| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2019-11-27 | Remove failed trusted signature instead of index on IMS hit | David Kalnischkies | |
| While passing the combi Release and Release.gpg to the gpgv method for verification the filename of Release is placed where usually Release.gpg is assumed in the rest of the code. The "usual" cases like passing verification and failing verification ending in an error are taking care of this, but the code path dealing with a failed verification, but ignoring said failure (e.g. due to trusted=yes) was not which results in the wrong file being removed later on (in case the index happens to be unmodified since the last update call) leading us into the abyss of strange failures (fixed in the previous commit) were nothing should have changed. This is not a security issue in this form as the repository needs to fail verification & the user forcing apt to ignore the failure and carry on anyhow. It does show however how complicated the code and its various interconnected paths can become. Reported-By: Val "pinkieval" Lorentz on IRC | |||
| 2019-11-27 | Use correct filename on IMS-hit reverify for indices | David Kalnischkies | |
| If we have no old Release file, but old indices we can't compare hashsums with the new Release file and hence must request the indices again and have to react to IMS hits if they didn't change. We used to symlink the old index file to the partial directory, but that usually meant that we linked an uncompressed file to a compressed file, which not all uncompressors can deal with transparently resulting in strange failures. We could do without the symlink, but that would require changes in the codepaths dealing with failure as they would rename the file to FAILED. | |||
 |
index : apt.git | |
| Saurik's version of apt managed for tvOS/ARM64 | Sam Bingner |
| summaryrefslogtreecommitdiff |