From 081fbea14d12f79c8d91ce4fe1f1004c7bc08656 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 12 Apr 2017 17:39:06 +0200 Subject: error in update on Release information changes The value of Origin, Label, Codename and co can be used in user configuration from apts own pinning to unattended upgrades. A repository changing this values can therefore have serious effects on the behaviour of apt and other tools using these values. In a first step we will generate error messages for these changes now explaining the need for explicit confirmation and provide config options and commandline flags to accept them. --- apt-pkg/acquire-item.cc | 60 +++++++++++++++-- apt-pkg/deb/debmetaindex.cc | 19 +++++- apt-pkg/metaindex.cc | 32 ++++++++- apt-pkg/metaindex.h | 13 +++- apt-private/private-cmndline.cc | 11 +++- doc/apt-get.8.xml | 17 +++++ doc/apt-secure.8.xml | 42 ++++++++---- doc/examples/configure-index | 35 ++++++++-- .../test-apt-update-releaseinfo-changes | 77 ++++++++++++++++++++++ ...bug-841874-warning-for-mismatching-distribution | 12 ---- test/integration/test-policy-pinning | 2 +- 11 files changed, 277 insertions(+), 43 deletions(-) create mode 100755 test/integration/test-apt-update-releaseinfo-changes diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 574ef4939..f5ff8288b 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1605,13 +1605,63 @@ bool pkgAcqMetaBase::VerifyVendor(string const &) /*{{{*/ if (TransactionManager->MetaIndexParser->CheckDist(ExpectedDist) == false) _error->Warning(_("Conflicting distribution: %s (expected %s but got %s)"), Desc.Description.c_str(), ExpectedDist.c_str(), NowCodename.c_str()); - // might be okay, might be not + + // changed info potentially breaks user config like pinning if (TransactionManager->LastMetaIndexParser != nullptr) { - auto const LastCodename = TransactionManager->LastMetaIndexParser->GetCodename(); - if (LastCodename.empty() == false && NowCodename.empty() == false && LastCodename != NowCodename) - _error->Warning(_("Conflicting distribution: %s (expected %s but got %s)"), - Desc.Description.c_str(), LastCodename.c_str(), NowCodename.c_str()); + auto const AllowInfoChange = _config->FindB("Acquire::AllowReleaseInfoChange", false); + auto const quietInfoChange = _config->FindB("quiet::ReleaseInfoChange", false); + struct { + char const * const Type; + bool const Allowed; + decltype(&metaIndex::GetOrigin) const Getter; + } checkers[] = { + { "Origin", AllowInfoChange, &metaIndex::GetOrigin }, + { "Label", AllowInfoChange, &metaIndex::GetLabel }, + { "Version", true, &metaIndex::GetVersion }, // numbers change all the time, that is okay + { "Suite", AllowInfoChange, &metaIndex::GetSuite }, + { "Codename", AllowInfoChange, &metaIndex::GetCodename }, + { nullptr, false, nullptr } + }; + auto const CheckReleaseInfo = [&](char const * const Type, bool const AllowChange, decltype(checkers[0].Getter) const Getter) { + std::string const Last = (TransactionManager->LastMetaIndexParser->*Getter)(); + std::string const Now = (TransactionManager->MetaIndexParser->*Getter)(); + if (Last == Now) + return true; + auto const Allow = _config->FindB(std::string("Acquire::AllowReleaseInfoChange::").append(Type), AllowChange); + auto const msg = _("Repository '%s' changed its '%s' value from '%s' to '%s'"); + if (Allow == false) + _error->Error(msg, Desc.Description.c_str(), Type, Last.c_str(), Now.c_str()); + else if (_config->FindB(std::string("quiet::ReleaseInfoChange::").append(Type), quietInfoChange) == false) + _error->Notice(msg, Desc.Description.c_str(), Type, Last.c_str(), Now.c_str()); + return Allow; + }; + bool CRI = true; + for (short i = 0; checkers[i].Type != nullptr; ++i) + if (CheckReleaseInfo(checkers[i].Type, checkers[i].Allowed, checkers[i].Getter) == false) + CRI = false; + + { + auto const Last = TransactionManager->LastMetaIndexParser->GetDefaultPin(); + auto const Now = TransactionManager->MetaIndexParser->GetDefaultPin(); + if (Last != Now) + { + auto const Allow = _config->FindB("Acquire::AllowReleaseInfoChange::DefaultPin", AllowInfoChange); + auto const msg = _("Repository '%s' changed its default priority for %s from %hi to %hi."); + if (Allow == false) + _error->Error(msg, Desc.Description.c_str(), "apt_preferences(5)", Last, Now); + else if (_config->FindB("quiet::ReleaseInfoChange::DefaultPin", quietInfoChange) == false) + _error->Notice(msg, Desc.Description.c_str(), "apt_preferences(5)", Last, Now); + CRI &= Allow; + } + } + if (CRI == false) + { + // TRANSLATOR: %s is the name of the manpage in question, e.g. apt-secure(8) + _error->Notice(_("This must be accepted explicitly before updates for " + "this repository can be applied. See %s manpage for details."), "apt-secure(8)"); + return false; + } } return true; } diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc index 8c82414cb..424ef08f6 100644 --- a/apt-pkg/deb/debmetaindex.cc +++ b/apt-pkg/deb/debmetaindex.cc @@ -393,6 +393,9 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro // FIXME: find better tag name SupportsAcquireByHash = Section.FindB("Acquire-By-Hash", false); + SetOrigin(Section.FindS("Origin")); + SetLabel(Section.FindS("Label")); + SetVersion(Section.FindS("Version")); Suite = Section.FindS("Suite"); Codename = Section.FindS("Codename"); { @@ -415,6 +418,20 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro else // e.g. security.debian.org uses this style d->SupportedComponents.push_back(comp.substr(pos + 1)); } + { + decltype(pkgCache::ReleaseFile::Flags) flags = 0; + Section.FindFlag("NotAutomatic", flags, pkgCache::Flag::NotAutomatic); + signed short defaultpin = 500; + if ((flags & pkgCache::Flag::NotAutomatic) == pkgCache::Flag::NotAutomatic) + { + Section.FindFlag("ButAutomaticUpgrades", flags, pkgCache::Flag::ButAutomaticUpgrades); + if ((flags & pkgCache::Flag::ButAutomaticUpgrades) == pkgCache::Flag::ButAutomaticUpgrades) + defaultpin = 100; + else + defaultpin = 1; + } + SetDefaultPin(defaultpin); + } bool FoundHashSum = false; bool FoundStrongHashSum = false; @@ -472,7 +489,6 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro if (CheckValidUntil == true) { - std::string const Label = Section.FindS("Label"); std::string const StrValidUntil = Section.FindS("Valid-Until"); // if we have a Valid-Until header in the Release file, use it as default @@ -485,6 +501,7 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro return false; } } + auto const Label = GetLabel(); // get the user settings for this archive and use what expires earlier time_t MaxAge = d->ValidUntilMax; if (MaxAge == 0) diff --git a/apt-pkg/metaindex.cc b/apt-pkg/metaindex.cc index 624c7c9c7..8765851d6 100644 --- a/apt-pkg/metaindex.cc +++ b/apt-pkg/metaindex.cc @@ -9,6 +9,16 @@ #include /*}}}*/ +class metaIndexPrivate /*{{{*/ +{ + public: + std::string Origin; + std::string Label; + std::string Version; + signed short DefaultPin; +}; + /*}}}*/ + std::string metaIndex::Describe() const { return "Release"; @@ -26,7 +36,7 @@ bool metaIndex::Merge(pkgCacheGenerator &Gen,OpProgress *) const metaIndex::metaIndex(std::string const &URI, std::string const &Dist, char const * const Type) -: d(NULL), Indexes(NULL), Type(Type), URI(URI), Dist(Dist), Trusted(TRI_UNSET), +: d(new metaIndexPrivate()), Indexes(NULL), Type(Type), URI(URI), Dist(Dist), Trusted(TRI_UNSET), Date(0), ValidUntil(0), SupportsAcquireByHash(false), LoadedSuccessfully(TRI_UNSET) { /* nothing */ @@ -43,6 +53,7 @@ metaIndex::~metaIndex() } for (auto const &E: Entries) delete E.second; + delete d; } // one line Getters for public fields /*{{{*/ @@ -51,8 +62,12 @@ APT_PURE std::string metaIndex::GetDist() const { return Dist; } APT_PURE const char* metaIndex::GetType() const { return Type; } APT_PURE metaIndex::TriState metaIndex::GetTrusted() const { return Trusted; } APT_PURE std::string metaIndex::GetSignedBy() const { return SignedBy; } +APT_PURE std::string