Age | Commit message (Collapse) | Author |
|
Checking Valid-Until on an unsigned Release file doesn't give us any
security brownie points as an attacker could just change the date and in
practice repositories with unsigned Release files will very likely not
have a Valid-Until date, but for symetry and the fact that being
unsigned is currently just a warning, while expired is a fatal error.
|
|
Git-Dch: Ignore
|
|
For compatibility we use/provide and fill quiet some deprecated methods
and fields, which subsequently earns us a warning for using them. These
warnings therefore have to be disabled for these codeparts and that is
what this change does now in a slightly more elegant way.
Git-Dch: Ignore
|
|
One word: "doh!" Commit f6d4ab9ad8a2cfe52737ab620dd252cf8ceec43d
disabled the check to prevent apt from downloading bigger patches
than the index it tries to patch. Happens rarly of course, but still.
Detected by scan-build complaining about a dead assignment.
To make up for the mistake a test is included as well.
|
|
feature/no-more-acquire-guessing
Conflicts:
apt-pkg/acquire-item.cc
|
|
The pkgAcquire::Run() code works uses a while(ToFetch > 0) loop
over the items queued for fetching. This means that we need to
Deqeueue the item if we call AbortTransaction() to avoid a hang.
|
|
Handle Translation-* files exactly like Packages files (with the
expection that it is ok if a download of them fails). Remove all
"guessing" on apts side. This will elimimnate a bunch of errors
releated to captive portals and similar. Its also more correct
and removes another potential attack vector.
|
|
The worker is the part closest to the methods, which will call the item
methods according to what it gets back from the methods, it is therefore
a better place to change permissions as it is very central and can do it
now at the point the item is assigned to a method rather than then it is
queued for download (and as before while dequeued via Done/Failure).
Git-Dch: Ignore
|
|
partial files are chowned by the Item baseclass to let the methods work
with them. Now, this baseclass is also responsible for chowning the
files back to root instead of having various deeper levels do this.
The consequence is that all overloaded Failed() methods now call the
Item::Failed base as their first step. The same is done for Done().
The effect is that even in partial files usually don't belong to
_apt anymore, helping sneakernets and reducing possibilities of a bad
method modifying files not belonging to them.
The change is supported by the framework not only supporting being run
as root, but with proper permission management, too, so that privilege
dropping can be tested with them.
|
|
Git-Dch: Ignore
|
|
If we get an IMS hit for an InRelease file we use the file we already
have and pass it into reverification, but this changes the permissions
and on abort of the transaction they weren't switched back.
This is now done, additionally, every file in partial which hasn't
failed gets permission and owner changed for root access as well, as it
is very well possible that the next invocation will (re)use these files.
|
|
Transactions are run and completed from multiple places, so it happens
for unsigned repos that the Release file was commited even if it was
previously aborted (due to --no-allow-insecure-repositories). The reason
is simply that the "failure" of getting an InRelease/Release.gpg is
currently ignored, so that the acquire process believes that nothing bad
happened and commits the transaction even though the same transaction
was previously aborted.
|
|
Refactors a bit to ensure the same message is used in all three cases as
well.
Git-Dch: Ignore
|
|
We do not support compressed indexes for cdrom sources as we rewrite
some of them, so supporting it correctly could be hard. What we do
instead in the meantime is probably disabling it for cdrom sources.
|
|
The acquire code changed completely, so this is more an import of the
testcase and a new fix than the merge of an existent fix.
Conflicts:
apt-pkg/acquire-item.cc
|
|
Regression from merging 801745284905e7962aa77a9f37a6b4e7fcdc19d0 and
b0f4b486e6850c5f98520ccf19da71d0ed748ae4. While fine by itself, merged
the part fixing the filename is skipped if a cdrom source is
encountered, so that our list-cleanup removes what seems to be orphaned
files.
Closes: 765458
|
|
The constructor is calling the baseclass pkgAcqIndex which does this
already – and also does it correctly for compressed files which would
overwise lead to the size of uncompressed files to be expected.
Git-Dch: Ignore
|
|
I am pretty sure I did that before committing broken stuff…
Git-Dch: Ignore
|
|
Do not drop privileges in the methods when using a older version of
libapt that does not support the chown magic in partial/ yet. To
do this DropPrivileges() now will ignore a empty Apt::Sandbox::User.
Cleanup all hardcoded _apt along the way.
|
|
Do not require a special flag to be present to update trusted=yes
sources as this flag in the sources.list is obviously special enough.
Note that this is just disabling the error message, the user will still
be warned about all the (possible) failures the repository generated, it
is just triggering the acceptance of the warnings on a source-by-source
level.
Similarily, the trusted=no flag doesn't require the user to pass
additional flags to update, if the repository looks fine in the view of
apt it will update just fine. The unauthenticated warnings will "just" be
presented then the data is used.
In case you wonder: Both was the behavior in previous versions, too.
|
|
The same message is used for InRelease if fails in gpgv, but the
Release/Release.gpg duo needs to handle the failing download case as
well (InRelease just defers to the duo if download fails) and print a
message accompaning the insecure error to provide a hint on what is
going on.
|
|
Not using this option, but using unsigned (and co) repositories will
cause these repositories to be ignored and data acquiring from them
fails, so this is very well in the realms of an error and helps in
making 'apt-get update' fail with a non-zero error code as well.
|
|
Looks like a leftover from debugging. Absolutely no need for it and
destroys progess reporting completely.
Closes: 764737
|
|
This fixes a race that we see in travis when two copy operations
finish at about the same time but the bad one first. This lead to
a rename of the good one and triggers a error when apt tries to
verify the good version but can no longer find it.
|
|
The code was using FinalFile before but we only test the existance
of DestFile so we use that instead.
|
|
Communicate the fail reason from the methods to the parent
and Rename() failed files.
|
|
This option controls the maximum size of Release/Release.gpg/InRelease
files. The rational is that we do not know the size of these files in
advance and we want to protect against a denial of service attack
where someone sends us endless amounts of data until the disk is full
(we do know the size all other files (Packages/Sources/debs)).
|
|
feature/acq-trans
Conflicts:
apt-pkg/acquire-item.cc
|
|
changeOwnerAndPermissionOfFile->ChangeOwnerAndPermissionOfFile
preparePartialFile->GetPartialFileName
preparePartialFileFromURI->GetPartialFileNameFromURI
Git-Dch: ignore
|
|
consistently using Item::Failed in all specializec classes helps setting
up some information bits otherwise unset, so some errors had an empty
reason as an error. Ign is upgraded to display the error message we
ignored to further help in understanding what happens.
|
|
Using a different user for calling methods is intended to protect us
from methods running amok (via remotely exploited bugs) by limiting what
can be done by them. By using root:root for the final directories and
just have the files in partial writeable by the methods we enhance this
in sofar as a method can't modify already verified data in its parent
directory anymore.
As a side effect, this also clears most of the problems you could have
if the final directories are shared without user-sharing or if these
directories disappear as they are now again root owned and only the
partial directories contain _apt owned files (usually none if apt isn't
running) and the directory itself is autocreated with the right
permissions.
|
|
Git-Dch: Ignore
|
|
|
|
|
|
|
|
|
|
|
|
Move common code out but do not use subclassing for ::Done
to make it easier to understand what each class is doing when
its done
|
|
AcqMetaBase::TransactionStageRemoval/AcqMetaBase::TransactionStageCopy
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|