Age | Commit message (Collapse) | Author |
|
Various small leaks here and there. Nothing particularily big, but still
good to fix. Found by the sanitizers while running our testcases.
Reported-By: gcc -fsanitize
Git-Dch: Ignore
|
|
Some of them modify the ABI, but given that we prepare a big one
already, these few hardly count for much.
Git-Dch: Ignore
|
|
At the moment we only have hashes for the uncompressed pdiff files, but
via the new '$HASH-Download' field in the .diff/Index hashes can be
provided for the .gz compressed pdiff file, which apt will pick up now
and use to verify the download. Now, we "just" need a buy in from the
creators of repositories…
|
|
Having every item having its own code to verify the file(s) it handles
is an errorprune process and easy to break, especially if items move
through various stages (download, uncompress, patching, …). With a giant
rework we centralize (most of) the verification to have a better
enforcement rate and (hopefully) less chance for bugs, but it breaks the
ABI bigtime in exchange – and as we break it anyway, it is broken even
harder.
It shouldn't effect most frontends as they don't deal with the acquire
system at all or implement their own items, but some do and will need to
be patched (might be an opportunity to use apt on-board material).
The theory is simple: Items implement methods to decide if hashes need to
be checked (in this stage) and to return the expected hashes for this
item (in this stage). The verification itself is done in worker message
passing which has the benefit that a hashsum error is now a proper error
for the acquire system rather than a Done() which is later revised to a
Failed().
|
|
Valid-Until protects us from long-living downgrade attacks, but not all
repositories have it and an attacker could still use older but still
valid files to downgrade us. While this makes it sounds like a security
improvement now, its a bit theoretical at best as an attacker with
capabilities to pull this off could just as well always keep us days
(but in the valid period) behind and always knows which state we have,
as we tell him with the If-Modified-Since header. This is also why this
is 'silently' ignored and treated as an IMSHit rather than screamed at
the user as this can at best be an annoyance for attackers.
An error here would 'regularily' be encountered by users by out-of-sync
mirrors serving a single run (e.g. load balancer) or in two consecutive
runs on the other hand, so it would just help teaching people ignore it.
That said, most of the code churn is caused by enforcing this additional
requirement. Crisscross from InRelease to Release.gpg is e.g. very
unlikely in practice, but if we would ignore it an attacker could
sidestep it this way.
|
|
Adding a new parameter (with a default) is an ABI break, but you can
overload a method, which is "just" an API break for everyone doing
references to this method (aka: nobody).
Git-Dch: Ignore
|
|
For compatibility we use/provide and fill quiet some deprecated methods
and fields, which subsequently earns us a warning for using them. These
warnings therefore have to be disabled for these codeparts and that is
what this change does now in a slightly more elegant way.
Git-Dch: Ignore
|
|
It is a very simple hashstring, which is why it isn't contributing to
the usability of a list of them, but it is also trivial to check and
calculate, so it doesn't hurt checking it either as it can combined even
with the simplest other hashes greatly complicate attacks on them as you
suddenly need a same-size hash collision, which is usually a lot harder
to achieve.
|
|
Do not require a special flag to be present to update trusted=yes
sources as this flag in the sources.list is obviously special enough.
Note that this is just disabling the error message, the user will still
be warned about all the (possible) failures the repository generated, it
is just triggering the acceptance of the warnings on a source-by-source
level.
Similarily, the trusted=no flag doesn't require the user to pass
additional flags to update, if the repository looks fine in the view of
apt it will update just fine. The unauthenticated warnings will "just" be
presented then the data is used.
In case you wonder: Both was the behavior in previous versions, too.
|
|
Reimplementing an inline method is opening a can of worms we don't want
to open if we ever want to us a d-pointer in those classes, so we do the
only thing which can save us from hell: move the destructors into the cc
sources and we are good.
Technically not an ABI break as the methods inline or not do the same
(nothing), so a program compiled against the old version still works
with the new version (beside that this version is still in experimental,
so nothing really has been build against this library anyway).
Git-Dch: Ignore
|
|
|
|
The by-hash can be configured on a per-hostname basis and a Release
file can indicate that it has by-hash support via a new flag.
The location of the hash now matches the AptByHash spec
|
|
This implements a apt update schema that get the indexfiles by the
hash instead of the name. The rational is that updates to the archive
servers/mirrors are not atomic so the client may have the previous
version of the Release file when the server updates to a new
Release file and new Packages/Sources/Translations indexes. By
keeping the files around by their hash we can still get the previous
indexfile without a hashsum mismatch.
Enable with APT::Acquire::By-Hash=1
|
|
It is not very extensible to have the supported Hashes hardcoded
everywhere and especially if it is part of virtual method names.
It is also possible that a method does not support the 'best' hash
(yet), so we might end up not being able to verify a file even though we
have a common subset of supported hashes. And those are just two of the
cases in which it is handy to have a more dynamic selection.