metaIndex::GetOrigin() const { return d->Origin; } +APT_PURE std::string metaIndex::GetLabel() const { return d->Label; } +APT_PURE std::string metaIndex::GetVersion() const { return d->Version; } APT_PURE std::string metaIndex::GetCodename() const { return Codename; } APT_PURE std::string metaIndex::GetSuite() const { return Suite; } +APT_PURE signed short metaIndex::GetDefaultPin() const { return d->DefaultPin; } APT_PURE bool metaIndex::GetSupportsAcquireByHash() const { return SupportsAcquireByHash; } APT_PURE time_t metaIndex::GetValidUntil() const { return ValidUntil; } APT_PURE time_t metaIndex::GetDate() const { return this->Date; } @@ -104,11 +119,19 @@ std::vector metaIndex::MetaKeys() const /*{{{*/ /*}}}*/ void metaIndex::swapLoad(metaIndex * const OldMetaIndex) /*{{{*/ { - std::swap(Entries, OldMetaIndex->Entries); + std::swap(SignedBy, OldMetaIndex->SignedBy); + std::swap(Suite, OldMetaIndex->Suite); + std::swap(Codename, OldMetaIndex->Codename); std::swap(Date, OldMetaIndex->Date); std::swap(ValidUntil, OldMetaIndex->ValidUntil); std::swap(SupportsAcquireByHash, OldMetaIndex->SupportsAcquireByHash); + std::swap(Entries, OldMetaIndex->Entries); std::swap(LoadedSuccessfully, OldMetaIndex->LoadedSuccessfully); + + OldMetaIndex->SetOrigin(d->Origin); + OldMetaIndex->SetLabel(d->Label); + OldMetaIndex->SetVersion(d->Version); + OldMetaIndex->SetDefaultPin(d->DefaultPin); } /*}}}*/ @@ -136,3 +159,8 @@ bool metaIndex::HasSupportForComponent(std::string const &component) const/*{{{* return true; } /*}}}*/ + +void metaIndex::SetOrigin(std::string const &origin) { d->Origin = origin; } +void metaIndex::SetLabel(std::string const &label) { d->Label = label; } +void metaIndex::SetVersion(std::string const &version) { d->Version = version; } +void metaIndex::SetDefaultPin(signed short const defaultpin) { d->DefaultPin = defaultpin; } diff --git a/apt-pkg/metaindex.h b/apt-pkg/metaindex.h index 531143bcb..eeeb9d807 100644 --- a/apt-pkg/metaindex.h +++ b/apt-pkg/metaindex.h @@ -25,6 +25,8 @@ class IndexTarget; class pkgCacheGenerator; class OpProgress; +class metaIndexPrivate; + class metaIndex { public: @@ -43,7 +45,7 @@ public: TRI_YES, TRI_DONTCARE, TRI_NO, TRI_UNSET }; private: - void * const d; + metaIndexPrivate * const d; protected: std::vector *Indexes; // parsed from the sources.list @@ -70,8 +72,12 @@ public: TriState GetTrusted() const; std::string GetSignedBy() const; + std::string GetOrigin() const; + std::string GetLabel() const; + std::string GetVersion() const; std::string GetCodename() const; std::string GetSuite() const; + signed short GetDefaultPin() const; bool GetSupportsAcquireByHash() const; time_t GetValidUntil() const; time_t GetDate() const; @@ -112,6 +118,11 @@ public: bool IsArchitectureSupported(std::string const &arch) const; bool IsArchitectureAllSupportedFor(IndexTarget const &target) const; bool HasSupportForComponent(std::string const &component) const; + // FIXME: should be members of the class on abi break + APT_HIDDEN void SetOrigin(std::string const &origin); + APT_HIDDEN void SetLabel(std::string const &label); + APT_HIDDEN void SetVersion(std::string const &version); + APT_HIDDEN void SetDefaultPin(signed short const defaultpin); }; #endif diff --git a/apt-private/private-cmndline.cc b/apt-private/private-cmndline.cc index 06683ae61..b035d99f0 100644 --- a/apt-private/private-cmndline.cc +++ b/apt-private/private-cmndline.cc @@ -203,6 +203,15 @@ static bool addArgumentsAPTGet(std::vector &Args, char const else if (CmdMatches("update")) { addArg(0, "list-cleanup", "APT::Get::List-Cleanup", 0); + addArg(0, "allow-insecure-repositories", "Acquire::AllowInsecureRepositories", 0); + addArg(0, "allow-weak-repositories", "Acquire::AllowWeakRepositories", 0); + addArg(0, "allow-releaseinfo-change", "Acquire::AllowReleaseInfoChange", 0); + addArg(0, "allow-releaseinfo-change-origin", "Acquire::AllowReleaseInfoChange::Origin", 0); + addArg(0, "allow-releaseinfo-change-label", "Acquire::AllowReleaseInfoChange::Label", 