path: root/apt-pkg/acquire-item.cc
Age | Commit message | Author
2014-09-17 | Fix regression for file:/// uris from CVE-2014-0487 | Michael Vogt
    Do not run ReverifyAfterIMS() for local file URIs as this will cause apt to mess around in the file:/// uri space. This is wrong in itself, but it will also cause an incorrect verification failure when the archive and the lists directory are on different partitions as rename().
2014-09-17 | merge 0.9.7.9+deb7u3 | Michael Vogt
2012-03-06 | add Debug::pkgAcqArchive::NoQueue to disable package downloading | David Kalnischkies
2012-03-04 | * apt-pkg/acquire-item.cc: | David Kalnischkies
      - remove 'old' InRelease file if we can't get a new one before proceeding with Release.gpg to avoid the false impression of a still trusted repository by a (still present) old InRelease file. Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
    Affected are all versions >= 0.8.11
    Possible attack summary:
      - Attacker needs to find a user which has run at least one successful 'apt-get update' against an archive providing InRelease files.
      - Create a Packages file with his preferred content.
      - Attacker then prevents the download of InRelease, Release and Release.gpg (alternatively he creates a valid Release file and sends this, the other two files need to be missing either way).
      - User updates against this, getting the modified Packages file without any indication of being unsigned (beside the "Ign InRelease" and "Ign Release.gpg" in the output of 'apt-get update').
    => deb files from this source are considered 'trusted' (and therefore the user isn't asked for an additional confirmation before install)
2012-02-18 | use pdiff for Translation-* files if available (Closes: #657902) | David Kalnischkies
    Beware: pdiffs for Translation-* are only acquired if their availability is advertised in the Release file.
2012-02-18 | * apt-pkg/acquire-item.cc: | David Kalnischkies
      - drop support for i18n/Index file (introduced in 0.8.11) and use the Release file instead to get the Translations (Closes: #649314)
    * ftparchive/writer.cc:
      - add 'Translation-*' to the default patterns
    i18n/Index was never used outside debian - and even here it isn't used consistently as only 'main' has such a file. As the Release file now includes the Translation-* files we therefore drop support for i18n/Index. A version supporting it was never part of a debian release and still supporting it would mean that we get 99% of the time a 404 as response to the request anyway and confuse archive maintainers who want to provide all files APT tries to acquire.
2011-12-17 | try to avoid direct usage of .Fd() if possible and do read()s and co on the FileFd instead | David Kalnischkies
2011-09-19 | use forward declaration in headers if possible instead of includes | David Kalnischkies
2011-09-13 | merge with debian/sid | David Kalnischkies
2011-09-13 | merge with debian/experimental | David Kalnischkies
2011-09-13 | reorder includes: add <config.h> if needed and include it at first | David Kalnischkies
2011-08-22 | * apt-pkg/acquire-item.cc: | David Kalnischkies
      - if no Release.gpg file is found try to verify with hashes, but do not fail if a hash can't be found
2011-08-15 | merged from the debian-sid branch | Michael Vogt
2011-08-15 | merged fixes from lp:~mvo/apt/mvo | Michael Vogt
2011-08-11 | cppcheck complains about some possible speed improvements which could be done on the micro-optimization level, so let's fix them: | David Kalnischkies
    (performance) Possible inefficient checking for emptiness.
    (performance) Prefer prefix ++/-- operators for non-primitive types.
2011-08-08 | fix crash when P.Arch() was used but the cache got remapped | Michael Vogt
2011-08-08 | apt-pkg/acquire-item.cc: add more debug output | Michael Vogt
2011-08-05 | * test/integration/test-hashsum-verification: | Michael Vogt
      - add regression test for hashsum verification
    * apt-pkg/acquire-item.cc:
      - if no Release.gpg file is found, still load the hashes for verification (closes: #636314) and add test
2011-08-05 | * apt-pkg/acquire-item.cc: | Michael Vogt
      - if no Release.gpg file is found, still load the hashes for verification (closes: #636314) and add test
2011-08-05 | apt-pkg/acquire-item.cc: always init Verify | Michael Vogt
2011-08-05 | * apt-pkg/acquire-item.{cc,h}: | Michael Vogt
      - do not check for a "Package" tag in optional index targets like the translations index
2011-07-28 | * [ABI break] apt-pkg/acquire-item.{cc,h}: | Michael Vogt
      - cleanup around OptionalIndexTarget and SubIndexTarget
2011-07-15 | merged from http://bzr.debian.org/bzr/apt/apt/debian-sid | Michael Vogt
2011-07-05 | * apt-pkg/acquire*.{cc,h}: | David Kalnischkies
      - try even harder to support really big files in the fetcher by converting (hopefully) everything to 'long long' (Closes: #632271)
2011-07-01 | apt-pkg/acquire-item.cc: improve error message for valid-until | Michael Vogt
2011-06-29 | merge lp:~mvo/apt/abi-break | Michael Vogt
2011-06-08 | merge lp:~mvo/apt/sha512-template to add support for sha512 | Michael Vogt
2011-05-31 | apt-pkg/acquire-item.cc: only test packages file for correctness if it's not empty (it's ok to have empty packages files) | Michael Vogt
