgAcq*::Failed()  (Michael Vogt)
2014-10-06  add missing TransactionStageCopy() in pkgAcqDiffIndex::Done()  (Michael Vogt)
2014-10-06  Rework pkgAcqMeta{Index,Sig,ClearSig}::Done() for readability  (Michael Vogt)
Move common code out but do not use subclassing for ::Done to make it easier to understand what each class is doing when it's done.
2014-10-06  fix incorrect docstrings for AcqMetaBase::TransactionStageRemoval/AcqMetaBase::TransactionStageCopy  (Michael Vogt)
2014-10-06  add new "SetActiveSubprocess()"  (Michael Vogt)
2014-10-03  really do not download Release if InRelease does not verify  (Michael Vogt)
2014-10-02  cleanup around pkgAcqMetaSig and improved tests  (Michael Vogt)
2014-10-02  add a bunch of docstrings etc  (Michael Vogt)
2014-10-02  fix crash  (Michael Vogt)
2014-10-02  donkults fixes  (Michael Vogt)
2014-10-02  Cleanup pkgAcqIndex  (Michael Vogt)
2014-10-01  refactor and add pkgAcqIndex::ValidateFile()  (Michael Vogt)
2014-10-01  fix leftover files from Acquire::GzipIndex  (Michael Vogt)
2014-10-01  hack around test-apt-update-unauth failure  (Michael Vogt)
2014-10-01  update test/integration/test-releasefile-verification  (Michael Vogt)