Age | Commit message (Collapse) | Author |
|
By restricting the Date field to be in the past, an attacker cannot
just create a repository from the future that would be accepted as
a valid update for a repository.
This check can be disabled by Acquire::Check-Date set to false. This
will also disable Check-Valid-Until and any future date related checking,
if any - the option means: "my computers date cannot be trusted."
Modify the tests to allow repositories to be up to 10 hours in the
future, so we can keep using hours there to simulate time changes.
|
|
|
|
This reduces the number of syscalls to about 140 from about
350 or so, significantly reducing security risks.
Also change prepare-release to ignore the architecture lists
in the build dependencies when generating the build-depends
package for travis.
We might want to clean up things a bit more and/or move it
somewhere else.
|
|
|
|
|
|
The old curl based method is still available as 'curl',
'curl+http', and 'curl+https'.
|
|
|
|
The exception was made to give (script) users a one-release grace period
to adapt their setup to deal with apt enforcing signing of repositories.
As we are now at the start of a new release cycle its as good a time as
any to lift it now.
Removes-Exception: 952ee63b0af14a534c0aca00c11d1a99be6b22b2
|
|
|
|
|
|
|
|
Change the trust level check to allow downgrading an Untrusted
option to weak (APT::Hashes::SHA1::Weak "yes";), so it prints
a warning instead of an error; and change the default values
for SHA1 and RIPE-MD/160 from Weak to Untrusted.
|
|
This was only needed temporarily
Thanks: Axel Beckert for reporting
|
|
|
|
I find the per-binary overrides a bit confusing in their current
form, but let's tell the user the truth.
Closes: #812111
|
|
Reported-By: Mattia Rizzolo (on IRC)
Gbp-Dch: ignore
|
|
|
|
|
|
Git-Dch: ignore
|
|
|
|
|
|
|
|
[ David Kalnischkies ]
* apt-pkg/depcache.cc:
- add SetCandidateRelease() to set a candidate version and
the candidates of dependencies if needed to a specified
release (Closes: #572709)
* cmdline/apt-get.cc:
- if --print-uris is used don't setup downloader as we don't need
progress, lock nor the directories it would create otherwise
- show dependencies of essential packages which are going to remove
only if they cause the remove of this essential (Closes: #601961)
- keep not installed garbage packages uninstalled instead of showing
in the autoremove section and installing those (Closes: #604222)
- change pkg/release behavior to use the new SetCandidateRelease
so installing packages from experimental or backports is easier
- really do not show packages in the extra section if they were
requested on the commandline, e.g. with a modifier (Closes: #184730)
* debian/control:
- add Vcs-Browser now that loggerhead works again (Closes: #511168)
- depend on debhelper 7 to raise compat level
- depend on dpkg-dev (>= 1.15.8) to have c++ symbol mangling
* apt-pkg/contrib/fileutl.cc:
- add a RealFileExists method and check that your configuration files
are real files to avoid endless loops if not (Closes: #604401)
- ignore non-regular files in GetListOfFilesInDir (Closes: #594694)
* apt-pkg/contrib/weakptr.h:
- include stddefs.h to fix compile error (undefined NULL) with gcc-4.6
* methods/https.cc:
- fix CURLOPT_SSL_VERIFYHOST by really passing 2 to it if enabled
* deb/dpkgpm.cc:
- fix popen/fclose mismatch reported by cppcheck. Thanks to Petter
Reinholdtsen for report and patch! (Closes: #607803)
* doc/apt.conf.5.xml:
- fix multipl{y,e} spelling error reported by Jakub Wilk (Closes: #607636)
* apt-inst/contrib/extracttar.cc:
- let apt-utils work with encoded tar headers if uid/gid are large.
Thanks to Nobuhiro Hayashi for the patch! (Closes: #330162)
* apt-pkg/cacheiterator.h:
- do not segfault if cache is not build (Closes: #254770)
* doc/apt-get.8.xml:
- remove duplicated mentioning of --install-recommends
* doc/sources.list.5.xml:
- remove obsolete references to non-us (Closes: #594495)
* debian/rules:
- use -- instead of deprecated -u for dh_gencontrol
- remove shlibs.local creation and usage
- show differences in the symbol files, but never fail
* pre-build.sh:
- remove as it is not needed for a working 'bzr bd'
* debian/{apt,apt-utils}.symbols:
- ship experimental unmangled c++ symbol files
* methods/rred.cc:
- operate optional on gzip compressed pdiffs
* apt-pkg/acquire-item.cc:
- don't uncompress downloaded pdiff files before feeding it to rred
- try downloading clearsigned InRelease before trying Release.gpg
- change the internal handling of Extensions in pkgAcqIndex
- add a special uncompressed compression type to prefer those files
- download and use i18n/Index to choose which Translations to download
* cmdline/apt-key:
- don't set trustdb-name as non-root so 'list' and 'finger'
can be used without being root (Closes: #393005, #592107)
* apt-pkg/deb/deblistparser.cc:
- rewrite LoadReleaseInfo to cope with clearsigned Releasefiles
* ftparchive/writer.cc:
- add config option to search for more patterns in release command
- include Index files by default in the Release file
* methods/{gzip,bzip}.cc:
- print a good error message if FileSize() is zero
* apt-pkg/aptconfiguration.cc:
- remove the inbuilt Translation files whitelist
|
|
|
|
- add SetCandidateRelease() to set a candidate version and
the candidates of dependencies if needed to a specified
release (Closes: #572709)
- change pkg/release behavior to use the new SetCandidateRelease
so installing packages from experimental or backports is easier
|
|
- Read default configuration (Closes: #383257)
|
|
W: spelling-error-in-news-debian: informations -> information
|
|
#557674)
|
|
user-visible changes.
|
|
|
|
|
|
by debhelper and, so, installed.
|