| Age | Commit message (Collapse) | Author |
|---|
|
|
|
This adds support for Phased-Update-Percentage by pinning
upgrades that are not to be installed down to 1.
The output of policy has been changed to add the level of
phasing, and documentation has been improved to document
how phased updates work.
The patch detects if it is running in a chroot, and if so, always
includes phased updates, restoring classic apt behavior to avoid
behavioral changes on buildd chroots.
Various options are added to control this all:
* APT::Get::{Always,Never}-Include-Phased-Updates and their legacy
update-manager equivalents to always or never include phased updates
* APT::Machine-ID can be set to a UUID string to have all machines in a
fleet phase the same
* Dir::Etc::Machine-ID is weird in that it's default is sort of like
../machine-id, but not really, as ../machine-id would look up
$PWD/../machine-id and not relative to Dir::Etc; but it allows you to
override the path to machine-id (as opposed to the value)
* Dir::Bin::ischroot is the path to the ischroot(1) binary which is used
to detect whether we are running in a chroot.
|
|
Kernels clutter /boot and /boot is small size, so we need to take
extra care to remove kernels when possible.
|
|
|
|
This is a rework of !6 with additional stuff for the frontend
lock, so we can lock the frontend lock and then keep looping
over dpkg lock.
|
|
|
|
This is the first step. Next step will be to add warnings to
apt-get and then remove support there as well.
|
|
|
|
This avoids downgrade attacks where an attacker could inject
Location: http://private.example/
and then (having access to raw data to private.example, for example,
by opening a port there, or sniffing network traffic) read the credentials
for the private repository.
Closes: #945911
|
|
The value as shown in the NEWS file (not in the code) has a typo in
which just a "/" and ":" are swapped.
Closes: #917986
|
|
|
|
This avoids a lot of problems from local installations of
scripting languages and other stuff in /usr/local for which
maintainer scripts are not prepared.
[v3: Inherit PATH during tests, check overrides work]
[v2: Add testing]
|
|
Closes: 892792
|
|
Reported-By: codespell & spellintian
Gbp-Dch: Ignore
|
|
|
|
LP: #1732030
Closes: #890489
Fixes meefik/linuxdeploy#869
|
|
|
|
By restricting the Date field to be in the past, an attacker cannot
just create a repository from the future that would be accepted as
a valid update for a repository.
This check can be disabled by Acquire::Check-Date set to false. This
will also disable Check-Valid-Until and any future date related checking,
if any - the option means: "my computers date cannot be trusted."
Modify the tests to allow repositories to be up to 10 hours in the
future, so we can keep using hours there to simulate time changes.
|
|
|
|
This reduces the number of syscalls to about 140 from about
350 or so, significantly reducing security risks.
Also change prepare-release to ignore the architecture lists
in the build dependencies when generating the build-depends
package for travis.
We might want to clean up things a bit more and/or move it
somewhere else.
|
|
|
|
|
|
The old curl based method is still available as 'curl',
'curl+http', and 'curl+https'.
|
|
|
|
The exception was made to give (script) users a one-release grace period
to adapt their setup to deal with apt enforcing signing of repositories.
As we are now at the start of a new release cycle its as good a time as
any to lift it now.
Removes-Exception: 952ee63b0af14a534c0aca00c11d1a99be6b22b2
|
|
|
|
|
|
|
|
Change the trust level check to allow downgrading an Untrusted
option to weak (APT::Hashes::SHA1::Weak "yes";), so it prints
a warning instead of an error; and change the default values
for SHA1 and RIPE-MD/160 from Weak to Untrusted.
|
|
This was only needed temporarily
Thanks: Axel Beckert for reporting
|
|
|
|
I find the per-binary overrides a bit confusing in their current
form, but let's tell the user the truth.