0); + addArg(0, "allow-releaseinfo-change-version", "Acquire::AllowReleaseInfoChange::Version", 0); + addArg(0, "allow-releaseinfo-change-codename", "Acquire::AllowReleaseInfoChange::Codename", 0); + addArg(0, "allow-releaseinfo-change-suite", "Acquire::AllowReleaseInfoChange::Suite", 0); + addArg(0, "allow-releaseinfo-change-defaultpin", "Acquire::AllowReleaseInfoChange::DefaultPin", 0); } else if (CmdMatches("source")) { @@ -273,8 +282,6 @@ static bool addArgumentsAPTGet(std::vector &Args, char const addArg(0,"remove","APT::Get::Remove",0); addArg(0,"only-source","APT::Get::Only-Source",0); addArg(0,"allow-unauthenticated","APT::Get::AllowUnauthenticated",0); - addArg(0,"allow-insecure-repositories","Acquire::AllowInsecureRepositories",0); - addArg(0,"allow-weak-repositories","Acquire::AllowWeakRepositories",0); addArg(0,"install-recommends","APT::Install-Recommends",CommandLine::Boolean); addArg(0,"install-suggests","APT::Install-Suggests",CommandLine::Boolean); addArg(0,"fix-policy","APT::Get::Fix-Policy-Broken",0); diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml index 931a4f313..a38a14e0c 100644 --- a/doc/apt-get.8.xml +++ b/doc/apt-get.8.xml @@ -575,6 +575,23 @@ Configuration Item: Acquire::AllowInsecureRepositories. + + Allow the update command to continue downloading + data from a repository which changed its information of the release + contained in the repository indicating e.g a new major release. + APT will fail at the update command for such repositories until the + change is confirmed to ensure the user is prepared for the change. + See also &apt-secure; for details on the concept and configuration. + + Specialist options + (--allow-releaseinfo-changes-field) + exist to allow changes only for certain fields like origin, + label, codename, suite, + version and defaultpin. See also &apt-preferences;. + + Configuration Item: Acquire::AllowReleaseInfoChanges. + + Show user friendly progress information in the terminal window when packages are installed, upgraded or diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml index 8ad249d7c..4f5d491f3 100644 --- a/doc/apt-secure.8.xml +++ b/doc/apt-secure.8.xml @@ -13,7 +13,7 @@ &apt-email; &apt-product; - 2016-08-06T00:00:00Z + 2017-04-12T00:00:00Z @@ -50,9 +50,19 @@ that data like packages in the archive can't be modified by people who have no access to the Release file signing key. Starting with version 1.1 APT requires repositories to provide recent authentication - information for unimpeded usage of the repository. + information for unimpeded usage of the repository. Since version 1.5 changes + in the information contained in the Release file about the repository need to be + confirmed before APT continues to apply updates from this repository. + + Note: All APT-based package management front-ends like &apt-get;, &aptitude; + and &synaptic; support this authentication feature, so this manpage uses + APT to refer to them all for simplicity only. + + + + Unsigned Repositories If an archive has an unsigned Release file or no Release file at all current APT versions will refuse to download data from them by default @@ -83,16 +93,9 @@ to true or for Individual repositories with the &sources-list; option allow-downgrade-to-insecure=yes. - - - Note: All APT-based package management front-ends like &apt-get;, &aptitude; - and &synaptic; support this authentication feature, so this manpage uses - APT to refer to them all for simplicity only. - - Trusted Repositories - + Signed Repositories The chain of trust from an APT archive to the end user is made up of several steps. apt-secure is the last step in @@ -162,7 +165,22 @@ this mechanism can complement a per-package signature. - User Configuration +Information changes + + A Release file contains beside the checksums for the files in the repository + also general information about the repository like the origin, codename or + version