2011-05-30 | Reject files known to be invalid (LP: #346386) (Closes: #627642) | Julian Andres Klode
2011-05-30 | apt-pkg/acquire-item.cc: Reject files known to be invalid (LP: #346386) (Closes: #195301) | Julian Andres Klode
    This commit deals with the following cases:
      - First section of index file (Packages,Sources,Translation) without Package field
      - Signed release files without GPG data (NODATA)
      - i18n/Index files without hash sums
    Handling unsigned Release files is more complicated, and the example code using indexRecords is disabled as it can reject correct Release files without hashes. How we can reliably check unsigned Release files is another question, and not urgent anyway, as it should have no dramatic effect (we could check that it is a valid RFC-822 section, but that's a bit too long to write)
2011-04-26 | * apt-pkg/acquire-item.cc: | Ben Finney
      - apply fix for poorly worded 'locate file' error message from Ben Finney, thanks! (Closes: #623171)
2011-04-16 | apt-pkg/acquire-item.cc: Only try to rename existing Release files (Closes: #622912) | Julian Andres Klode
2011-04-08 | * apt-pkg/acquire-item.cc: | Julian Andres Klode
      - Use Release files even if they cannot be verified (LP: #704595)
2011-04-04 | merged from lp:~donkult/apt/sid | Michael Vogt
2011-04-02 | apt-pkg/acquire-item.cc: Use stat buffer if stat was successful, not if it failed (Closes: #620546) [0.8.13.1] | Julian Andres Klode
2011-03-16 | * apt-pkg/vendor.cc, apt-pkg/vendorlist.cc: | David Kalnischkies
      - mark them as deprecated as they are unused
2011-03-14 | apt-pkg/acquire-item.cc: add some more missing Fail-Ignore | Michael Vogt
2011-03-14 | apt-pkg/acquire-item.{cc,h}: mark InRelease with Fail-Ignore to ensure the mirror methods does not retry on each mirror | Michael Vogt
2011-03-11 | * apt-pkg/acquire-item.cc: | Michael Vogt
      - mark pkgAcqIndexTrans as Index-File to avoid asking the user to insert the CD on each apt-get update
2011-02-25 | add sha512 support in the client now as well | Michael Vogt
2011-02-08 | merged from lp:~donkult/apt/sid | Michael Vogt
2011-01-28 | - download and use i18n/Index to choose which Translations to download | David Kalnischkies
    * apt-pkg/aptconfiguration.cc:
      - remove the inbuilt Translation files whitelist
2011-01-26 | - change the internal handling of Extensions in pkgAcqIndex | David Kalnischkies
      - add a special uncompressed compression type to prefer those files
    * methods/{gzip,bzip}.cc:
      - print a good error message if FileSize() is zero
2011-01-20 | - try downloading clearsigned InRelease before trying Release.gpg | David Kalnischkies
    * apt-pkg/deb/deblistparser.cc:
      - rewrite LoadReleaseInfo to cope with clearsigned Releasefiles
2011-01-15 | * methods/rred.cc: | David Kalnischkies
      - operate optional on gzip compressed pdiffs
    * apt-pkg/acquire-item.cc:
      - don't uncompress downloaded pdiff files before feeding it to rred
2010-09-09 | Fix missing space after dot in a message from apt-pkg | bubulle@debian.org
    Translations unfuzzied. Thanks to Holger Wansing.
2010-09-09 | * apt-pkg/acquire-item.cc: | David Kalnischkies
      - use also unsigned Release files again (Closes: #596189)
2010-08-21 | * apt-pkg/acquire-item.cc: | David Kalnischkies
      - don't use ReadOnlyGzip mode for PDiffs as this mode doesn't work in combination with the AddFd methods of our hashclasses
    Add also 2 testcases: one to test pdiffs in general and one to test the handling of compressed indexes.
2010-07-11 | mark all "Hash Sum mismatch" strings as translatable | David Kalnischkies
2010-07-11 | [ Martin Pitt ] | David Kalnischkies
    * debian/rules:
      - Make DEB_BUILD_OPTIONS=noopt actually work by passing the right CXXFLAGS.
    * apt-pkg/contrib/fileutl.{h,cc}:
      - Add support for reading of gzipped files with the new "ReadOnlyGzip" OpenMode. (Closes: #188407)
      - Link against zlib (in apt-pkg/makefile) and add zlib build dependency.
      - [ABI BREAK] This adds a new private member to FileFd, but its initialization is in the public header file.
    * configure.in:
      - Check for zlib library and headers.
    * apt-pkg/acquire-item.cc, apt-pkg/deb/debindexfile.cc, apt-pkg/deb/debrecords.cc, apt-pkg/deb/debsrcrecords.h, cmdline/apt-cache.cc:
      - Open Packages, Sources, and Translations indexes in "ReadOnlyGzip" mode.
    * apt-pkg/deb/debindexfile.cc:
      - If we do not find uncompressed package/source/translation indexes, look for gzip compressed ones.
    * apt-pkg/acquire-item.cc:
      - If the Acquire::GzipIndexes option is true and we download a gzipped index file, keep it as it is (and rename to .gz) instead of uncompressing it.
    * doc/apt.conf.5.xml:
      - Document the new Acquire::GzipIndexes option.
    * doc/po/apt-doc.pot, doc/po/de.po:
      - German translation of new Acquire::GzipIndexes option.
    * Add test/test-indexes.sh:
      - Test behaviour of index retrieval and usage, in particular with uncompressed and gzip compressed indexes.
    * methods/gzip.cc:
      With FileFd now being able to read gzipped files, there is no need for the gzip method any more to spawn an external gzip process. Rewrite it to use FileFd directly, which makes the code a lot simpler, and also using less memory and overhead.