Age | Commit message (Collapse) | Author |
|
Some of them modify the ABI, but given that we prepare a big one
already, these few hardly count for much.
Git-Dch: Ignore
|
|
To have a chance to keep the ABI for a while we need all three to team
up. One of them missing and we might loose, so ensuring that they are
available is a very tedious but needed task once in a while.
Git-Dch: Ignore
|
|
Valid-Until protects us from long-living downgrade attacks, but not all
repositories have it and an attacker could still use older but still
valid files to downgrade us. While this makes it sounds like a security
improvement now, its a bit theoretical at best as an attacker with
capabilities to pull this off could just as well always keep us days
(but in the valid period) behind and always knows which state we have,
as we tell him with the If-Modified-Since header. This is also why this
is 'silently' ignored and treated as an IMSHit rather than screamed at
the user as this can at best be an annoyance for attackers.
An error here would 'regularily' be encountered by users by out-of-sync
mirrors serving a single run (e.g. load balancer) or in two consecutive
runs on the other hand, so it would just help teaching people ignore it.
That said, most of the code churn is caused by enforcing this additional
requirement. Crisscross from InRelease to Release.gpg is e.g. very
unlikely in practice, but if we would ignore it an attacker could
sidestep it this way.
|
|
Adding a new parameter (with a default) is an ABI break, but you can
overload a method, which is "just" an API break for everyone doing
references to this method (aka: nobody).
Git-Dch: Ignore
|
|
For compatibility we use/provide and fill quiet some deprecated methods
and fields, which subsequently earns us a warning for using them. These
warnings therefore have to be disabled for these codeparts and that is
what this change does now in a slightly more elegant way.
Git-Dch: Ignore
|
|
Do not require a special flag to be present to update trusted=yes
sources as this flag in the sources.list is obviously special enough.
Note that this is just disabling the error message, the user will still
be warned about all the (possible) failures the repository generated, it
is just triggering the acceptance of the warnings on a source-by-source
level.
Similarily, the trusted=no flag doesn't require the user to pass
additional flags to update, if the repository looks fine in the view of
apt it will update just fine. The unauthenticated warnings will "just" be
presented then the data is used.
In case you wonder: Both was the behavior in previous versions, too.
|
|
Reimplementing an inline method is opening a can of worms we don't want
to open if we ever want to us a d-pointer in those classes, so we do the
only thing which can save us from hell: move the destructors into the cc
sources and we are good.
Technically not an ABI break as the methods inline or not do the same
(nothing), so a program compiled against the old version still works
with the new version (beside that this version is still in experimental,
so nothing really has been build against this library anyway).
Git-Dch: Ignore
|
|
We are the only possible users of private methods, so we are also the
only users who can potentially export them via using them in inline
methods. The point is: We don't need these symbols exported if we don't
do this, so marking them as hidden removes some methods from the API
without breaking anything as nobody could have used them.
Git-Dch: Ignore
|
|
The by-hash can be configured on a per-hostname basis and a Release
file can indicate that it has by-hash support via a new flag.
The location of the hash now matches the AptByHash spec
|
|
It is not very extensible to have the supported Hashes hardcoded
everywhere and especially if it is part of virtual method names.
It is also possible that a method does not support the 'best' hash
(yet), so we might end up not being able to verify a file even though we
have a common subset of supported hashes. And those are just two of the
cases in which it is handy to have a more dynamic selection.
The downside is that this is a MAJOR API break, but the HashStringList
has a string constructor for compatibility, so with a bit of luck the
few frontends playing with the acquire system directly are okay.
|
|
progress information
|
|
Beside being a bit cleaner it hopefully also resolves oddball problems
I have with high levels of parallel jobs.
Git-Dch: Ignore
Reported-By: iwyu (include-what-you-use)
|
|
|
|
The breakage is just to big for now, so guard the change with
#ifndef APT_8_CLEANER_HEADERS and be nice to library users
|
|
|
|
|
|
size are pretty unlikely for now, but we need it for deb
packages which could become bigger than 4GB now (LP: #815895)
|
|
branch to prevent replay attacks better, thanks to Thomas Viehmann
for the initial patch! (Closes: #499897)
* doc/apt.conf.5.xml:
- document the new Valid-Until related options
* apt-pkg/contrib/strutl.cc:
- split StrToTime() into HTTP1.1 and FTP date parser methods and
use strptime() instead of some self-made scanf mangling
- use the portable timegm shown in his manpage instead of a strange
looking code copycat from wget
* ftparchive/writer.cc:
- add ValidTime option to generate a Valid-Until header in Release file
|
|
- backport forgotten Valid-Until patch from the obsolete experimental
branch to prevent replay attacks better, thanks to Thomas Viehmann
for the initial patch! (Closes: #499897)
|
|
- add a constant Exists check for MetaKeys
* apt-pkg/acquire-item.cc:
- do not try PDiff if it is not listed in the Meta file
|
|
and fallback
|
|
|
|
|
|
- apt-cdrom.cc seperated into frontend (cmdline/apt-cdrom.cc and library
apt-pkg/cdrom.{cc,h}) (Ubuntu #5668)
Patches applied:
* michael.vogt@ubuntu.com--2005/apt--auth-cdrom--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-51
* michael.vogt@ubuntu.com--2005/apt--auth-cdrom--0--patch-1
* added support for signed cdroms
* michael.vogt@ubuntu.com--2005/apt--auth-cdrom--0--patch-2
* merged with apt--main, seperated cmdline/apt-cdrom.cc into a library (apt-pkg/cdrom.{cc,h})
* michael.vogt@ubuntu.com--2005/apt--auth-cdrom--0--patch-3
* cleaned up the cmdline/apt-cdrom.cc code
|
|
Patches applied:
* apt@arch.ubuntu.com/apt--experimental--0.6--base-0
tag of apt@arch.ubuntu.com/apt--MAIN--0--patch-1190
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-1
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-2
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-3
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-4
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-5
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-6
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-7
Merge working copy of v0.6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-8
0.6.0 is headed for experimental, not unstable
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-9
Date
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-10
Update LIB_APT_PKG_MAJOR
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-11
- Fix a heap corruption bug in pkgSrcRecords::pkgSrcRec...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-12
Resynch
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-13
* Merge apt 0.5.17
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-14
* Rearrange Release file authentication code to be more...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-15
* Convert distribution "../project/experimental" to "ex...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-16
Merge 1.11
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-17
Merge 1.7
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-18
Merge 1.10
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-19
* Make a number of Release file errors into warnings; f...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-20
* Add space between package names when multiple unauthe...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-21
* Provide apt-key with a secret keyring and a trustdb, ...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-22
* Fix typo in apt-key(8) (standard input is '-', not '/')
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-23
0.6.2
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-24
Resynch
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-25
* Fix MetaIndexURI for flat ("foo/") sources
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-26
0.6.3
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-27
* Use the top-level Release file in LoadReleaseInfo, ra...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-28
0.6.4
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-29
Clarify
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-30
* Move the authentication check into a separate functio...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-31
* Fix display of unauthenticated packages when they are...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-32
* Move the authentication check into a separate functio...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-33
* Restore the ugly hack I removed from indexRecords::Lo...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-34
0.6.6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-35
* Forgot to revert part of the changes to tagfile in 0....