number of the release. + + This information is shown in various places so a repository owner should always + ensure correctness. Further more user configuration like &apt-preferences; + can depend and make use of this information. Since version 1.5 the user must + therefore explicitly confirm changes to signal that the user is sufficently + prepared e.g. for the new major release of the distribution shipped in the + repository (as e.g. indicated by the codename). + + + +User Configuration apt-key is the program that manages the list of keys used by APT to trust repositories. It can be used to add or remove keys as well @@ -183,7 +201,7 @@ -Archive Configuration +Repository Configuration If you want to provide archive signatures in an archive under your maintenance you have to: diff --git a/doc/examples/configure-index b/doc/examples/configure-index index a48d4cb99..8adef26a9 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -29,10 +29,20 @@ and the syntax of configuration files and commandline options! */ -quiet ""; -quiet::NoUpdate ""; // never update progress information - included in -q=1 -quiet::NoProgress ""; // disables the 0% → 100% progress on cache generation and stuff -quiet::NoStatistic ""; // no "42 kB downloaded" stats in update +quiet "" { + NoUpdate ""; // never update progress information - included in -q=1 + NoProgress ""; // disables the 0% → 100% progress on cache generation and stuff + NoStatistic ""; // no "42 kB downloaded" stats in update + ReleaseInfoChange "" // don't even print the notices if the info change is allowed + { + Origin ""; + Label ""; + Version ""; + Codename ""; + Suite ""; + DefaultPin ""; + }; +}; // Options for APT in general APT @@ -221,6 +231,20 @@ Acquire SameMirrorForAllIndexes ""; // use the mirror serving the Release file for Packages & co + AllowInsecureRepositories ""; + AllowWeakRepositories ""; + AllowDowngradeToInsecureRepositories ""; + // allow repositories to change information potentally breaking user config like pinning + AllowReleaseInfoChange "" + { + Origin ""; + Label ""; + Version ""; // allowed by default + Codename ""; + Suite ""; + DefaultPin ""; + }; + // HTTP method configuration http { @@ -686,9 +710,6 @@ acquire::cdrom::mount ""; acquire::maxreleasefilesize ""; acquire::queuehost::limit ""; acquire::max-pipeline-depth ""; -acquire::allowinsecurerepositories ""; -acquire::allowweakrepositories ""; -acquire::allowdowngradetoinsecurerepositories ""; acquire::progress::diffpercent ""; acquire::gzipindexes ""; acquire::indextargets::randomized ""; diff --git a/test/integration/test-apt-update-releaseinfo-changes b/test/integration/test-apt-update-releaseinfo-changes new file mode 100755 index 000000000..822ae7ce7 --- /dev/null +++ b/test/integration/test-apt-update-releaseinfo-changes @@ -0,0 +1,77 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'amd64' + +insertpackage 'earth' 'human' 'all' '1' + +getoriginfromsuite() { echo -n 'Earth'; } +getlabelfromsuite() { echo -n 'Blue Planet'; } +getcodenamefromsuite() { echo -n 'home'; } +getreleaseversionfromsuite() { echo -n '1.0'; } +getnotautomaticfromsuite() { echo -n 'yes'; } +getbutautomaticupgradesfromsuite() { echo -n 'yes'; } +setupaptarchive --no-update +testsuccess aptget update + +cp -a aptarchive/dists aptarchive/dists.bak +cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists.bak +APTARCHIVE="$(readlink -f './aptarchive')" + +sed -i -e 's#^Origin: Earth#Origin: Mars#' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Origin' value from 'Earth' to 'Mars' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update +testfailure apt update --allow-releaseinfo-change-label +testsuccesswithnotice apt update --allow-releaseinfo-change +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Origin' value from 'Earth' to 'Mars'" tail -n 2 rootdir/tmp/testsuccesswithnotice.output + +rm -rf rootdir/var/lib/apt/lists +cp -a rootdir/var/lib/apt/lists.bak