Closes: #812111
|
|
Reported-By: Mattia Rizzolo (on IRC)
Gbp-Dch: ignore
|
|
|
|
|
|
Git-Dch: ignore
|
|
|
|
|
|
|
|
[ David Kalnischkies ]
* apt-pkg/depcache.cc:
- add SetCandidateRelease() to set a candidate version and
the candidates of dependencies if needed to a specified
release (Closes: #572709)
* cmdline/apt-get.cc:
- if --print-uris is used don't setup downloader as we don't need
progress, lock nor the directories it would create otherwise
- show dependencies of essential packages which are going to remove
only if they cause the remove of this essential (Closes: #601961)
- keep not installed garbage packages uninstalled instead of showing
in the autoremove section and installing those (Closes: #604222)
- change pkg/release behavior to use the new SetCandidateRelease
so installing packages from experimental or backports is easier
- really do not show packages in the extra section if they were
requested on the commandline, e.g. with a modifier (Closes: #184730)
* debian/control:
- add Vcs-Browser now that loggerhead works again (Closes: #511168)
- depend on debhelper 7 to raise compat level
- depend on dpkg-dev (>= 1.15.8) to have c++ symbol mangling
* apt-pkg/contrib/fileutl.cc:
- add a RealFileExists method and check that your configuration files
are real files to avoid endless loops if not (Closes: #604401)
- ignore non-regular files in GetListOfFilesInDir (Closes: #594694)
* apt-pkg/contrib/weakptr.h:
- include stddefs.h to fix compile error (undefined NULL) with gcc-4.6
* methods/https.cc:
- fix CURLOPT_SSL_VERIFYHOST by really passing 2 to it if enabled
* deb/dpkgpm.cc:
- fix popen/fclose mismatch reported by cppcheck. Thanks to Petter
Reinholdtsen for report and patch! (Closes: #607803)
* doc/apt.conf.5.xml:
- fix multipl{y,e} spelling error reported by Jakub Wilk (Closes: #607636)
* apt-inst/contrib/extracttar.cc:
- let apt-utils work with encoded tar headers if uid/gid are large.
Thanks to Nobuhiro Hayashi for the patch! (Closes: #330162)
* apt-pkg/cacheiterator.h:
- do not segfault if cache is not build (Closes: #254770)
* doc/apt-get.8.xml:
- remove duplicated mentioning of --install-recommends
* doc/sources.list.5.xml:
- remove obsolete references to non-us (Closes: #594495)
* debian/rules:
- use -- instead of deprecated -u for dh_gencontrol
- remove shlibs.local creation and usage
- show differences in the symbol files, but never fail
* pre-build.sh:
- remove as it is not needed for a working 'bzr bd'
* debian/{apt,apt-utils}.symbols:
- ship experimental unmangled c++ symbol files
* methods/rred.cc:
- operate optional on gzip compressed pdiffs
* apt-pkg/acquire-item.cc:
- don't uncompress downloaded pdiff files before feeding it to rred
- try downloading clearsigned InRelease before trying Release.gpg
- change the internal handling of Extensions in pkgAcqIndex
- add a special uncompressed compression type to prefer those files
- download and use i18n/Index to choose which Translations to download
* cmdline/apt-key:
- don't set trustdb-name as non-root so 'list' and 'finger'
can be used without being root (Closes: #393005, #592107)
* apt-pkg/deb/deblistparser.cc:
- rewrite LoadReleaseInfo to cope with clearsigned Releasefiles
* ftparchive/writer.cc:
- add config option to search for more patterns in release command
- include Index files by default in the Release file
* methods/{gzip,bzip}.cc:
- print a good error message if FileSize() is zero
* apt-pkg/aptconfiguration.cc:
- remove the inbuilt Translation files whitelist
|
|
|
|
- add SetCandidateRelease() to set a candidate version and
the candidates of dependencies if needed to a specified
release (Closes: #572709)
- change pkg/release behavior to use the new SetCandidateRelease
so installing packages from experimental or backports is easier
|
|
- Read default configuration (Closes: #383257)
|
|
W: spelling-error-in-news-debian: informations -> information
|
|
#557674)
|
|
user-visible changes.
|
|
|
|
|
|
by debhelper and, so, installed.
|