The downside is that this is a MAJOR API break, but the HashStringList
has a string constructor for compatibility, so with a bit of luck the
few frontends playing with the acquire system directly are okay.
|
|
progress information
|
|
Git-Dch: Ignore
Reported-By: gcc -Wsuggest-attribute={pure,const,noreturn}
|
|
Beside being a bit cleaner it hopefully also resolves oddball problems
I have with high levels of parallel jobs.
Git-Dch: Ignore
Reported-By: iwyu (include-what-you-use)
|
|
Git-Dch: Ignore
Reported-By: gcc -Wuseless-cast
|
|
|
|
Release files are basically one big Section, so we might safe some
Resize circles by starting with the filesize.
Git-Dch: Ignore
|
|
The file we read will always be a Release file as the clearsign is
stripped earlier in this method, so this check is just wasting CPU
Its also removing the risk that this could ever be part of a valid
section, even if I can't imagine how that should be valid.
Git-Dch: Ignore
|
|
|
|
apt-pkg/deb/deblistparser.cc:
- use OpenMaybeClearSignedFile to be free from detecting and
skipping clearsigning metadata in dsc and Release files
We can't write a "clean" file to disk as not all acquire methods copy
Release files before checking them (e.g. cdrom), so this reverts recombining,
but uses the method we use for dsc files also in the two places we
deal with Release files
|
|
- support '\r' in the Release file
|
|
- do not create empty Entries as a sideeffect of Lookup()
|
|
|
|
|
|
|
|
size are pretty unlikely for now, but we need it for deb
packages which could become bigger than 4GB now (LP: #815895)
|
|
|
|
* doc/apt.conf.5.xml:
- reword Acquire::Max-ValidTime documentation to make clear
that it doesn't provide the new Min-ValidTime functionality
|
|
- fix Acquire::Max-ValidTime option by interpreting it really
as seconds as specified in the manpage and not as days
|
|
* apt-pkg/deb/deblistparser.cc:
- rewrite LoadReleaseInfo to cope with clearsigned Releasefiles
|
|
branch to prevent replay attacks better, thanks to Thomas Viehmann
for the initial patch! (Closes: #499897)
* doc/apt.conf.5.xml:
- document the new Valid-Until related options
* apt-pkg/contrib/strutl.cc:
- split StrToTime() into HTTP1.1 and FTP date parser methods and
use strptime() instead of some self-made scanf mangling
- use the portable timegm shown in his manpage instead of a strange
looking code copycat from wget
* ftparchive/writer.cc:
- add ValidTime option to generate a Valid-Until header in Release file
|
|
|
|
provides a setting in the configuration prefer the date which is
earlier.
|
|
method and allow for better translations of the error messages
|
|
- backport forgotten Valid-Until patch from the obsolete experimental
branch to prevent replay attacks better, thanks to Thomas Viehmann
for the initial patch! (Closes: #499897)
|
|
- add a constant Exists check for MetaKeys
* apt-pkg/acquire-item.cc:
- do not try PDiff if it is not listed in the Meta file
|
|
* add hook for MarkInstall and MarkDelete (closes: #470035)
* add the various foldmarkers in apt-pkg & cmdline (no code change)
* versions with a pin of -1 shouldn't be a candidate (Closes: #355237)
* prefer mmap as memory allocator in MMap instead of a static char
array which can (at least in theory) grow dynamic
* eliminate (hopefully all) segfaults in pkgcachegen.cc and mmap.cc
which can arise if cache doesn't fit into the mmap (Closes: #535218)
* display warnings instead of errors if the parts dirs doesn't exist
* honor the dpkg hold state in new Marker hooks (closes: #64141)
|
|
|
|
- fix some i18n issues
* apt-pkg/contrib/strutl.h:
- add new strprintf() function to make i18n strings easier
|
|
and fallback
|
|
|
|
- apt-cdrom.cc seperated into frontend (cmdline/apt-cdrom.cc and library
apt-pkg/cdrom.{cc,h}) (Ubuntu #5668)
Patches applied:
* michael.vogt@ubuntu.com--2005/apt--auth-cdrom--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-51
* michael.vogt@ubuntu.com--2005/apt--auth-cdrom--0--patch-1
* added support for signed cdroms
* michael.vogt@ubuntu.com--2005/apt--auth-cdrom--0--patch-2
* merged with apt--main, seperated cmdline/apt-cdrom.cc into a library (apt-pkg/cdrom.{cc,h})
* michael.vogt@ubuntu.com--2005/apt--auth-cdrom--0--patch-3
* cleaned up the cmdline/apt-cdrom.cc code
|
|
Patches applied:
* apt@arch.ubuntu.com/apt--experimental--0.6--base-0
tag of apt@arch.ubuntu.com/apt--MAIN--0--patch-1190
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-1
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-2
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-3
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-4
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-5
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-6
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-7
Merge working copy of v0.6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-8
0.6.0 is headed for experimental, not unstable
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-9
Date
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-10
Update LIB_APT_PKG_MAJOR
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-11
- Fix a heap corruption bug in pkgSrcRecords::pkgSrcRec...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-12
Resynch
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-13
* Merge apt 0.5.17
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-14
* Rearrange Release file authentication code to be more...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-15
* Convert distribution "../project/experimental" to "ex...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-16
Merge 1.11
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-17
Merge 1.7
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-18
Merge 1.10
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-19
* Make a number of Release file errors into warnings; f...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-20
* Add space between package names when multiple unauthe...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-21
* Provide apt-key with a secret keyring and a trustdb, ...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-22
* Fix typo in apt-key(8) (standard input is '-', not '/')
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-23
0.6.2
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-24
Resynch
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-25
* Fix MetaIndexURI for flat ("foo/") sources
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-26
0.6.3
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-27
* Use the top-level Release file in LoadReleaseInfo, ra...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-28
0.6.4
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-29
Clarify
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-30
* Move the authentication check into a separate functio...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-31
* Fix display of unauthenticated packages when they are...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-32
* Move the authentication check into a separate functio...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-33
* Restore the ugly hack I removed from indexRecords::Lo...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-34
0.6.6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-35
* Forgot to revert part of the changes to tagfile in 0....