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-36
* Add a config option and corresponding command line option
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-37
0.6.8
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-38
hopefully avoid more segfaults
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-39
XXX
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-40
* Another tagfile workaround
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-41
* Use "Codename" (woody, sarge, etc.) to supply the val...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-42
* Support IMS requests of Release.gpg and Release
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-43
* Have pkgAcquireIndex calculate an MD5 sum if one is n...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-44
* Merge 0.5.18
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-45
apt (0.6.13) experimental; urgency=low
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-46
0.6.13
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-47
Merge 0.5.20
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-48
The source list works a bit differently in 0.6; fix the...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-49
* s/Debug::Acquire::gpg/&v/
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-50
* Honor the [vendor] syntax in sources.list again (thou...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-51
* Don't ship vendors.list(5) since it isn't used yet
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-52
* Revert change from 0.6.10; it was right in the first ...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-53
* Fix some cases where the .gpg file could be left in p...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-54
Print a warning if gnupg is not installed
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-55
* Handle more IMS stuff correctly
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-56
0.6.17
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-57
* Merge 0.5.21
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-58
* Add new Debian Archive Automatic Signing Key to the d...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-59
0.6.18
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-60
* Merge 0.5.22
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-61
* Convert apt-key(8) to docbook XML
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-62
Merge 0.5.23
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-63
Remove bogus partial 0.5.22 changelog entry
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-64
Make the auth warning a bit less redundant
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-65
* Merge 0.5.24
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-66
* Make the unauthenticated packages prompt more intuiti...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-67
Merge 0.5.25
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-68
* Remove obsolete pkgIterator::TargetVer() (Closes: #230159)
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-69
* Reverse test in CheckAuth to match new prompt (Closes...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-70
Update version
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-71
Fix backwards sense of CheckAuth prompt
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-72
0.6.24
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-73
Close bug
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-74
* Fix handling of two-part sources for sources.list deb...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-75
0.6.25
* apt@packages.debian.org/apt--authentication--0--base-0
tag of apt@arch.ubuntu.com/apt--experimental--0.6--patch-75
* apt@packages.debian.org/apt--authentication--0--patch-1
Michael Vogt's merge of apt--experimental--0 onto apt--main--0
* apt@packages.debian.org/apt--authentication--0--patch-2
Merge from apt--main--0
* apt@packages.debian.org/apt--authentication--0--patch-3
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-4
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-5
Update version number in configure.in
* apt@packages.debian.org/apt--authentication--0--patch-6
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-7
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-8
Merge from mvo's branch
* apt@packages.debian.org/apt--authentication--0--patch-9
Merge from mvo's tree
* apt@packages.debian.org/apt--authentication--0--patch-10
Merge from mvo
* apt@packages.debian.org/apt--authentication--0--patch-11
Fix permissions AGAIN
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--base-0
tag of michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--patch-1
* star-merged matt's changes (bz2 support for data-members in debs)
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-1
tag of apt@packages.debian.org/apt--authentication--0--base-0
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-2
merged "tla apply-delta -A foo@ apt@arch.ubuntu.com/apt--MAIN--0--patch-1190 apt@arch.ubuntu.com/apt--MAIN--0--patch-1343" and cleaned up conflicts
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-3
* missing bits from the merge added
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-4
* star-merged with apt@packages.debian.org/apt--main--0
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-5
* tree-synced to the apt--authentication tree
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-6
* use the ubuntu-key in this version
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-7
* imported the patches from mdz
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-8
* apt-get update --print-uris works now as before (fallback to 0.5.x behaviour)
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-9
* fix for the "if any source unauthenticated, all other sources are unauthenticated too" problem
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-10
* reworked the "--print-uris" patch. it no longer uses: "APT::Get::Print-URIs" in the library
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-11
* version of the library set to 3.6
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12
* changelog finallized, will upload to people.ubuntulinux.org/~mvo/apt-authentication
* michael.vogt@canonical.com--2004/apt--main-authentication--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-22
* michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-1
* star-merge from apt--experimental--0.6
* michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-2
* compile failure fix for methods/http.cc, po-file fixes
|