rootdir/var/lib/apt/lists +sed -i -e 's#^Label: Blue#Label: Red#' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Origin' value from 'Earth' to 'Mars' +E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Label' value from 'Blue Planet' to 'Red Planet' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update +testfailure apt update --allow-releaseinfo-change-label +testfailuremsg "N: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Origin' value from 'Earth' to 'Mars' +E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Label' value from 'Blue Planet' to 'Red Planet' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update --allow-releaseinfo-change-origin +testsuccess apt update --allow-releaseinfo-change-origin --allow-releaseinfo-change-label -o quiet::ReleaseInfoChange=true + +# version changes are allowed by default +sed -i -e 's#^Version: 1#Version: 2#' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Version' value from '1.0' to '2.0' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update --no-allow-releaseinfo-change-version +testsuccesswithnotice apt update +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Version' value from '1.0' to '2.0'" tail -n 2 rootdir/tmp/testsuccesswithnotice.output + +sed -i -e 's#^Codename: home#Codename: colony#' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Codename' value from 'home' to 'colony' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update --no-allow-releaseinfo-change-codename +testsuccesswithnotice apt update --allow-releaseinfo-change-codename +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Codename' value from 'home' to 'colony'" tail -n 2 rootdir/tmp/testsuccesswithnotice.output + +sed -i -e '/^ButAutomaticUpgrades: / d' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 100 to 1. +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update +testsuccesswithnotice apt update --allow-releaseinfo-change +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 100 to 1." tail -n 2 rootdir/tmp/testsuccesswithnotice.output + +sed -i -e '/^NotAutomatic: / d' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 1 to 500. +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update +testsuccesswithnotice apt update --allow-releaseinfo-change-defaultpin +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 1 to 500." tail -n 2 rootdir/tmp/testsuccesswithnotice.output diff --git a/test/integration/test-bug-841874-warning-for-mismatching-distribution b/test/integration/test-bug-841874-warning-for-mismatching-distribution index 6cc8e3173..7502eefc3 100755 --- a/test/integration/test-bug-841874-warning-for-mismatching-distribution +++ b/test/integration/test-bug-841874-warning-for-mismatching-distribution @@ -47,15 +47,3 @@ testfailure apt show foo ln -s "${APTARCHIVE}/dists/testing" "${APTARCHIVE}/dists/buster" testsuccess apt update testsuccess apt show foo - -# changing codenames gets a warning, too -rm -rf rootdir/var/lib/apt/lists -sed -i -e 's#buster#testing#g' rootdir/etc/apt/sources.list.d/* -testsuccess apt update -testsuccess apt show foo -sed -i -e 's#^Codename: buster#Codename: zurg#g' $(find ./aptarchive -name 'Release') -signreleasefiles -testwarningmsg "W: Conflicting distribution: file:$APTARCHIVE testing/updates InRelease (expected buster/updates but got zurg/updates)" apt update -testsuccess apt show foo -testsuccess apt update -testsuccess apt show foo diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning index 30238bd87..5676d1457 100755 --- a/test/integration/test-policy-pinning +++ b/test/integration/test-policy-pinning @@ -238,7 +238,7 @@ testequalpolicycoolstuff "2.0~bpo1" "2.0~bpo1" 990 500 990 "" -o Test=ButAutomat rm incoming/backports.main.pkglist incoming/backports.main.srclist buildsimplenativepackage "coolstuff" "all" "2.0~bpo2" "backports" -setupaptarchive +setupaptarchive --no-update sed -i aptarchive/dists/backports/Release -e 1i"NotAutomatic: yes" signreleasefiles -- cgit v1.2.3