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-36
* Add a config option and corresponding command line option
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-37
0.6.8
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-38
hopefully avoid more segfaults
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-39
XXX
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-40
* Another tagfile workaround
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-41
* Use "Codename" (woody, sarge, etc.) to supply the val...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-42
* Support IMS requests of Release.gpg and Release
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-43
* Have pkgAcquireIndex calculate an MD5 sum if one is n...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-44
* Merge 0.5.18
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-45
apt (0.6.13) experimental; urgency=low
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-46
0.6.13
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-47
Merge 0.5.20
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-48
The source list works a bit differently in 0.6; fix the...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-49
* s/Debug::Acquire::gpg/&v/
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-50
* Honor the [vendor] syntax in sources.list again (thou...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-51
* Don't ship vendors.list(5) since it isn't used yet
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-52
* Revert change from 0.6.10; it was right in the first ...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-53
* Fix some cases where the .gpg file could be left in p...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-54
Print a warning if gnupg is not installed
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-55
* Handle more IMS stuff correctly
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-56
0.6.17
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-57
* Merge 0.5.21
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-58
* Add new Debian Archive Automatic Signing Key to the d...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-59
0.6.18
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-60
* Merge 0.5.22
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-61
* Convert apt-key(8) to docbook XML
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-62
Merge 0.5.23
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-63
Remove bogus partial 0.5.22 changelog entry
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-64
Make the auth warning a bit less redundant
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-65
* Merge 0.5.24
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-66
* Make the unauthenticated packages prompt more intuiti...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-67
Merge 0.5.25
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-68
* Remove obsolete pkgIterator::TargetVer() (Closes: #230159)
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-69
* Reverse test in CheckAuth to match new prompt (Closes...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-70
Update version
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-71
Fix backwards sense of CheckAuth prompt
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-72
0.6.24
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-73
Close bug
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-74
* Fix handling of two-part sources for sources.list deb...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-75
0.6.25
* apt@packages.debian.org/apt--authentication--0--base-0
tag of apt@arch.ubuntu.com/apt--experimental--0.6--patch-75
* apt@packages.debian.org/apt--authentication--0--patch-1
Michael Vogt's merge of apt--experimental--0 onto apt--main--0
* apt@packages.debian.org/apt--authentication--0--patch-2
Merge from apt--main--0
* apt@packages.debian.org/apt--authentication--0--patch-3
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-4
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-5
Update version number in configure.in
* apt@packages.debian.org/apt--authentication--0--patch-6
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-7
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-8
Merge from mvo's branch
* apt@packages.debian.org/apt--authentication--0--patch-9
Merge from mvo's tree
* apt@packages.debian.org/apt--authentication--0--patch-10
Merge from mvo
* apt@packages.debian.org/apt--authentication--0--patch-11
Fix permissions AGAIN
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--base-0
tag of michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--patch-1
* star-merged matt's changes (bz2 support for data-members in debs)
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-1
tag of apt@packages.debian.org/apt--authentication--0--base-0
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-2
merged "tla apply-delta -A foo@ apt@arch.ubuntu.com/apt--MAIN--0--patch-1190 apt@arch.ubuntu.com/apt--MAIN--0--patch-1343" and cleaned up conflicts
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-3
* missing bits from the merge added
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-4
* star-merged with apt@packages.debian.org/apt--main--0
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-5
* tree-synced to the apt--authentication tree
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-6
* use the ubuntu-key in this version
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-7
* imported the patches from mdz
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-8
* apt-get update --print-uris works now as before (fallback to 0.5.x behaviour)
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-9
* fix for the "if any source unauthenticated, all other sources are unauthenticated too" problem
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-10
* reworked the "--print-uris" patch. it no longer uses: "APT::Get::Print-URIs" in the library
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-11
* version of the library set to 3.6
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12
* changelog finallized, will upload to people.ubuntulinux.org/~mvo/apt-authentication
* michael.vogt@canonical.com--2004/apt--main-authentication--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-22
* michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-1
* star-merge from apt--experimental--0.6
* michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-2
* compile failure fix for methods/http.cc, po-file fixes
|