From ad5051ef9da4e1f384237ecf1260e0cad95e0ea7 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Fri, 11 Oct 2013 13:07:01 +0200 Subject: truncating /dev/null to zero is always successful Calling truncate on /dev/null can happen by the download methods if they are instructed to download a file to /dev/null (as testcases are only interested in the status code, but do not support HEAD requests yet) So just ignore truncate calls on the /dev/null file as it is always empty anyway, so truncating to zero isn't a problem. Git-Dch: Ignore --- apt-pkg/contrib/fileutl.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index 3a6bdfe2e..7fbe4d604 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -1545,6 +1545,9 @@ bool FileFd::Skip(unsigned long long Over) /* */ bool FileFd::Truncate(unsigned long long To) { + // truncating /dev/null is always successful - as we get an error otherwise + if (To == 0 && FileName == "/dev/null") + return true; #if defined HAVE_ZLIB || defined HAVE_BZ2 if (d != NULL && (d->gz != NULL || d->bz2 != NULL)) return FileFdError("Truncating compressed files is not implemented (%s)", FileName.c_str()); -- cgit v1.2.3 From 93a99dac870584ed4ea78f1c2f262db8b5460962 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Fri, 11 Oct 2013 13:21:01 +0200 Subject: webserver: spurious newline after data confuses curl Webserver wrongly sends an additional newline after the data which causes curl to believe that the next request on this socket has no header data and so includes all headers in the data output. Git-Dch: Ignore --- test/interactive-helper/aptwebserver.cc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc index 4dae342dd..6c5634de6 100644 --- a/test/interactive-helper/aptwebserver.cc +++ b/test/interactive-helper/aptwebserver.cc 
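Review bot: The new early return in FileFd::Truncate matches only the literal string `/dev/null` in FileName, so the same device reached through another spelling, or through a FileFd whose FileName was never set to that path, presumably still runs into the error the comment mentions. That covers the download-method case from the description, but the comment should state the limit, e.g. `// only the exact name "/dev/null" is special-cased: it is always empty, so truncating to 0 is a no-op, while the real truncate call fails on it`. The rest of Truncate lies outside the hunk.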
@@ -137,21 +137,21 @@ bool sendFile(int const client, FileFd &data) /*{{{*/ { if (actual == 0) break; - if (Success == true) - Success &= FileFd::Write(client, buffer, actual); + Success &= FileFd::Write(client, buffer, actual); } - if (Success == true) - Success &= FileFd::Write(client, "\r\n", 2); + if (Success == false) + std::cerr << "SENDFILE: READ/WRITE ERROR to " << client << std::endl; return Success; } /*}}}*/ bool sendData(int const client, std::string const &data) /*{{{*/ { - bool Success = true; - Success &= FileFd::Write(client, data.c_str(), data.size()); - if (Success == true) - Success &= FileFd::Write(client, "\r\n", 2); - return Success; + if (FileFd::Write(client, data.c_str(), data.size()) == false) + { + std::cerr << "SENDDATA: WRITE ERROR to " << client << std::endl; + return false; + } + return true; } /*}}}*/ void sendError(int const client, int const httpcode, std::string const &request,/*{{{*/ -- cgit v1.2.3 From 23af9f40ecc41eb05d82d953cca9ec11eaff657c Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sun, 13 Oct 2013 19:23:30 +0200 Subject: tests: enhance https support in the testcases Git-Dch: Ignore --- test/integration/framework | 10 +++++++--- test/integration/test-partial-file-support | 12 +++++++----- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/test/integration/framework b/test/integration/framework index 20f3487cc..6a2a78c83 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -192,6 +192,7 @@ setupenvironment() { fi echo "DPKG::options:: \"--log=${TMPWORKINGDIRECTORY}/rootdir/var/log/dpkg.log\";" >> aptconfig.conf echo 'quiet::NoUpdate "true";' >> aptconfig.conf + echo "Acquire::https::CaInfo \"${TESTDIR}/apt.pem\";" > rootdir/etc/apt/apt.conf.d/99https export LC_ALL=C export PATH="${PATH}:/usr/local/sbin:/usr/sbin:/sbin" configcompression '.' 'gz' #'bz2' 'lzma' 'xz' 
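Review bot: The added `Acquire::https::CaInfo` line in setupenvironment builds its path from `${TESTDIR}`, while the stunnel configuration written by changetohttpswebserver in the same file takes the certificate from `${TESTDIRECTORY}/apt.pem`. If the two variables ever differ, or `TESTDIR` is unset when the framework is sourced, the client trusts a file that is not the one the server presents and every https test fails verification. Using one variable for both keeps them in step: `echo "Acquire::https::CaInfo \"${TESTDIRECTORY}/apt.pem\";" > rootdir/etc/apt/apt.conf.d/99https`. setupenvironment continues outside the hunk, so where either variable is assigned is not visible here.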
@@ -799,6 +800,11 @@ rewritesourceslist() { } changetowebserver() { + if [ "$1" != '--no-rewrite' ]; then + rewritesourceslist 'http://localhost:8080/' + else + shift + fi local LOG='/dev/null' if test -x ${BUILDDIRECTORY}/aptwebserver; then cd aptarchive @@ -812,9 +818,6 @@ changetowebserver() { else msgdie 'You have to build aptwerbserver or install a webserver' fi - if [ "$1" != '--no-rewrite' ]; then - rewritesourceslist 'http://localhost:8080/' - fi } changetohttpswebserver() { @@ -826,6 +829,7 @@ changetohttpswebserver() { fi echo "pid = ${TMPWORKINGDIRECTORY}/aptarchive/stunnel.pid cert = ${TESTDIRECTORY}/apt.pem +output = /dev/null [https] accept = 4433 diff --git a/test/integration/test-partial-file-support b/test/integration/test-partial-file-support index 8d1c51ae0..b176cc15e 100755 --- a/test/integration/test-partial-file-support +++ b/test/integration/test-partial-file-support @@ -18,7 +18,7 @@ testdownloadfile() { rm -f "$DOWNLOG" msgtest "Testing download of file $2 with" "$1" if ! downloadfile "$2" "$3" > "$DOWNLOG"; then - cat "$DOWNLOG" + cat >&2 "$DOWNLOG" msgfail else msgpass @@ -40,21 +40,23 @@ testdownloadfile() { if [ "$EXPECTED" "$4" "$hash" ]; then msgpass else - cat "$DOWNLOG" + cat >&2 "$DOWNLOG" msgfail "expected: $EXPECTED ; got: $hash" fi done } testwebserverlaststatuscode() { - STATUS="$(mktemp)" + local DOWNLOG='download-testfile.log' + rm -f "$DOWNLOG" + local STATUS="$(mktemp)" addtrap "rm $STATUS;" msgtest 'Test last status code from the webserver was' "$1" - downloadfile "http://localhost:8080/_config/find/aptwebserver::last-status-code" "$STATUS" >/dev/null + downloadfile "http://localhost:8080/_config/find/aptwebserver::last-status-code" "$STATUS" > "$DOWNLOG" if [ "$(cat "$STATUS")" = "$1" ]; then msgpass else - cat download-testfile.log + cat >&2 "$DOWNLOG" msgfail "Status was $(cat "$STATUS")" fi } -- cgit v1.2.3 From eab3a9b2e233d7a142c0fa90bd1ed16a3c0e6cc6 Mon Sep 17 00:00:00 2001 
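Review bot: `output = /dev/null` in the stunnel configuration written by changetohttpswebserver discards the only record of TLS handshake and certificate errors, so a failing https test leaves nothing to diagnose. Consider logging into the per-test working directory instead, e.g. `output = ${TMPWORKINGDIRECTORY}/aptarchive/stunnel.log`, next to the pid file the same configuration already places there. The here-document continues past the end of the hunk.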
From: David Kalnischkies Date: Wed, 16 Oct 2013 16:46:55 +0200 Subject: webserver: implement ~user access to ~user/public_html/ pretty much useless for the testcases, but handy to test the webserver itself in 'real world' environments Git-Dch: Ignore --- test/interactive-helper/aptwebserver.cc | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc index 6c5634de6..4ea1794bb 100644 --- a/test/interactive-helper/aptwebserver.cc +++ b/test/interactive-helper/aptwebserver.cc @@ -198,7 +198,17 @@ void sendRedirect(int const client, int const httpcode, std::string const &uri,/ addDataHeaders(headers, response); std::string location("Location: "); if (strncmp(uri.c_str(), "http://", 7) != 0) - location.append("http://").append(LookupTag(request, "Host")).append("/").append(uri); + { + location.append("http://").append(LookupTag(request, "Host")).append("/"); + if (strncmp("/home/", uri.c_str(), strlen("/home/")) == 0 && uri.find("/public_html/") != std::string::npos) + { + std::string homeuri = SubstVar(uri, "/home/", "~"); + homeuri = SubstVar(homeuri, "/public_html/", "/"); + location.append(homeuri); + } + else + location.append(uri); + } else location.append(uri); headers.push_back(location); 
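Review bot: In sendRedirect the new `/home/` branch calls SubstVar, which replaces every occurrence of its pattern, although the guard only establishes that the uri starts with `/home/` and contains `/public_html/` somewhere. A path such as `/home/user/public_html/mirror/public_html/x` (constructed example) is rewritten to `~user/mirror/x`, so the Location header names a different resource. Rewrite only the leading prefix and the first `/public_html/`: `std::string homeuri = "~" + uri.substr(strlen("/home/"));` followed by one `homeuri.replace(pos, strlen("/public_html/"), "/")` at the position `find` returns, guarded against `npos`. Separately, the Host value from the request is still copied into Location unchecked, as it was before this change.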
@@ -381,6 +391,20 @@ bool parseFirstLine(int const client, std::string const &request, /*{{{*/ filename.erase(0, 1); if (filename.empty() == true) filename = "."; + // support ~user/ uris to refer to /home/user/public_html/ as a kind-of special directory + else if (filename[0] == '~') + { + // /home/user is actually not entirely correct, but good enough for now + size_t dashpos = filename.find('/'); + if (dashpos != std::string::npos) + { + std::string home = filename.substr(1, filename.find('/') - 1); + std::string pubhtml = filename.substr(filename.find('/') + 1); + filename = "/home/" + home + "/public_html/" + pubhtml; + } + else + filename = "/home/" + filename.substr(1) + "/public_html/"; + } return true; } /*}}}*/ -- cgit v1.2.3 From 3c16b5fe7950e32a0a13ad7544ed531ace535316 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 16 Oct 2013 18:43:21 +0200 Subject: webserver: add directoryIndex support defaulting to index.html Git-Dch: Ignore --- test/interactive-helper/aptwebserver.cc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc index 4ea1794bb..0e04826c5 100644 --- a/test/interactive-helper/aptwebserver.cc +++ b/test/interactive-helper/aptwebserver.cc @@ -277,7 +277,7 @@ void sendDirectoryListing(int const client, std::string const &dir, /*{{{*/ << "" << std::endl << "
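Review bot: The new `~user` branch in parseFirstLine pastes the user part of the request into `/home/<user>/public_html/` without checking it, so an empty name (`~/x`) or a name of `.` or `..` resolves to a directory that is not any user's public_html. Whether the traversal check earlier in the function rejects a `..` that has no trailing slash is not visible in this hunk. Reject such names through the 400 path the function already uses for malformed requests, and compute the slash position once instead of calling `find('/')` three times. parseFirstLine starts and ends outside the hunk.

```cpp
   else if (filename[0] == '~')
   {
      // … unchanged: comment about /home/user being an approximation …
      size_t const slashpos = filename.find('/');
      std::string const home = (slashpos == std::string::npos) ? filename.substr(1) : filename.substr(1, slashpos - 1);
      // the user part becomes a path component, so accept only a plain, non-empty name
      if (home.empty() == true || home == "." || home == "..")
      {
         sendError(client, 400, request, sendContent, "Request names an invalid user directory");
         return false;
      }
      std::string const pubhtml = (slashpos == std::string::npos) ? std::string() : filename.substr(slashpos + 1);
      filename = "/home/" + home + "/public_html/" + pubhtml;
   }
```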

Index of " << dir << "

" << std::endl << "" << std::endl; - if (dir != ".") + if (dir != "./") listing << ""; for (int i = 0; i < counter; ++i) { struct stat fs; @@ -390,7 +390,7 @@ bool parseFirstLine(int const client, std::string const &request, /*{{{*/ // nuke the first character which is a / as we assured above filename.erase(0, 1); if (filename.empty() == true) - filename = "."; + filename = "./"; // support ~user/ uris to refer to /home/user/public_html/ as a kind-of special directory else if (filename[0] == '~') { @@ -405,6 +405,17 @@ bool parseFirstLine(int const client, std::string const &request, /*{{{*/ else filename = "/home/" + filename.substr(1) + "/public_html/"; } + + // if no filename is given, but a valid directory see if we can use an index or + // have to resort to a autogenerated directory listing later on + if (DirectoryExists(filename) == true) + { + std::string const directoryIndex = _config->Find("aptwebserver::directoryindex"); + if (directoryIndex.empty() == false && directoryIndex == flNotDir(directoryIndex) && + RealFileExists(filename + directoryIndex) == true) + filename += directoryIndex; + } + return true; } /*}}}*/ @@ -543,6 +554,7 @@ int main(int const argc, const char * argv[]) _config->CndSet("aptwebserver::response-header::Server", "APT webserver"); _config->CndSet("aptwebserver::response-header::Accept-Ranges", "bytes"); + _config->CndSet("aptwebserver::directoryindex", "index.html"); std::vector messages; int client; @@ -693,7 +705,7 @@ int main(int const argc, const char * argv[]) } else if (DirectoryExists(filename) == true) { - if (filename == "." || filename[filename.length()-1] == '/') + if (filename[filename.length()-1] == '/') sendDirectoryListing(client, filename, *m, sendContent); else sendRedirect(client, 301, filename.append("/"), *m, sendContent); -- cgit v1.2.3 From d23bda42456bd092751deb24d8295c27a15721e8 Mon Sep 17 00:00:00 2001 
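Review bot: The directory-index lookup added to parseFirstLine concatenates `filename + directoryIndex` even when the requested directory has no trailing slash, so a request for `pool` (constructed example) tests and may serve a sibling file named `poolindex.html` instead of reaching the 301 redirect in the caller. Restrict the lookup to names that already end in a slash: `if (DirectoryExists(filename) == true && filename[filename.length()-1] == '/')`; filename cannot be empty here because the preceding hunk turns an empty name into `./`. The `flNotDir` comparison also deserves a one-line comment, since `aptwebserver::directoryindex` can be changed at runtime through `_config/set` and this comparison is what keeps a path component out of it.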
From: David Kalnischkies Date: Wed, 16 Oct 2013 22:43:01 +0200 Subject: webserver: strip parameters from filename Again, not (currently) used by the tests itself, but in interactive usage of the webserver itself. Git-Dch: Ignore --- test/interactive-helper/aptwebserver.cc | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc index 0e04826c5..94f63bb39 100644 --- a/test/interactive-helper/aptwebserver.cc +++ b/test/interactive-helper/aptwebserver.cc @@ -308,7 +308,7 @@ void sendDirectoryListing(int const client, std::string const &dir, /*{{{*/ } /*}}}*/ bool parseFirstLine(int const client, std::string const &request, /*{{{*/ - std::string &filename, bool &sendContent, + std::string &filename, std::string ¶ms, bool &sendContent, bool &closeConnection) { if (strncmp(request.c_str(), "HEAD ", 5) == 0) @@ -375,6 +375,14 @@ bool parseFirstLine(int const client, std::string const &request, /*{{{*/ sendError(client, 400, request, sendContent, "Request is absolutePath, but configured to not accept that"); return false; } + + size_t paramspos = filename.find('?'); + if (paramspos != std::string::npos) + { + params = filename.substr(paramspos + 1); + filename.erase(paramspos); + } + filename = DeQuoteString(filename); // this is not a secure server, but at least prevent the obvious … -- cgit v1.2.3 From 575fe03ee310c740bfa2950aa55b3358e8a60eee Mon Sep 17 00:00:00 2001 
From: David Kalnischkies Date: Wed, 16 Oct 2013 22:45:37 +0200 Subject: webserver: use pthreads to handle multiple clients Clients like browsers prefer to open many connections and keep them open for a while, so that pages with lot of subelements would take a while to load (if at all), by using threads as all servers do some way or another we can resolve this. libapt is not intended to be pthread-safe and stuff like the storage of the last return code doesn't make too much sense if multiple clients interact with us, but it is good enough for now and an other interesting (mis)use of libapt in general. Git-Dch: Ignore --- test/interactive-helper/aptwebserver.cc | 362 ++++++++++++++++++-------------- test/interactive-helper/makefile | 2 +- 2 files changed, 201 insertions(+), 163 deletions(-) diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc index 94f63bb39..7d3589c9d 100644 --- a/test/interactive-helper/aptwebserver.cc +++ b/test/interactive-helper/aptwebserver.cc @@ -112,7 +112,7 @@ bool sendHead(int const client, int const httpcode, std::list &head date.append(TimeRFC1123(time(NULL))); headers.push_back(date); - std::clog << ">>> RESPONSE >>>" << std::endl; + std::clog << ">>> RESPONSE to " << client << " >>>" << std::endl; bool Success = true; for (std::list::const_iterator h = headers.begin(); Success == true && h != headers.end(); ++h) 
@@ -470,6 +470,173 @@ bool handleOnTheFlyReconfiguration(int const client, std::string const &request, return false; } /*}}}*/ +void * handleClient(void * voidclient) /*{{{*/ +{ + int client = *((int*)(voidclient)); + std::clog << "ACCEPT client " << client << std::endl; + std::vector messages; + while (ReadMessages(client, messages)) + { + bool closeConnection = false; + for (std::vector::const_iterator m = messages.begin(); + m != messages.end() && closeConnection == false; ++m) { + std::clog << ">>> REQUEST from " << client << " >>>" << std::endl << *m + << std::endl << "<<<<<<<<<<<<<<<<" << std::endl; + std::list headers; + std::string filename; + std::string params; + bool sendContent = true; + if (parseFirstLine(client, *m, filename, params, sendContent, closeConnection) == false) + continue; + + // special webserver command request + if (filename.length() > 1 && filename[0] == '_') + { + std::vector parts = VectorizeString(filename, '/'); + if (parts[0] == "_config") + { + handleOnTheFlyReconfiguration(client, *m, parts); + continue; + } + } + + // string replacements in the requested filename + ::Configuration::Item const *Replaces = _config->Tree("aptwebserver::redirect::replace"); + if (Replaces != NULL) + { + std::string redirect = "/" + filename; + for (::Configuration::Item *I = Replaces->Child; I != NULL; I = I->Next) + redirect = SubstVar(redirect, I->Tag, I->Value); + redirect.erase(0,1); + if (redirect != filename) + { + sendRedirect(client, 301, redirect, *m, sendContent); + continue; + } + } + + ::Configuration::Item const *Overwrite = _config->Tree("aptwebserver::overwrite"); + if (Overwrite != NULL) + { + for (::Configuration::Item *I = Overwrite->Child; I != NULL; I = I->Next) + { + regex_t *pattern = new regex_t; + int const res = regcomp(pattern, I->Tag.c_str(), REG_EXTENDED | REG_ICASE | REG_NOSUB); + if (res != 0) + { + char error[300]; + regerror(res, pattern, error, sizeof(error)); + sendError(client, 500, *m, sendContent, error); + 
continue; + } + if (regexec(pattern, filename.c_str(), 0, 0, 0) == 0) + { + filename = _config->Find("aptwebserver::overwrite::" + I->Tag + "::filename", filename); + if (filename[0] == '/') + filename.erase(0,1); + regfree(pattern); + break; + } + regfree(pattern); + } + } + + // deal with the request + if (RealFileExists(filename) == true) + { + FileFd data(filename, FileFd::ReadOnly); + std::string condition = LookupTag(*m, "If-Modified-Since", ""); + if (condition.empty() == false) + { + time_t cache; + if (RFC1123StrToTime(condition.c_str(), cache) == true && + cache >= data.ModificationTime()) + { + sendHead(client, 304, headers); + continue; + } + } + + if (_config->FindB("aptwebserver::support::range", true) == true) + condition = LookupTag(*m, "Range", ""); + else + condition.clear(); + if (condition.empty() == false && strncmp(condition.c_str(), "bytes=", 6) == 0) + { + time_t cache; + std::string ifrange; + if (_config->FindB("aptwebserver::support::if-range", true) == true) + ifrange = LookupTag(*m, "If-Range", ""); + bool validrange = (ifrange.empty() == true || + (RFC1123StrToTime(ifrange.c_str(), cache) == true && + cache <= data.ModificationTime())); + + // FIXME: support multiple byte-ranges (APT clients do not do this) + if (condition.find(',') == std::string::npos) + { + size_t start = 6; + unsigned long long filestart = strtoull(condition.c_str() + start, NULL, 10); + // FIXME: no support for last-byte-pos being not the end of the file (APT clients do not do this) + size_t dash = condition.find('-') + 1; + unsigned long long fileend = strtoull(condition.c_str() + dash, NULL, 10); + unsigned long long filesize = data.FileSize(); + if ((fileend == 0 || (fileend == filesize && fileend >= filestart)) && + validrange == true) + { + if (filesize > filestart) + { + data.Skip(filestart); + std::ostringstream contentlength; + contentlength << "Content-Length: " << (filesize - filestart); + headers.push_back(contentlength.str()); + std::ostringstream 
contentrange; + contentrange << "Content-Range: bytes " << filestart << "-" + << filesize - 1 << "/" << filesize; + headers.push_back(contentrange.str()); + sendHead(client, 206, headers); + if (sendContent == true) + sendFile(client, data); + continue; + } + else + { + headers.push_back("Content-Length: 0"); + std::ostringstream contentrange; + contentrange << "Content-Range: bytes */" << filesize; + headers.push_back(contentrange.str()); + sendHead(client, 416, headers); + continue; + } + } + } + } + + addFileHeaders(headers, data); + sendHead(client, 200, headers); + if (sendContent == true) + sendFile(client, data); + } + else if (DirectoryExists(filename) == true) + { + if (filename[filename.length()-1] == '/') + sendDirectoryListing(client, filename, *m, sendContent); + else + sendRedirect(client, 301, filename.append("/"), *m, sendContent); + } + else + sendError(client, 404, *m, sendContent); + } + _error->DumpErrors(std::cerr); + messages.clear(); + if (closeConnection == true) + break; + } + close(client); + std::clog << "CLOSE client " << client << std::endl; + return NULL; +} + /*}}}*/ + int main(int const argc, const char * argv[]) { CommandLine::Args Args[] = { @@ -490,6 +657,9 @@ int main(int const argc, const char * argv[]) // create socket, bind and listen to it {{{ // ignore SIGPIPE, this can happen on write() if the socket closes connection signal(SIGPIPE, SIG_IGN); + // we don't care for our slaves, so ignore their death + signal(SIGCHLD, SIG_IGN); + int sock = socket(AF_INET6, SOCK_STREAM, 0); if(sock < 0) { 
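Review bot: In handleClient the overwrite loop allocates `new regex_t` for every configured pattern on every request and never deletes it, and when regcomp fails its `continue` only advances to the next pattern, so after the 500 response the request is still processed and a second response is written for it. The block was moved here from main unchanged, but it now runs on every connection thread, so the leak grows with traffic. Use a stack `regex_t`, stop at the first compile error and skip the rest of that request. handleClient's opening lines in the same hunk also read the descriptor through a C-style `(int*)` cast; `static_cast<int *>(voidclient)` states the intent.

```cpp
   bool overwriteFailed = false;
   // … unchanged: Overwrite lookup and the `if (Overwrite != NULL)` block opening …
      for (::Configuration::Item *I = Overwrite->Child; I != NULL; I = I->Next)
      {
         regex_t pattern;   // on the stack: nothing to delete on any path
         int const res = regcomp(&pattern, I->Tag.c_str(), REG_EXTENDED | REG_ICASE | REG_NOSUB);
         if (res != 0)
         {
            char error[300];
            regerror(res, &pattern, error, sizeof(error));
            sendError(client, 500, *m, sendContent, error);
            overwriteFailed = true;
            break;
         }
         bool const matched = (regexec(&pattern, filename.c_str(), 0, 0, 0) == 0);
         regfree(&pattern);
         if (matched == false)
            continue;
         // … unchanged: take the new filename from aptwebserver::overwrite::<Tag>::filename, strip a leading '/' …
         break;
      }
   // … unchanged: end of the `if (Overwrite != NULL)` block …
   if (overwriteFailed == true)
      continue;   // the 500 has been sent, do not answer this request a second time
```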
@@ -557,179 +727,47 @@ int main(int const argc, const char * argv[]) std::clog << "Serving ANY file on port: " << port << std::endl; - listen(sock, 1); + int const slaves = _config->FindB("aptwebserver::slaves", SOMAXCONN); + listen(sock, slaves); /*}}}*/ _config->CndSet("aptwebserver::response-header::Server", "APT webserver"); _config->CndSet("aptwebserver::response-header::Accept-Ranges", "bytes"); _config->CndSet("aptwebserver::directoryindex", "index.html"); - std::vector messages; - int client; - while ((client = accept(sock, NULL, NULL)) != -1) - { - std::clog << "ACCEPT client " << client - << " on socket " << sock << std::endl; + std::list accepted_clients; - while (ReadMessages(client, messages)) + while (true) + { + int client = accept(sock, NULL, NULL); + if (client == -1) { - bool closeConnection = false; - for (std::vector::const_iterator m = messages.begin(); - m != messages.end() && closeConnection == false; ++m) { - std::clog << ">>> REQUEST >>>>" << std::endl << *m - << std::endl << "<<<<<<<<<<<<<<<<" << std::endl; - std::list headers; - std::string filename; - bool sendContent = true; - if (parseFirstLine(client, *m, filename, sendContent, closeConnection) == false) - continue; - - // special webserver command request - if (filename.length() > 1 && filename[0] == '_') - { - std::vector parts = VectorizeString(filename, '/'); - if (parts[0] == "_config") - { - handleOnTheFlyReconfiguration(client, *m, parts); - continue; - } - } - - // string replacements in the requested filename - ::Configuration::Item const *Replaces = _config->Tree("aptwebserver::redirect::replace"); - if (Replaces != NULL) - { - std::string redirect = "/" + filename; - for (::Configuration::Item *I = Replaces->Child; I != NULL; I = I->Next) - redirect = SubstVar(redirect, I->Tag, I->Value); - redirect.erase(0,1); - if (redirect != filename) - { - sendRedirect(client, 301, redirect, *m, sendContent); - continue; - } - } - - ::Configuration::Item const *Overwrite = 
_config->Tree("aptwebserver::overwrite"); - if (Overwrite != NULL) - { - for (::Configuration::Item *I = Overwrite->Child; I != NULL; I = I->Next) - { - regex_t *pattern = new regex_t; - int const res = regcomp(pattern, I->Tag.c_str(), REG_EXTENDED | REG_ICASE | REG_NOSUB); - if (res != 0) - { - char error[300]; - regerror(res, pattern, error, sizeof(error)); - sendError(client, 500, *m, sendContent, error); - continue; - } - if (regexec(pattern, filename.c_str(), 0, 0, 0) == 0) - { - filename = _config->Find("aptwebserver::overwrite::" + I->Tag + "::filename", filename); - if (filename[0] == '/') - filename.erase(0,1); - regfree(pattern); - break; - } - regfree(pattern); - } - } - - // deal with the request - if (RealFileExists(filename) == true) - { - FileFd data(filename, FileFd::ReadOnly); - std::string condition = LookupTag(*m, "If-Modified-Since", ""); - if (condition.empty() == false) - { - time_t cache; - if (RFC1123StrToTime(condition.c_str(), cache) == true && - cache >= data.ModificationTime()) - { - sendHead(client, 304, headers); - continue; - } - } - - if (_config->FindB("aptwebserver::support::range", true) == true) - condition = LookupTag(*m, "Range", ""); - else - condition.clear(); - if (condition.empty() == false && strncmp(condition.c_str(), "bytes=", 6) == 0) - { - time_t cache; - std::string ifrange; - if (_config->FindB("aptwebserver::support::if-range", true) == true) - ifrange = LookupTag(*m, "If-Range", ""); - bool validrange = (ifrange.empty() == true || - (RFC1123StrToTime(ifrange.c_str(), cache) == true && - cache <= data.ModificationTime())); - - // FIXME: support multiple byte-ranges (APT clients do not do this) - if (condition.find(',') == std::string::npos) - { - size_t start = 6; - unsigned long long filestart = strtoull(condition.c_str() + start, NULL, 10); - // FIXME: no support for last-byte-pos being not the end of the file (APT clients do not do this) - size_t dash = condition.find('-') + 1; - unsigned long long fileend = 
strtoull(condition.c_str() + dash, NULL, 10); - unsigned long long filesize = data.FileSize(); - if ((fileend == 0 || (fileend == filesize && fileend >= filestart)) && - validrange == true) - { - if (filesize > filestart) - { - data.Skip(filestart); - std::ostringstream contentlength; - contentlength << "Content-Length: " << (filesize - filestart); - headers.push_back(contentlength.str()); - std::ostringstream contentrange; - contentrange << "Content-Range: bytes " << filestart << "-" - << filesize - 1 << "/" << filesize; - headers.push_back(contentrange.str()); - sendHead(client, 206, headers); - if (sendContent == true) - sendFile(client, data); - continue; - } - else - { - headers.push_back("Content-Length: 0"); - std::ostringstream contentrange; - contentrange << "Content-Range: bytes */" << filesize; - headers.push_back(contentrange.str()); - sendHead(client, 416, headers); - continue; - } - } - } - } + if (errno == EINTR) + continue; + _error->Errno("accept", "Couldn't accept client on socket %d", sock); + _error->DumpErrors(std::cerr); + return 6; + } - addFileHeaders(headers, data); - sendHead(client, 200, headers); - if (sendContent == true) - sendFile(client, data); - } - else if (DirectoryExists(filename) == true) - { - if (filename[filename.length()-1] == '/') - sendDirectoryListing(client, filename, *m, sendContent); - else - sendRedirect(client, 301, filename.append("/"), *m, sendContent); - } - else - sendError(client, 404, *m, sendContent); - } + pthread_attr_t attr; + if (pthread_attr_init(&attr) != 0 || pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED) != 0) + { + _error->Errno("pthread_attr", "Couldn't set detach attribute for a fresh thread to handle client %d on socket %d", client, sock); _error->DumpErrors(std::cerr); - messages.clear(); - if (closeConnection == true) - break; + close(client); + continue; } - std::clog << "CLOSE client " << client - << " on socket " << sock << std::endl; - close(client); + pthread_t tid; + // thats 
rather dirty, but we need to store the client socket somewhere safe + accepted_clients.push_front(client); + if (pthread_create(&tid, &attr, &handleClient, &(*accepted_clients.begin())) != 0) + { + _error->Errno("pthread_create", "Couldn't create a fresh thread to handle client %d on socket %d", client, sock); + _error->DumpErrors(std::cerr); + close(client); + continue; + } } pidfile.Close(); diff --git a/test/interactive-helper/makefile b/test/interactive-helper/makefile index f43df97e3..8dc014b98 100644 --- a/test/interactive-helper/makefile +++ b/test/interactive-helper/makefile @@ -41,7 +41,7 @@ include $(PROGRAM_H) # Program for testing udevcdrom PROGRAM=aptwebserver -SLIBS = -lapt-pkg +SLIBS = -lapt-pkg -lpthread LIB_MAKES = apt-pkg/makefile SOURCE = aptwebserver.cc include $(PROGRAM_H) -- cgit v1.2.3 From 8523b22fbcc6ca2ad004a9133559212908b768ed Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 23 Oct 2013 12:26:44 +0200 Subject: tests: rm pkgcache.bin in 719263 test As testcases are running really fast it can happen that files which are changed in reality are considered unchanged as the modify time isn't changed. What we could do is disable those caches by default, but some tests actually depend on those and deriving too much from the default by default (pun intended) is not a good idea for tests after all. Git-Dch: Ignore --- test/integration/test-bug-719263-print-uris-removes-authentication | 1 + 1 file changed, 1 insertion(+) diff --git a/test/integration/test-bug-719263-print-uris-removes-authentication b/test/integration/test-bug-719263-print-uris-removes-authentication index 1c1a27ceb..5e674db0b 100755 --- a/test/integration/test-bug-719263-print-uris-removes-authentication +++ b/test/integration/test-bug-719263-print-uris-removes-authentication 
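Review bot: `_config->FindB("aptwebserver::slaves", SOMAXCONN)` in main reads the backlog as a boolean, so `listen()` is called with 0 or 1 whatever value is configured; it should be `int const slaves = _config->FindI("aptwebserver::slaves", SOMAXCONN);`. In the accept loop, `pthread_attr_init` runs once per connection with no matching `pthread_attr_destroy`, and `accepted_clients` gains an entry per connection that is never removed, so both accumulate for the lifetime of the server. Initialising the attribute once before the loop, and erasing the list entry when the thread closes its descriptor (or handing the descriptor over by value), would bound both.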
@@ -25,6 +25,7 @@ Inst unrelated [1] (2 unstable [all]) Conf unrelated (2 unstable [all])' aptget install unrelated -s testsuccess aptget install unrelated -y testdpkginstalled unrelated + rm -rf rootdir/var/cache/apt/*.bin cp -a rootdir/var/lib/dpkg/status-backup-noact rootdir/var/lib/dpkg/status } -- cgit v1.2.3 From f2c0ec8bdb00b44de240190dae39fa255b6c85de Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 23 Oct 2013 16:32:48 +0200 Subject: tests: add a webserverconfig method to abstract config The URI to use to set a config option is a bit arcane to write/remember and checking if the setting was successful doubly so. Git-Dch: Ignore --- test/integration/framework | 16 ++++++++++++++++ test/integration/test-partial-file-support | 6 ++---- test/integration/test-releasefile-verification | 2 +- test/interactive-helper/aptwebserver.cc | 2 +- 4 files changed, 20 insertions(+), 6 deletions(-) diff --git a/test/integration/framework b/test/integration/framework index 6a2a78c83..89b5bb0e4 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -792,6 +792,22 @@ signreleasefiles() { msgdone "info" } +webserverconfig() { + msgtest "Set webserver config option '${1}' to" "$2" + downloadfile "http://localhost:8080/_config/set/${1}/${2}" '/dev/null' >/dev/null + local DOWNLOG='download-testfile.log' + rm -f "$DOWNLOG" + local STATUS="$(mktemp)" + addtrap "rm $STATUS;" + downloadfile "http://localhost:8080/_config/find/aptwebserver::last-status-code" "$STATUS" > "$DOWNLOG" + if [ "$(cat "$STATUS")" = '200' ]; then + msgpass + else + cat >&2 "$DOWNLOG" + msgfail "Statuscode was $(cat "$STATUS")" + fi +} + rewritesourceslist() { local APTARCHIVE="file://$(readlink -f "${TMPWORKINGDIRECTORY}/aptarchive")" for LIST in $(find rootdir/etc/apt/sources.list.d/ -name 'apt-test-*.list'); do diff --git a/test/integration/test-partial-file-support b/test/integration/test-partial-file-support index b176cc15e..382789e68 100755 
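Review bot: webserverconfig interpolates `${1}` and `${2}` into the request path unencoded, and the server splits that path on `/` (VectorizeString in handleClient), so an option value containing a slash or a space would be set to something other than what the caller passed while the helper may still report success. A comment above the function should state the restriction, e.g. `# name and value are used verbatim as URI path segments: no '/', spaces or characters needing percent-encoding`. The status check also repeats the body of testwebserverlaststatuscode from test-partial-file-support; moving that helper into the framework and calling it here would leave one copy.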
--- a/test/integration/test-partial-file-support +++ b/test/integration/test-partial-file-support @@ -66,8 +66,7 @@ TESTFILE='aptarchive/testfile' cp -a ${TESTDIR}/framework $TESTFILE testrun() { - downloadfile "$1/_config/set/aptwebserver::support::range/true" '/dev/null' >/dev/null - testwebserverlaststatuscode '200' + webserverconfig 'aptwebserver::support::range' 'true' copysource $TESTFILE 0 ./testfile testdownloadfile 'no data' "${1}/testfile" './testfile' '=' @@ -94,8 +93,7 @@ testrun() { testdownloadfile 'old data' "${1}/testfile" './testfile' '=' testwebserverlaststatuscode '200' - downloadfile "$1/_config/set/aptwebserver::support::range/false" '/dev/null' >/dev/null - testwebserverlaststatuscode '200' + webserverconfig 'aptwebserver::support::range' 'false' copysource $TESTFILE 20 ./testfile testdownloadfile 'no server support' "${1}/testfile" './testfile' '=' diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 9d34a521a..e558b83e8 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -11,7 +11,7 @@ buildaptarchive setupflataptarchive changetowebserver -downloadfile "http://localhost:8080/_config/set/aptwebserver::support::range/false" '/dev/null' >/dev/null +webserverconfig 'aptwebserver::support::range' 'false' prepare() { local DATE="${2:-now}" diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc index 7d3589c9d..b7663a76a 100644 --- a/test/interactive-helper/aptwebserver.cc +++ b/test/interactive-helper/aptwebserver.cc 
@@ -546,7 +546,7 @@ void * handleClient(void * voidclient) /*{{{*/ { FileFd data(filename, FileFd::ReadOnly); std::string condition = LookupTag(*m, "If-Modified-Since", ""); - if (condition.empty() == false) + if (_config->FindB("aptwebserver::support::modified-since", true) == true && condition.empty() == false) { time_t cache; if (RFC1123StrToTime(condition.c_str(), cache) == true && -- cgit v1.2.3 From 581b556830ba17dc8a9d3edb858a4fd8c1d2fb58 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 13:10:33 +0100 Subject: merge ubuntus apport reporting changes to reduce diff apport reporting is still disabled by default, but it is available in Debian/experimental at the moment and a diff is not a good idea anyway. --- apt-pkg/deb/dpkgpm.cc | 59 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 54 insertions(+), 5 deletions(-) diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc index 14333c3e7..b4bfd1400 100644 --- a/apt-pkg/deb/dpkgpm.cc +++ b/apt-pkg/deb/dpkgpm.cc 
@@ -1622,18 +1622,49 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg) } // do not report out-of-memory failures - if(strstr(errormsg, strerror(ENOMEM)) != NULL) { + if(strstr(errormsg, strerror(ENOMEM)) != NULL || + strstr(errormsg, "failed to allocate memory") != NULL) { std::clog << _("No apport report written because the error message indicates a out of memory error") << std::endl; return; } - // do not report dpkg I/O errors - // XXX - this message is localized, but this only matches the English version. This is better than nothing. - if(strstr(errormsg, "short read in buffer_copy (")) { - std::clog << _("No apport report written because the error message indicates a dpkg I/O error") << std::endl; + // do not report bugs regarding inaccessible local files + if(strstr(errormsg, strerror(ENOENT)) != NULL || + strstr(errormsg, "cannot access archive") != NULL) { + std::clog << _("No apport report written because the error message indicates an issue on the local system") << std::endl; return; } + // do not report errors encountered when decompressing packages + if(strstr(errormsg, "--fsys-tarfile returned error exit status 2") != NULL) { + std::clog << _("No apport report written because the error message indicates an issue on the local system") << std::endl; + return; + } + + // do not report dpkg I/O errors, this is a format string, so we compare + // the prefix and the suffix of the error with the dpkg error message + vector io_errors; + io_errors.push_back(string("failed to read on buffer copy for %s")); + io_errors.push_back(string("failed in write on buffer copy for %s")); + io_errors.push_back(string("short read on buffer copy for %s")); + + for (vector::iterator I = io_errors.begin(); I != io_errors.end(); I++) + { + vector list = VectorizeString(dgettext("dpkg", (*I).c_str()), '%'); + if (list.size() > 1) { + // we need to split %s, VectorizeString only allows char so we need + // to kill the "s" manually + if (list[1].size() 
> 1) { + list[1].erase(0, 1); + if(strstr(errormsg, list[0].c_str()) && + strstr(errormsg, list[1].c_str())) { + std::clog << _("No apport report written because the error message indicates a dpkg I/O error") << std::endl; + return; + } + } + } + } + // get the pkgname and reportfile pkgname = flNotDir(pkgpath); pos = pkgname.find('_'); @@ -1721,6 +1752,24 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg) if(log != NULL) { char buf[1024]; + while( fgets(buf, sizeof(buf), log) != NULL) + fprintf(report, " %s", buf); + fprintf(report, " \n"); + fclose(log); + } + } + + // attach history log it if we have it + string histfile_name = _config->FindFile("Dir::Log::History"); + if (!histfile_name.empty()) + { + FILE *log = NULL; + char buf[1024]; + + fprintf(report, "DpkgHistoryLog:\n"); + log = fopen(histfile_name.c_str(),"r"); + if(log != NULL) + { while( fgets(buf, sizeof(buf), log) != NULL) fprintf(report, " %s", buf); fclose(log); -- cgit v1.2.3 From a40310a5e60d880ce1bd82f0513c5d6658bb48ef Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 13:15:01 +0100 Subject: enable NOISE for build logs to enable analyse MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It was enabled for a (long) while in Ubuntu, but it shouldn't hurt to enable it in Debian as well – especially now that Debian has automatic analyses of the buildlogs which don't work that well without the 'noise' --- debian/rules | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/rules b/debian/rules index 06ccdac31..28525af50 100755 --- a/debian/rules +++ b/debian/rules 
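Review bot: The dpkg I/O-error filter in the new `io_errors` loop looks like it can never match the untranslated messages. All three format strings end in `%s`, so splitting on `%` leaves `list[1]` as just `"s"`, and the `list[1].size() > 1` guard then skips the comparison (this assumes VectorizeString splits plainly on the character, which the hunk does not show). The text after the placeholder should be optional, so that the prefix alone decides when nothing follows `%s`. Separately, the new `"failed to allocate memory"`, `"cannot access archive"` and `"--fsys-tarfile returned error exit status 2"` checks match English text only, the limitation the removed XXX comment used to record; either pass them through `dgettext("dpkg", …)` like the I/O strings or keep a comment saying so. WriteApportReport starts and ends outside the hunk.

```cpp
      if (list.size() > 1) {
         // list[1] still carries the conversion character of "%s"; drop it and
         // treat an empty remainder as "nothing follows the placeholder"
         string suffix = list[1];
         if (suffix.empty() == false && suffix[0] == 's')
            suffix.erase(0, 1);
         if (list[0].empty() == false &&
             strstr(errormsg, list[0].c_str()) != NULL &&
             (suffix.empty() == true || strstr(errormsg, suffix.c_str()) != NULL)) {
            // … unchanged: std::clog message and return …
         }
      }
```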
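Review bot: The new history-log block writes the `DpkgHistoryLog:` field name before it knows whether `fopen` succeeded, so an unreadable file leaves an empty field in the report; moving `fprintf(report, "DpkgHistoryLog:\n");` inside the `if(log != NULL)` branch avoids that. The loop also copies the whole file named by `Dir::Log::History` with no size limit. That log presumably records earlier package operations unrelated to the failing package, so if the report is later submitted to a bug tracker it discloses more than the failure needs. Consider attaching only the most recent entries and noting it with a comment such as `// attach only the tail of the history log to bound report size and limit what is disclosed`. WriteApportReport starts and ends outside the hunk.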
@@ -3,6 +3,9 @@ # Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess. # Some lines taken from debmake, by Christoph Lameter. +# build in verbose mode by default to make it easy to diangose issues +export NOISY=1 + export DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) export DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) -- cgit v1.2.3 From eef71f11a5836eb82df133cb4e24cb4806642188 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 14:01:28 +0100 Subject: introduce a vendor system to change sources.list Many derivatives make quiet a few simple changes to apt introducing silly diffs just to change examples and co making it harder for them to update apt and harder for us to merge real changes back. First stop: doc/examples/sources.list --- .gitignore | 3 +++ Makefile | 3 ++- doc/apt-verbatim.ent | 4 ++-- doc/examples/sources.list.in | 8 -------- doc/makefile | 12 ++++++++---- vendor/debian/makefile | 11 +++++++++++ vendor/debian/sources.list.in | 8 ++++++++ vendor/makefile | 42 ++++++++++++++++++++++++++++++++++++++++++ vendor/ubuntu/makefile | 11 +++++++++++ vendor/ubuntu/sources.list.in | 10 ++++++++++ 10 files changed, 97 insertions(+), 15 deletions(-) delete mode 100644 doc/examples/sources.list.in create mode 100644 vendor/debian/makefile create mode 100644 vendor/debian/sources.list.in create mode 100644 vendor/makefile create mode 100644 vendor/ubuntu/makefile create mode 100644 vendor/ubuntu/sources.list.in diff --git a/.gitignore b/.gitignore index 3e07e241b..d840ae48c 100644 --- a/.gitignore +++ b/.gitignore @@ -35,3 +35,6 @@ /debian/libapt-pkg*.install /debian/libapt-inst*.install /debian/libapt-pkg-dev.install +/vendor/current +/vendor/debian/sources.list +/vendor/ubuntu/sources.list diff --git a/Makefile b/Makefile index fb843983c..394149bf1 100644 --- a/Makefile +++ b/Makefile 
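Review bot: `export NOISY=1` in the debian/rules hunk sets the variable unconditionally although the added comment says "by default". The exports directly below use `?=`, and `export NOISY ?= 1` would leave a value already set in the builder's environment untouched; how NOISY is consumed is not visible here, so confirm that an override is wanted. The comment also misspells "diagnose" as `diangose`.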
@@ -11,6 +11,7 @@ default: startup all .PHONY: headers library clean veryclean all binary program doc test update-po all headers library clean veryclean binary program doc manpages debiandoc test update-po startup dirs: + $(MAKE) -C vendor $@ $(MAKE) -C apt-pkg $@ $(MAKE) -C apt-inst $@ $(MAKE) -C apt-private $@ @@ -20,7 +21,7 @@ all headers library clean veryclean binary program doc manpages debiandoc test u $(MAKE) -C dselect $@ $(MAKE) -C doc $@ $(MAKE) -C po $@ - $(MAKE) -C test $@ + $(MAKE) -C test $@ all headers library clean veryclean binary program doc manpages debiandoc test update-po: startup dirs diff --git a/doc/apt-verbatim.ent b/doc/apt-verbatim.ent index 0d0d95c7a..30b0c7fe0 100644 --- a/doc/apt-verbatim.ent +++ b/doc/apt-verbatim.ent @@ -221,11 +221,11 @@ - + - + / i\ diff --git a/doc/apt-cache.8.xml b/doc/apt-cache.8.xml index 0955c1c9e..a53a64446 100644 --- a/doc/apt-cache.8.xml +++ b/doc/apt-cache.8.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt-cdrom.8.xml b/doc/apt-cdrom.8.xml index b076a98a3..2fcd8e494 100644 --- a/doc/apt-cdrom.8.xml +++ b/doc/apt-cdrom.8.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt-config.8.xml b/doc/apt-config.8.xml index 39205e737..b84d25f7a 100644 --- a/doc/apt-config.8.xml +++ b/doc/apt-config.8.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt-extracttemplates.1.xml b/doc/apt-extracttemplates.1.xml index 4374c5ec3..d27e05075 100644 --- a/doc/apt-extracttemplates.1.xml +++ b/doc/apt-extracttemplates.1.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt-ftparchive.1.xml b/doc/apt-ftparchive.1.xml index 91fdfe1e0..6482b4632 100644 --- a/doc/apt-ftparchive.1.xml +++ b/doc/apt-ftparchive.1.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml index 4c050ec03..90f2b40f7 100644 --- a/doc/apt-get.8.xml +++ b/doc/apt-get.8.xml 
@@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt-key.8.xml b/doc/apt-key.8.xml index 6a36d08ca..5dbbaaf26 100644 --- a/doc/apt-key.8.xml +++ b/doc/apt-key.8.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> @@ -130,7 +132,7 @@ Update the local keyring with the archive keyring and remove from the local keyring the archive keys which are no longer valid. The archive keyring is shipped in the archive-keyring package of your - distribution, e.g. the debian-archive-keyring package in Debian. + distribution, e.g. the &keyring-package; package in &keyring-distro;. @@ -180,12 +182,12 @@ Local trust database of archive keys. - /usr/share/keyrings/debian-archive-keyring.gpg - Keyring of Debian archive trusted keys. + &keyring-filename; + Keyring of &keyring-distro; archive trusted keys. - /usr/share/keyrings/debian-archive-removed-keys.gpg - Keyring of Debian archive removed trusted keys. + &keyring-removed-filename; + Keyring of &keyring-distro; archive removed trusted keys. diff --git a/doc/apt-mark.8.xml b/doc/apt-mark.8.xml index 3503ece8f..d00e5b9e2 100644 --- a/doc/apt-mark.8.xml +++ b/doc/apt-mark.8.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml index 8cdfe3ab6..981351615 100644 --- a/doc/apt-secure.8.xml +++ b/doc/apt-secure.8.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> 
@@ -103,10 +105,10 @@ the maintainer signature is stripped off, and checksums of the package are computed and put in the Packages file. The checksums of all of the Packages files are then computed and put into the Release file. The - Release file is then signed by the archive key for this Debian release, + Release file is then signed by the archive key for this &keyring-distro; release, and distributed alongside the packages and the Packages files on - Debian mirrors. The keys are in the Debian archive keyring available in - the debian-archive-keyring package. + &keyring-distro; mirrors. The keys are in the &keyring-distro; archive keyring + available in the &keyring-package; package. diff --git a/doc/apt-sortpkgs.1.xml b/doc/apt-sortpkgs.1.xml index 482035b37..9bb03d624 100644 --- a/doc/apt-sortpkgs.1.xml +++ b/doc/apt-sortpkgs.1.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml index 428c0d2db..bfc43ba29 100644 --- a/doc/apt.conf.5.xml +++ b/doc/apt.conf.5.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/apt_preferences.5.xml b/doc/apt_preferences.5.xml index f56958fcc..d8c3efab7 100644 --- a/doc/apt_preferences.5.xml +++ b/doc/apt_preferences.5.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/doc/en/makefile b/doc/en/makefile index a4fb232d4..247ce38b5 100644 --- a/doc/en/makefile +++ b/doc/en/makefile @@ -9,12 +9,15 @@ include ../../buildlib/defaults.mak ifdef XSLTPROC # generate a list of accepted man page translations SOURCE = $(patsubst ../%.xml,%,$(wildcard ../*.?.xml)) -INCLUDES = ../apt.ent ../apt-verbatim.ent +INCLUDES = ../apt.ent ../apt-verbatim.ent apt-vendor.ent STYLESHEET=../manpage-style.xsl LOCAL := manpage-$(firstword $(SOURCE)) $(LOCAL)-LIST := $(SOURCE) +apt-vendor.ent: ../../vendor/current/apt-vendor.ent + ln -sf $(shell readlink -f $^) $@ + # Install generation hooks manpages: $($(LOCAL)-LIST) apt.8 
@@ -30,7 +33,7 @@ apt.8: ../apt.8 veryclean: clean/$(LOCAL) clean: clean/$(LOCAL) clean/$(LOCAL): - -rm -rf $($(@F)-LIST) apt.8 + -rm -rf $($(@F)-LIST) apt.8 apt-vendor.ent endif # Chain to the manpage rule diff --git a/doc/makefile b/doc/makefile index ebaca908f..49f3e1b56 100644 --- a/doc/makefile +++ b/doc/makefile @@ -15,6 +15,8 @@ doc: manpages debiandoc examples/sources.list: ../vendor/current/sources.list ln -sf $(shell readlink -f $^) $@ +apt-vendor.ent: ../vendor/current/apt-vendor.ent + ln -sf $(shell readlink -f $^) $@ # Examples SOURCE = examples/apt.conf examples/sources.list examples/configure-index examples/apt-https-method-example.conf @@ -26,7 +28,7 @@ include $(COPY_H) clean: clean/subdirs clean/examples veryclean: veryclean/subdirs clean/examples -manpages: manpages/subdirs +manpages: manpages/subdirs apt-vendor.ent debiandoc: debiandoc/subdirs DOCUMENTATIONPO = $(patsubst %.po,%,$(notdir $(wildcard po/*.po))) @@ -44,6 +46,7 @@ debiandoc/subdirs manpages/subdirs clean/subdirs veryclean/subdirs: clean/examples: rm -f examples/sources.list + rm -f apt-vendor.ent stats: for i in po/*.po; do echo -n "$$i: "; msgfmt --output-file=/dev/null --statistics $$i; done diff --git a/doc/po/apt-doc.pot b/doc/po/apt-doc.pot index 43c184106..43e14b779 100644 --- a/doc/po/apt-doc.pot +++ b/doc/po/apt-doc.pot @@ -1620,8 +1620,8 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" #. type: Content of: 
@@ -1670,22 +1670,22 @@ msgstr "" #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" msgstr "" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." +msgid "Keyring of &keyring-distro; archive trusted keys." msgstr "" #. type: Content of: #: apt-key.8.xml:187 -msgid "/usr/share/keyrings/debian-archive-removed-keys.gpg" +msgid "&keyring-removed-filename;" msgstr "" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." +msgid "Keyring of &keyring-distro; archive removed trusted keys." msgstr "" #. type: Content of: @@ -1862,10 +1862,10 @@ msgid "" "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the " -"debian-archive-keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the " +"&keyring-package; package." msgstr "" #. type: Content of: diff --git a/doc/po/de.po b/doc/po/de.po index 8ecbf4cbf..808fcd126 100644 --- a/doc/po/de.po +++ b/doc/po/de.po 
@@ -2265,14 +2265,14 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" "aktualisiert den lokalen Schlüsselbund mit dem Archivschlüsselbund und " "entfernt die Archivschlüssel, die nicht länger gültig sind, aus dem lokalen " "Schlüsselbund. Der Archivschlüsselbund wird im Paket archive-" "keyring Ihrer Distribution mitgeliefert, z.B. dem Paket " -"debian-archive-keyring in Debian." +"&keyring-package; in &keyring-distro;." #. type: Content of: #: apt-key.8.xml:144 
@@ -2335,26 +2335,26 @@ msgstr "lokale Datenbank vertrauenswürdiger Archivschlüssel" #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" -msgstr "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" +msgstr "&keyring-filename;" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." -msgstr "Schlüsselbund vertrauenswürdiger Schlüssel des Debian-Archivs" +msgid "Keyring of &keyring-distro; archive trusted keys." +msgstr "Schlüsselbund vertrauenswürdiger Schlüssel des &keyring-distro;-Archivs" #. type: Content of: #: apt-key.8.xml:187 msgid "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" msgstr "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." +msgid "Keyring of &keyring-distro; archive removed trusted keys." msgstr "" -"Schlüsselbund entfernter vertrauenswürdiger Schlüssel des Debian-Archivs" +"Schlüsselbund entfernter vertrauenswürdiger Schlüssel des &keyring-distro;-Archivs" #. type: Content of: #: apt-key.8.xml:197 
@@ -2600,19 +2600,19 @@ msgid "" "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the debian-archive-" -"keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the &keyring-package; " +"package." msgstr "" "Sobald das hochgeladene Paket überprüft und dem Archiv hinzugefügt wurde, " "wird die Betreuersignatur entfernt, Prüfsummen des Pakets werden berechnet " "und in die Datei Packages abgelegt. Die Prüfsummen aller Paketdateien werden " "berechnet und in der Release-Datei abgelegt. Dann wird die Release-Datei " -"durch den Archivschlüssel für diese Debian-Veröffentlichung signiert und " -"zusammen mit den Paketen und Packages-Dateien auf Debian-Spiegel verteilt. " -"Die Schlüssel sind im Debian-Archivschlüsselbund im Paket debian-" -"archive-keyring verfügbar." +"durch den Archivschlüssel für diese &keyring-distro;-Veröffentlichung signiert und " +"zusammen mit den Paketen und Packages-Dateien auf &keyring-distro;-Spiegel verteilt. " +"Die Schlüssel sind im &keyring-distro;-Archivschlüsselbund im Paket &keyring-package; " +"verfügbar." #. type: Content of: #: apt-secure.8.xml:113 diff --git a/doc/po/es.po b/doc/po/es.po index 38b2645ea..6b2e77914 100644 --- a/doc/po/es.po +++ b/doc/po/es.po 
@@ -2334,14 +2334,14 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" "Actualiza el registro de claves local con el registro de claves del archivo " "y elimina del registro local las claves de archivo que ya no son válidas. El " "registro de claves del archivo se encuentra en el paquete archive-" -"keyring de su distribución; esto es, el paquete debian-" -"archive-keyring en Debian." +"keyring de su distribución; esto es, el paquete &keyring-package; " +"en &keyring-distro;." #. type: Content of: #: apt-key.8.xml:144 
@@ -2404,25 +2404,25 @@ msgstr "Base de datos local de las claves de confianza de archivos Debian" #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" -msgstr "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" +msgstr "&keyring-filename;" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." -msgstr "Registro de las claves de confianza del archivo de Debian." +msgid "Keyring of &keyring-distro; archive trusted keys." +msgstr "Registro de las claves de confianza del archivo de &keyring-distro;." #. type: Content of: #: apt-key.8.xml:187 msgid "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" msgstr "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." -msgstr "Registro de las claves de confianza eliminadas del archivo de Debian." +msgid "Keyring of &keyring-distro; archive removed trusted keys." +msgstr "Registro de las claves de confianza eliminadas del archivo de &keyring-distro;." #. type: Content of: #: apt-key.8.xml:197 
@@ -2664,20 +2664,20 @@ msgid "" "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the debian-archive-" -"keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the &keyring-package; " +"package." msgstr "" "Una vez que el paquete enviado se ha verificado e incluido en el archivo, se " "elimina la firma del mantenedor, y se realizan las sumas de control del " "paquete, que se incluyen en el fichero «Packages». A continuación, se " "realiza una suma de control de todos los ficheros «Package», y se incluyen " "en el fichero «Release». Acto seguido, el fichero «Release» se firma con la " -"clave del archivo de esta distribución de Debian, y se distribuye junto con " -"los paquetes y los ficheros «Packages» de las réplicas de Debian. Las claves " -"están disponibles en el registro de claves del archivo Debian en el paquete " -"debian-archive-keyring package." +"clave del archivo de esta distribución de &keyring-distro;, y se distribuye junto con " +"los paquetes y los ficheros «Packages» de las réplicas de &keyring-distro;. Las claves " +"están disponibles en el registro de claves del archivo &keyring-distro; en el paquete " +"&keyring-package; package." #. type: Content of: #: apt-secure.8.xml:113 diff --git a/doc/po/fr.po b/doc/po/fr.po index c2f4b6d83..3849630b5 100644 --- a/doc/po/fr.po +++ b/doc/po/fr.po 
@@ -2261,14 +2261,14 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" "Mettre à jour le trousseau de clés local avec le trousseau de clés de " "l'archive et y supprimer les clés qui ne sont plus valables. Le trousseau de " "clés de l'archive est fourni dans le paquet archive-keyring de la distribution, par exemple le paquet debian-archive-" -"keyring dans Debian." +"literal> de la distribution, par exemple le paquet &keyring-package; " +"dans &keyring-distro;." #. type: Content of: #: apt-key.8.xml:144 
@@ -2331,25 +2331,25 @@ msgstr "Base de données locale de fiabilité des clés de l'archive." #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" -msgstr "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" +msgstr "&keyring-filename;" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." -msgstr "Trousseau des clés fiables de l'archive Debian." +msgid "Keyring of &keyring-distro; archive trusted keys." +msgstr "Trousseau des clés fiables de l'archive &keyring-distro;." #. type: Content of: #: apt-key.8.xml:187 msgid "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" msgstr "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." -msgstr "Trousseau des clés fiables supprimées de l'archive Debian." +msgid "Keyring of &keyring-distro; archive removed trusted keys." +msgstr "Trousseau des clés fiables supprimées de l'archive &keyring-distro;." #. type: Content of: #: apt-key.8.xml:197 
@@ -2587,15 +2587,16 @@ msgstr "" #. type: Content of: #: apt-secure.8.xml:102 +#, fuzzy msgid "" "Once the uploaded package is verified and included in the archive, the " "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the debian-archive-" -"keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the &keyring-package; " +"package." msgstr "" "Une fois que le paquet envoyé a été vérifié et inclus dans l'archive, la " "signature du responsable est enlevée, une somme de contrôle du paquet est " @@ -2603,8 +2604,7 @@ msgstr "" "paquets est ensuite calculée et mise dans le fichier Release. Ce fichier est " "signé par la clé de l'archive pour la version courante de la distribution et " "distribuée en même temps que les paquets et les fichiers Packages sur les " -"miroirs. Les clés sont fournies par le paquet debian-archive-" -"keyring." +"miroirs. Les clés sont fournies par le paquet &keyring-package;." #. type: Content of: #: apt-secure.8.xml:113 diff --git a/doc/po/it.po b/doc/po/it.po index df144e2b7..9f614a468 100644 --- a/doc/po/it.po +++ b/doc/po/it.po 
@@ -2300,14 +2300,14 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" "Aggiorna il portachiavi locale con il portachiavi dell'archivio e rimuove " "dal portachiavi locale le chiavi di archivio che non sono più valide. Il " "portachiavi degli archivi è fornito nel pacchetto archive-keyring delle diverse distribuzioni, ad esempio il pacchetto " -"debian-archive-keyring in Debian." +"&keyring-package; in &keyring-distro;." #. type: Content of: #: apt-key.8.xml:144 @@ -2370,25 +2370,25 @@ msgstr "Database locale di fiducia delle chiavi archiviate." #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" -msgstr "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" +msgstr "&keyring-filename;" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." -msgstr "Portachiavi delle chiavi fidate degli archivi Debian." +msgid "Keyring of &keyring-distro; archive trusted keys." +msgstr "Portachiavi delle chiavi fidate degli archivi &keyring-distro;." #. type: Content of: #: apt-key.8.xml:187 msgid "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" msgstr "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." -msgstr "Portachiavi delle chiavi fidate rimosse degli archivi Debian." +msgid "Keyring of &keyring-distro; archive removed trusted keys." +msgstr "Portachiavi delle chiavi fidate rimosse degli archivi &keyring-distro;." #. type: Content of: #: apt-key.8.xml:197 
@@ -2633,19 +2633,19 @@ msgid "" "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the debian-archive-" -"keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the &keyring-package; " +"package." msgstr "" "Una volta che il pacchetto caricato è verificato e incluso nell'archivio, la " "firma del manutentore viene rimossa e i codici di controllo del pacchetto " "vengono calcolati e messi nel file Packages. Vengono quindi calcolati i " "codici di controllo di tutti i file Packages e vengono messi nel file " "Release. Il file Release viene poi firmato con la chiave dell'archivio per " -"questo rilascio di Debian e viene distribuito insieme ai pacchetti e ai file " -"Packages nei mirror Debian. Le chiavi sono nel portachiavi degli archivi " -"Debian, disponibile nel pacchetto debian-archive-keyring." +"questo rilascio di &keyring-distro; e viene distribuito insieme ai pacchetti e ai file " +"Packages nei mirror &keyring-distro;. Le chiavi sono nel portachiavi degli archivi " +"&keyring-distro;, disponibile nel pacchetto &keyring-package;." #. type: Content of: #: apt-secure.8.xml:113 diff --git a/doc/po/ja.po b/doc/po/ja.po index 6b767f195..7370e21d8 100644 --- a/doc/po/ja.po +++ b/doc/po/ja.po 
@@ -2219,13 +2219,13 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" "ローカルキーリングをアーカイブキーリングで更新し、もう有効でなくなったアーカ" "イブキーをローカルキーリングから削除します。アーカイブキーリングは、使用中の" "ディストリビューションにある archive-keyring パッケージ " -"(例: Debian では debian-archive-keyring パッケージ) で提供" +"(例: &keyring-distro; では &keyring-package; パッケージ) で提供" "されています。" #. type: Content of: @@ -2287,25 +2287,25 @@ msgstr "アーカイブキーのローカル信頼データベースです。" #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" -msgstr "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" +msgstr "&keyring-filename;" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." -msgstr "Debian アーカイブ信頼キーのキーリングです。" +msgid "Keyring of &keyring-distro; archive trusted keys." +msgstr "&keyring-distro; アーカイブ信頼キーのキーリングです。" #. type: Content of: #: apt-key.8.xml:187 msgid "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" msgstr "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." -msgstr "削除された Debian アーカイブ信頼キーのキーリングです。" +msgid "Keyring of &keyring-distro; archive removed trusted keys." +msgstr "削除された &keyring-distro; アーカイブ信頼キーのキーリングです。" #. type: Content of: #: apt-key.8.xml:197 
@@ -2541,18 +2541,18 @@ msgid "" "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the debian-archive-" -"keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the &keyring-package; " +"package." msgstr "" "アップロードされたパッケージが検証されてアーカイブに格納されると、メンテナの" "署名を取り外し、パッケージのチェックサムを計算して、Packages ファイルに格納し" "ます。その後、全パッケージファイルのチェックサムを計算して、Release ファイル" -"に格納します。Release ファイルは、その Debian リリースのアーカイブキーで署名" -"され、Debian ミラーサイトでパッケージや Packages ファイルとともに配布されま" -"す。このキーは、debian-archive-keyring パッケージに収録さ" -"れている、Debian アーカイブキーリングに含まれます。" +"に格納します。Release ファイルは、その &keyring-distro; リリースのアーカイブキーで署名" +"され、&keyring-distro; ミラーサイトでパッケージや Packages ファイルとともに配布されま" +"す。このキーは、&keyring-package; パッケージに収録さ" +"れている、&keyring-distro; アーカイブキーリングに含まれます。" #. type: Content of: #: apt-secure.8.xml:113 diff --git a/doc/po/pl.po b/doc/po/pl.po index 2b33324b6..81edfb704 100644 --- a/doc/po/pl.po +++ b/doc/po/pl.po 
@@ -2366,14 +2366,14 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" "Aktualizuje lokalną składnicę kluczy używając składnicy kluczy archiwum i " "usuwa z lokalnej składnicy niepoprawne klucze archiwum. Składnica kluczy " "archiwum jest dostarczana przez pakiet archive-keyring " -"Twojej dystrybucji, np. pakiet debian-archive-keyring w " -"systemach Debiana." +"Twojej dystrybucji, np. pakiet &keyring-package; w " +"systemach &keyring-distro;." #. type: Content of: #: apt-key.8.xml:144 @@ -2436,25 +2436,25 @@ msgstr "Lokalna składnica zaufanych kluczy archiwum." #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" -msgstr "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" +msgstr "&keyring-filename;" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." -msgstr "Składnica zaufanych kluczy archiwum Debiana." +msgid "Keyring of &keyring-distro; archive trusted keys." +msgstr "Składnica zaufanych kluczy archiwum &keyring-distro;." #. type: Content of: #: apt-key.8.xml:187 msgid "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" msgstr "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." -msgstr "Składnica usuniętych zaufanych kluczy archiwum Debiana." +msgid "Keyring of &keyring-distro; archive removed trusted keys." +msgstr "Składnica usuniętych zaufanych kluczy archiwum &keyring-distro;." #. type: Content of: #: apt-key.8.xml:197 
@@ -2696,20 +2696,19 @@ msgid "" "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the debian-archive-" -"keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the &keyring-package; " +"package." msgstr "" "Po tym jak dostarczony przez opiekuna pakiet zostanie zweryfikowany i " "dołączony do archiwum, sygnatura opiekuna jest usuwana, a sumy kontrolne " "pakietu są wyliczane i umieszczane w pliku Packages. Sumy kontrolne " "wszystkich plików Packages są następnie wyliczane i umieszczane w pliku " "Release. Plik Release jest następnie podpisywany przy użyciu klucza archiwum " -"tego wydania dystrybucji Debiana i dystrybuowany wraz z pakietami i plikami " -"Packages przez serwery lustrzane Debiana. Klucze archiwum znajdują się w " -"składnicy kluczy Debiana dostępnej w pakiecie debian-archive-" -"keyring." +"tego wydania dystrybucji &keyring-distro; i dystrybuowany wraz z pakietami i plikami " +"Packages przez serwery lustrzane &keyring-distro;. Klucze archiwum znajdują się w " +"składnicy kluczy &keyring-distro; dostępnej w pakiecie &keyring-package;." #. type: Content of: #: apt-secure.8.xml:113 diff --git a/doc/po/pt.po b/doc/po/pt.po index 726b184d0..b06026154 100644 --- a/doc/po/pt.po +++ b/doc/po/pt.po 
@@ -2280,13 +2280,13 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" "Actualiza o chaveiro local com o chaveiro do arquivo e remove do chaveiro " "local as chaves de arquivo que já não são válidas. O chaveiro do arquivo é " "submetido no pacote archive-keyring da sua distribuição, " -"por exemplo o pacote debian-archive-keyring em Debian." +"por exemplo o pacote &keyring-package; em &keyring-distro;." #. type: Content of: #: apt-key.8.xml:144 @@ -2349,25 +2349,25 @@ msgstr "Base de dados local de confiança de chaves de arquivos." #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" -msgstr "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" +msgstr "&keyring-filename;" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." -msgstr "Chaveiro das chaves de confiança dos arquivos Debian." +msgid "Keyring of &keyring-distro; archive trusted keys." +msgstr "Chaveiro das chaves de confiança dos arquivos &keyring-distro;." #. type: Content of: #: apt-key.8.xml:187 msgid "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" msgstr "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." -msgstr "Chaveiro das chaves de confiança removidas dos arquivos Debian." +msgid "Keyring of &keyring-distro; archive removed trusted keys." +msgstr "Chaveiro das chaves de confiança removidas dos arquivos &keyring-distro;." #. type: Content of: #: apt-key.8.xml:197 
@@ -2609,20 +2609,19 @@ msgid "" "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the debian-archive-" -"keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the &keyring-package; " +"package." msgstr "" "Assim que o pacote submetido é verificado e incluído no arquivo, a " "assinatura do responsável é despojada, são computados sumários de " "verificação do pacote e colocado no ficheiro Packages. Os sumários de " "verificação de todos os ficheiros Packages são então computados e colocados " "no ficheiro Release. O ficheiro Release é então assinado pela chave de " -"arquivo para este lançamento de Debian, e distribuído juntamente com os " -"pacotes e os ficheiros Packages em mirrors de Debian. As chaves estão no " -"chaveiro do arquivo Debian no pacote debian-archive-keyring." +"arquivo para este lançamento de &keyring-distro;, e distribuído juntamente com os " +"pacotes e os ficheiros Packages em mirrors de &keyring-distro;. As chaves estão no " +"chaveiro do arquivo &keyring-distro; no pacote &keyring-package;." #. type: Content of: #: apt-secure.8.xml:113 diff --git a/doc/po/pt_BR.po b/doc/po/pt_BR.po index 00619cd22..a5df9e80e 100644 --- a/doc/po/pt_BR.po +++ b/doc/po/pt_BR.po 
@@ -1618,8 +1618,8 @@ msgid "" "Update the local keyring with the archive keyring and remove from the local " "keyring the archive keys which are no longer valid. The archive keyring is " "shipped in the archive-keyring package of your " -"distribution, e.g. the debian-archive-keyring package in " -"Debian." +"distribution, e.g. the &keyring-package; package in " +"&keyring-distro;." msgstr "" #. type: Content of: @@ -1669,23 +1669,23 @@ msgstr "" #. type: Content of: #: apt-key.8.xml:183 -msgid "/usr/share/keyrings/debian-archive-keyring.gpg" +msgid "&keyring-filename;" msgstr "" #. type: Content of: #: apt-key.8.xml:184 -msgid "Keyring of Debian archive trusted keys." +msgid "Keyring of &keyring-distro; archive trusted keys." msgstr "" #. type: Content of: #: apt-key.8.xml:187 msgid "" -"/usr/share/keyrings/debian-archive-removed-keys.gpg" +"&keyring-removed-filename;" msgstr "" #. type: Content of: #: apt-key.8.xml:188 -msgid "Keyring of Debian archive removed trusted keys." +msgid "Keyring of &keyring-distro; archive removed trusted keys." msgstr "" #. type: Content of: @@ -1863,10 +1863,10 @@ msgid "" "maintainer signature is stripped off, and checksums of the package are " "computed and put in the Packages file. The checksums of all of the Packages " "files are then computed and put into the Release file. The Release file is " -"then signed by the archive key for this Debian release, and distributed " -"alongside the packages and the Packages files on Debian mirrors. The keys " -"are in the Debian archive keyring available in the debian-archive-" -"keyring package." +"then signed by the archive key for this &keyring-distro; release, and distributed " +"alongside the packages and the Packages files on &keyring-distro; mirrors. The keys " +"are in the &keyring-distro; archive keyring available in the &keyring-package; " +"package." msgstr "" #. type: Content of: diff --git a/doc/sources.list.5.xml b/doc/sources.list.5.xml index fa32297c2..87fb4d71e 100644 
--- a/doc/sources.list.5.xml +++ b/doc/sources.list.5.xml @@ -8,6 +8,8 @@ %aptverbatiment; + +%aptvendor; ]> diff --git a/vendor/debian/apt-vendor.ent b/vendor/debian/apt-vendor.ent new file mode 100644 index 000000000..56775bbaa --- /dev/null +++ b/vendor/debian/apt-vendor.ent @@ -0,0 +1,5 @@ + + +debian-archive-keyring"> +/usr/share/keyrings/debian-archive-keyring.gpg"> +/usr/share/keyrings/debian-archive-removed-keys.gpg"> diff --git a/vendor/ubuntu/apt-vendor.ent b/vendor/ubuntu/apt-vendor.ent new file mode 100644 index 000000000..fd5e5a7cf --- /dev/null +++ b/vendor/ubuntu/apt-vendor.ent @@ -0,0 +1,5 @@ + + +ubuntu-keyring"> +/usr/share/keyrings/ubuntu-archive-keyring.gpg"> +/usr/share/keyrings/ubuntu-archive-removed-keys.gpg"> -- cgit v1.2.3 From 0005fa07886135d6adfec59f2d722df229b7af12 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 22:07:38 +0100 Subject: use a substvar to set the archive-keyring in debian/control Adds a small helper to extract the small information bits we store in apt-vendor.ent and uses it in debian/rules to set apt:keyring as a substvar for debian/control populated with the &keyring-package; info --- debian/control | 2 +- debian/rules | 2 +- vendor/debian/makefile | 2 +- vendor/getinfo | 36 ++++++++++++++++++++++++++++++++++++ vendor/ubuntu/makefile | 2 +- 5 files changed, 40 insertions(+), 4 deletions(-) create mode 100755 vendor/getinfo diff --git a/debian/control b/debian/control index 84d6155a6..c70d0e9ea 100644 --- a/debian/control +++ b/debian/control @@ -17,7 +17,7 @@ XS-Testsuite: autopkgtest Package: apt Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, debian-archive-keyring, gnupg +Depends: ${shlibs:Depends}, ${misc:Depends}, ${apt:keyring}, gnupg Replaces: manpages-pl (<< 20060617-3~), manpages-it (<< 2.80-4~) Breaks: manpages-pl (<< 20060617-3~), manpages-it (<< 2.80-4~) Conflicts: python-apt (<< 0.7.93.2~) diff --git a/debian/rules b/debian/rules index 28525af50..f4f7ec06b 100755 
--- a/debian/rules +++ b/debian/rules @@ -219,7 +219,7 @@ apt: build-binary build-manpages debian/apt.install dh_fixperms -p$@ dh_installdeb -p$@ dh_shlibdeps -p$@ - dh_gencontrol -p$@ + dh_gencontrol -p$@ -- -Vapt:keyring="$(shell ./vendor/getinfo keyring-package)" dh_md5sums -p$@ dh_builddeb -p$@ diff --git a/vendor/debian/makefile b/vendor/debian/makefile index 41202c6a0..dd35a70f0 100644 --- a/vendor/debian/makefile +++ b/vendor/debian/makefile @@ -8,4 +8,4 @@ include ../../buildlib/defaults.mak doc: sources.list sources.list: sources.list.in ../../doc/apt-verbatim.ent - sed -e 's#&stable-codename;#$(shell grep --max-count=1 '^ $@ + sed -e 's#&stable-codename;#$(shell ../getinfo debian-stable-codename)#g' $< > $@ diff --git a/vendor/getinfo b/vendor/getinfo new file mode 100755 index 000000000..df5a44e5c --- /dev/null +++ b/vendor/getinfo @@ -0,0 +1,36 @@ +#!/bin/sh +# small helper to extract information form *.ent files + +BASEDIR="$(readlink -f "$(dirname $0)")" +INFO="$(readlink -f "${BASEDIR}/current/apt-vendor.ent")" + +if [ -z "$INFO" ] || [ ! -e "$INFO" ]; then + echo >&2 'The current vendor is not valid or not chosen by the buildsystem yet.' + exit 1 +fi + +getrawfield() { + grep --max-count=1 "^}" + echo "${FIELD%<*}" +} + +case "$1" in +debian-stable-codename) + getrawfield 'stable-codename' "${BASEDIR}/../doc/apt-verbatim.ent" + ;; +ubuntu-codename) + getrawfield 'stable-codename' "${BASEDIR}/../doc/apt-verbatim.ent" + ;; +keyring-package) + getfield "$1" + ;; +*) + echo >&2 "Unknown data field $1 requested" + exit 2 + ;; +esac diff --git a/vendor/ubuntu/makefile b/vendor/ubuntu/makefile index 388a529a9..ea67e6e63 100644 --- a/vendor/ubuntu/makefile +++ b/vendor/ubuntu/makefile 
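Review bot: The `-Vapt:keyring=` value on the changed `dh_gencontrol` line is taken from `$(shell ./vendor/getinfo keyring-package)`, and make discards the exit status of `$(shell …)`, so a failing helper produces an empty substvar rather than a failed build. `vendor/getinfo` exits 1 when no vendor has been selected, and in that case `${apt:keyring}` in debian/control would presumably expand to nothing, leaving the apt package without its archive-keyring dependency. A guard line ahead of it in the recipe, `test -n "$$(./vendor/getinfo keyring-package)"`, would stop the build instead. The recipe of the `apt:` target starts outside the hunk.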
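Review bot: In the `case` at the end of `vendor/getinfo` the `ubuntu-codename` branch requests the same field as `debian-stable-codename`, namely `getrawfield 'stable-codename' …`, which looks like a copy-paste slip. vendor/ubuntu/makefile substitutes `&ubuntu-codename;` with this output, so the Ubuntu sources.list would apparently receive the Debian stable codename; the branch probably wants `getrawfield 'ubuntu-codename' "${BASEDIR}/../doc/apt-verbatim.ent"`, assuming apt-verbatim.ent defines that entity. Separately, `$(dirname $0)` on the `BASEDIR` line should quote `"$0"` so that a checkout path containing spaces still resolves, and the header comment reads "form" where "from" is meant.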
@@ -8,4 +8,4 @@ include ../../buildlib/defaults.mak doc: sources.list sources.list: sources.list.in ../../doc/apt-verbatim.ent - sed -e 's#&ubuntu-codename;#$(shell grep --max-count=1 '^ $@ + sed -e 's#&ubuntu-codename;#$(shell ../getinfo ubuntu-codename)#g' $< > $@ -- cgit v1.2.3 From f87338d2da95ba7d55a1a67b4506717e94d49bca Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 23:07:20 +0100 Subject: cherry-pick ubuntus (disabled) net-update fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With the net-update command a special keyring can be downloaded and imported into apt, which must be signed by a master key. Its is currently disabled because of security problems with it – and the only known user before that was Ubuntu. --- cmdline/apt-key | 44 +++++++--- .../integration/exploid-keyring-with-dupe-keys.pub | Bin 0 -> 3986 bytes .../exploid-keyring-with-dupe-subkeys.pub | Bin 0 -> 2016 bytes test/integration/test-apt-key-net-update | 95 +++++++++++++++++++++ 4 files changed, 126 insertions(+), 13 deletions(-) create mode 100644 test/integration/exploid-keyring-with-dupe-keys.pub create mode 100644 test/integration/exploid-keyring-with-dupe-subkeys.pub create mode 100755 test/integration/test-apt-key-net-update diff --git a/cmdline/apt-key b/cmdline/apt-key index 713a41c07..64cf5a6f4 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key 
@@ -25,17 +25,15 @@ GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" GPG="$GPG_CMD" -MASTER_KEYRING="" -#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg +MASTER_KEYRING='' eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) -ARCHIVE_KEYRING_URI="" -#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg -eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) - -ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg +ARCHIVE_KEYRING='/usr/share/keyrings/debian-archive-keyring.gpg' eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) -REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg +REMOVED_KEYS='/usr/share/keyrings/debian-archive-removed-keys.gpg' eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) +ARCHIVE_KEYRING_URI='' +eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) +TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg requires_root() { if [ "$(id -u)" -ne 0 ]; then @@ -57,7 +55,7 @@ init_keyring() { add_keys_with_verify_against_master_keyring() { ADD_KEYRING=$1 MASTER=$2 - + if [ ! -f "$ADD_KEYRING" ]; then echo "ERROR: '$ADD_KEYRING' not found" return 
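Review bot: `TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg` in the first hunk is a fixed path in a directory that, as far as the page shows, only `net_update` creates, so `add_keys_with_verify_against_master_keyring` relies on its caller for the directory and leaves the exported key behind if the script is interrupted before the closing `rm -f`. The script already sets up a private `mktemp -d` directory with mode 700 and removes it from its exit trap; putting the file there, `TMP_KEYRING="${TRUSTDBDIR}/maybe-import-keyring.gpg"`, covers both cases. The uses of `$TMP_KEYRING` in the later hunks are unquoted, which is harmless for this value but worth quoting if the path ever becomes configurable.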
@@ -72,12 +70,28 @@ add_keys_with_verify_against_master_keyring() {
 # all keys that are exported must have a valid signature
 # from a key in the $distro-master-keyring
 add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
 master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
+
+ # ensure there are no colisions LP: #857472
+ for all_add_key in $all_add_keys; do
+ for master_key in $master_keys; do
+ if [ "$all_add_key" = "$master_key" ]; then
+ echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
+ return 1
+ fi
+ done
+ done
+
 for add_key in $add_keys; do
- ADDED=0
+ # export the add keyring one-by-one
+ rm -f $TMP_KEYRING
+ $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key
+ # check if signed with the master key and only add in this case
+ ADDED=0
 for master_key in $master_keys; do
- if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
- $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
+ if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
+ $GPG --import $TMP_KEYRING
 ADDED=1
 fi
 done
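Review bot: Keys are identified throughout this hunk by the fifth colon field, i.e. the 64-bit key ID, and `$GPG --import $TMP_KEYRING` then imports everything `--export $add_key` matched, while the `--check-sigs` test only establishes that something answering to that ID carries a good master signature. If more than one key in `$ADD_KEYRING` answers to the same ID these need not be the same key, so selection, verification and import should be tied to the full fingerprint (the `fpr` records of `--with-colons --fingerprint`) rather than to the key ID. The new pattern in `grep ^[ps]ub` is also unquoted and therefore subject to pathname expansion; write `grep '^[ps]ub'`. The function begins and ends outside the hunk.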
@@ -85,12 +99,16 @@ add_keys_with_verify_against_master_keyring() { echo >&2 "Key '$add_key' not added. It is not signed with a master key" fi done + rm -f $TMP_KEYRING } # update the current archive signing keyring from a network URI # the archive-keyring keys needs to be signed with the master key # (otherwise it does not make sense from a security POV) net_update() { + # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) + exit 1 + if [ -z "$ARCHIVE_KEYRING_URI" ]; then echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" exit 1 @@ -110,7 +128,7 @@ net_update() { if [ -e $keyring ]; then old_mtime=$(stat -c %Y $keyring) fi - (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) + (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) if [ ! -e $keyring ]; then return fi diff --git a/test/integration/exploid-keyring-with-dupe-keys.pub b/test/integration/exploid-keyring-with-dupe-keys.pub new file mode 100644 index 000000000..642952a40 Binary files /dev/null and b/test/integration/exploid-keyring-with-dupe-keys.pub differ diff --git a/test/integration/exploid-keyring-with-dupe-subkeys.pub b/test/integration/exploid-keyring-with-dupe-subkeys.pub new file mode 100644 index 000000000..02d4e6ee8 Binary files /dev/null and b/test/integration/exploid-keyring-with-dupe-subkeys.pub differ diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update new file mode 100755 index 000000000..d5205836f --- /dev/null +++ b/test/integration/test-apt-key-net-update 
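Review bot: The `exit 1` added at the top of `net_update` fails without any message, so `apt-key net-update` now ends silently with status 1 while the usage text still advertises the command. Print the reason first, e.g. `echo >&2 "ERROR: net-update is disabled for security reasons"`, so that callers and anyone reading logs can tell a deliberate refusal from a crash. Everything below the `exit` is unreachable, including the `wget --timeout=90` change in the second hunk; a comment stating that the body is kept only for a later re-enable would make that explicit. `net_update` continues outside both hunks.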
@@ -0,0 +1,95 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +# mock +requires_root() { + return 0 +} + +# extract net_update() and import it +func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key ) +eval "$func" + +mkdir -p ./etc/apt +TRUSTEDFILE=./etc/apt/trusted.gpg +mkdir -p ./var/lib/apt/keyrings +TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" +GPG="$GPG_CMD --keyring $TRUSTEDFILE" +MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg + + +msgtest "add_keys_with_verify_against_master_keyring" +if [ ! -e $MASTER_KEYRING ]; then + echo -n "No $MASTER_KEYRING found" + msgskip + exit 0 +fi + +# test bad keyring and ensure its not added (LP: #857472) +ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgfail +else + msgpass +fi + +# ensure the keyring is still empty +gpg_out=$($GPG --list-keys) +msgtest "Test if keyring is empty" +if [ -n "" ]; then + msgfail +else + msgpass +fi + + +# test another possible attack vector using subkeys (LP: #1013128) +msgtest "add_keys_with_verify_against_master_keyring with subkey attack" +ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgfail +else + msgpass +fi + +# ensure the keyring is still empty +gpg_out=$($GPG --list-keys) +msgtest "Test if keyring is empty" +if [ -n "" ]; then + msgfail +else + msgpass +fi + + +# test good keyring and ensure we get no errors +ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgpass +else + msgfail +fi + +testequal './etc/apt/trusted.gpg +--------------------- +pub 1024D/437D05B5 2004-09-12 +uid 
Ubuntu Archive Automatic Signing Key +sub 2048g/79164387 2004-09-12 + +pub 1024D/FBB75451 2004-12-30 +uid Ubuntu CD Image Automatic Signing Key + +pub 4096R/C0B21F32 2012-05-11 +uid Ubuntu Archive Automatic Signing Key (2012) + +pub 4096R/EFE21092 2012-05-11 +uid Ubuntu CD Image Automatic Signing Key (2012) +' $GPG --list-keys + -- cgit v1.2.3 From 5b2c6ddcc0e45c92c544032ad2bb91bdf7222d7c Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 23:11:43 +0100 Subject: generate apt-key script with vendor info about keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The apt-key script uses quiet a few keyring files for operation which are specific to the distribution it is build on and is hence one of the most patched parts – even if it is not that often used anymore now that a fragment directory for trusted.gpg exists. --- .gitignore | 1 + cmdline/apt-key | 354 ------------------------------------------- cmdline/apt-key.in | 354 +++++++++++++++++++++++++++++++++++++++++++ cmdline/makefile | 8 + vendor/debian/apt-vendor.ent | 2 + vendor/getinfo | 2 +- vendor/ubuntu/apt-vendor.ent | 2 + 7 files changed, 368 insertions(+), 355 deletions(-) delete mode 100755 cmdline/apt-key create mode 100644 cmdline/apt-key.in diff --git a/.gitignore b/.gitignore index 76b24f9c5..321b15471 100644 --- a/.gitignore +++ b/.gitignore @@ -31,6 +31,7 @@ /debian/apt-transport-https/ # generated from *.in files +/cmdline/apt-key /doc/apt-vendor.ent /doc/examples/sources.list /debian/libapt-pkg*.install diff --git a/cmdline/apt-key b/cmdline/apt-key deleted file mode 100755 index 64cf5a6f4..000000000 --- a/cmdline/apt-key +++ /dev/null 
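Review bot: Both "Test if keyring is empty" checks in test-apt-key-net-update test a literal empty string, `if [ -n "" ]; then`, so they always take the `msgpass` branch and `gpg_out` is never read. As written the test cannot notice a key that ended up in `trusted.gpg` after the dupe-key or dupe-subkey keyring was rejected; the condition presumably should be `if [ -n "$gpg_out" ]; then`. The comment `# extract net_update() and import it` also names a different function than the `sed` range extracts, which is `add_keys_with_verify_against_master_keyring`.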
@@ -1,354 +0,0 @@ -#!/bin/sh - -set -e -unset GREP_OPTIONS - -GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" - -# gpg needs a trustdb to function, but it can't be invalid (not even empty) -# so we create a temporary directory to store our fresh readable trustdb in -TRUSTDBDIR="$(mktemp -d)" -CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" -trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM -chmod 700 "$TRUSTDBDIR" -# We also don't use a secret keyring, of course, but gpg panics and -# implodes if there isn't one available - and writeable for imports -SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" -touch $SECRETKEYRING -GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" -GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" - -# now create the trustdb with an (empty) dummy keyring -$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING -# and make sure that gpg isn't trying to update the file -GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" - -GPG="$GPG_CMD" - -MASTER_KEYRING='' -eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) -ARCHIVE_KEYRING='/usr/share/keyrings/debian-archive-keyring.gpg' -eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) -REMOVED_KEYS='/usr/share/keyrings/debian-archive-removed-keys.gpg' -eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) -ARCHIVE_KEYRING_URI='' -eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) -TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg - -requires_root() { - if [ "$(id -u)" -ne 0 ]; then - echo >&1 "ERROR: This command can only be used by root." - exit 1 - fi -} - -# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. -init_keyring() { - for path; do - if ! [ -e "$path" ]; then - touch -- "$path" - chmod 0644 -- "$path" - fi - done -} - -add_keys_with_verify_against_master_keyring() { - ADD_KEYRING=$1 - MASTER=$2 - - if [ ! 
-f "$ADD_KEYRING" ]; then - echo "ERROR: '$ADD_KEYRING' not found" - return - fi - if [ ! -f "$MASTER" ]; then - echo "ERROR: '$MASTER' not found" - return - fi - - # when adding new keys, make sure that the archive-master-keyring - # is honored. so: - # all keys that are exported must have a valid signature - # from a key in the $distro-master-keyring - add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` - all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` - master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` - - # ensure there are no colisions LP: #857472 - for all_add_key in $all_add_keys; do - for master_key in $master_keys; do - if [ "$all_add_key" = "$master_key" ]; then - echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" - return 1 - fi - done - done - - for add_key in $add_keys; do - # export the add keyring one-by-one - rm -f $TMP_KEYRING - $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key - # check if signed with the master key and only add in this case - ADDED=0 - for master_key in $master_keys; do - if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then - $GPG --import $TMP_KEYRING - ADDED=1 - fi - done - if [ $ADDED = 0 ]; then - echo >&2 "Key '$add_key' not added. 
It is not signed with a master key" - fi - done - rm -f $TMP_KEYRING -} - -# update the current archive signing keyring from a network URI -# the archive-keyring keys needs to be signed with the master key -# (otherwise it does not make sense from a security POV) -net_update() { - # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) - exit 1 - - if [ -z "$ARCHIVE_KEYRING_URI" ]; then - echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" - exit 1 - fi - requires_root - # in theory we would need to depend on wget for this, but this feature - # isn't useable in debian anyway as we have no keyring uri nor a master key - if ! which wget >/dev/null 2>&1; then - echo >&2 "ERROR: an installed wget is required for a network-based update" - exit 1 - fi - if [ ! -d /var/lib/apt/keyrings ]; then - mkdir -p /var/lib/apt/keyrings - fi - keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) - old_mtime=0 - if [ -e $keyring ]; then - old_mtime=$(stat -c %Y $keyring) - fi - (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) - if [ ! -e $keyring ]; then - return - fi - new_mtime=$(stat -c %Y $keyring) - if [ $new_mtime -ne $old_mtime ]; then - echo "Checking for new archive signing keys now" - add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING - fi -} - -update() { - if [ ! -f $ARCHIVE_KEYRING ]; then - echo >&2 "ERROR: Can't find the archive-keyring" - echo >&2 "Is the debian-archive-keyring package installed?" - exit 1 - fi - requires_root - - # add new keys from the package; - - # we do not use add_keys_with_verify_against_master_keyring here, - # because "update" is run on regular package updates. A - # attacker might as well replace the master-archive-keyring file - # in the package and add his own keys. so this check wouldn't - # add any security. 
we *need* this check on net-update though - $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import - - if [ -r "$REMOVED_KEYS" ]; then - # remove no-longer supported/used keys - keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` - for key in $keys; do - if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then - $GPG --quiet --batch --delete-key --yes ${key} - fi - done - else - echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2 - fi -} - -remove_key_from_keyring() { - local GPG="$GPG_CMD --keyring $1" - # check if the key is in this keyring: the key id is in the 5 column at the end - if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then - return - fi - if [ ! -w "$1" ]; then - echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only." - return - fi - # check if it is the only key in the keyring and if so remove the keyring alltogether - if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then - mv -f "$1" "${1}~" # behave like gpg - return - fi - # we can't just modify pointed to files as these might be in /usr or something - local REALTARGET - if [ -L "$1" ]; then - REALTARGET="$(readlink -f "$1")" - mv -f "$1" "${1}.dpkg-tmp" - cp -a "$REALTARGET" "$1" - ls "$(dirname $1)" - fi - # delete the key from the keyring - $GPG --batch --delete-key --yes "$2" - if [ -n "$REALTARGET" ]; then - # the real backup is the old link, not the copy we made - mv -f "${1}.dpkg-tmp" "${1}~" - fi -} - -remove_key() { - requires_root - - # if a --keyring was given, just remove from there - if [ -n "$FORCED_KEYRING" ]; then - remove_key_from_keyring "$FORCED_KEYRING" "$1" - else - # otherwise all known keyrings are up for inspection - local TRUSTEDFILE="/etc/apt/trusted.gpg" - eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) - eval $(apt-config 
shell TRUSTEDFILE Dir::Etc::Trusted/f) - remove_key_from_keyring "$TRUSTEDFILE" "$1" - TRUSTEDPARTS="/etc/apt/trusted.gpg.d" - eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) - if [ -d "$TRUSTEDPARTS" ]; then - for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do - remove_key_from_keyring "$trusted" "$1" - done - fi - fi - echo "OK" -} - - -usage() { - echo "Usage: apt-key [--keyring file] [command] [arguments]" - echo - echo "Manage apt's list of trusted keys" - echo - echo " apt-key add - add the key contained in ('-' for stdin)" - echo " apt-key del - remove the key " - echo " apt-key export - output the key " - echo " apt-key exportall - output all trusted keys" - echo " apt-key update - update keys using the keyring package" - echo " apt-key net-update - update keys using the network" - echo " apt-key list - list keys" - echo " apt-key finger - list fingerprints" - echo " apt-key adv - pass advanced options to gpg (download key)" - echo - echo "If no specific keyring file is given the command applies to all keyring files." 
-} - -while [ -n "$1" ]; do - case "$1" in - --keyring) - shift - TRUSTEDFILE="$1" - FORCED_KEYRING="$1" - if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then - GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" - else - echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" - exit 1 - fi - shift - ;; - --fakeroot) - requires_root() { true; } - shift - ;; - --*) - echo >&2 "Unknown option: $1" - usage - exit 1;; - *) - break;; - esac -done - -if [ -z "$TRUSTEDFILE" ]; then - TRUSTEDFILE="/etc/apt/trusted.gpg" - eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) - eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) - if [ -r "$TRUSTEDFILE" ]; then - GPG="$GPG --keyring $TRUSTEDFILE" - fi - GPG="$GPG --primary-keyring $TRUSTEDFILE" - TRUSTEDPARTS="/etc/apt/trusted.gpg.d" - eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) - if [ -d "$TRUSTEDPARTS" ]; then - # strip / suffix as gpg will double-slash in that case (#665411) - STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" - if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then - TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" - fi - for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do - GPG="$GPG --keyring $trusted" - done - fi -fi - -command="$1" -if [ -z "$command" ]; then - usage - exit 1 -fi -shift - -if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then - echo >&2 "Warning: gnupg does not seem to be installed." - echo >&2 "Warning: apt-key requires gnupg for most operations." 
- echo >&2 -fi - -case "$command" in - add) - requires_root - init_keyring "$TRUSTEDFILE" - $GPG --quiet --batch --import "$1" - echo "OK" - ;; - del|rm|remove) - init_keyring "$TRUSTEDFILE" - remove_key "$1" - ;; - update) - init_keyring "$TRUSTEDFILE" - update - ;; - net-update) - init_keyring "$TRUSTEDFILE" - net_update - ;; - list) - init_keyring "$TRUSTEDFILE" - $GPG --batch --list-keys - ;; - finger*) - init_keyring "$TRUSTEDFILE" - $GPG --batch --fingerprint - ;; - export) - init_keyring "$TRUSTEDFILE" - $GPG --armor --export "$1" - ;; - exportall) - init_keyring "$TRUSTEDFILE" - $GPG --armor --export - ;; - adv*) - init_keyring "$TRUSTEDFILE" - echo "Executing: $GPG $*" - $GPG $* - ;; - help) - usage - ;; - *) - usage - exit 1 - ;; -esac diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in new file mode 100644 index 000000000..779872b4c --- /dev/null +++ b/cmdline/apt-key.in 
@@ -0,0 +1,354 @@ +#!/bin/sh + +set -e +unset GREP_OPTIONS + +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" + +# gpg needs a trustdb to function, but it can't be invalid (not even empty) +# so we create a temporary directory to store our fresh readable trustdb in +TRUSTDBDIR="$(mktemp -d)" +CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" +trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM +chmod 700 "$TRUSTDBDIR" +# We also don't use a secret keyring, of course, but gpg panics and +# implodes if there isn't one available - and writeable for imports +SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" +touch $SECRETKEYRING +GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" +GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" + +# now create the trustdb with an (empty) dummy keyring +$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING +# and make sure that gpg isn't trying to update the file +GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" + +GPG="$GPG_CMD" + +MASTER_KEYRING='&keyring-master-filename;' +eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) +ARCHIVE_KEYRING='&keyring-filename;' +eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) +REMOVED_KEYS='&keyring-removed-filename;' +eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) +ARCHIVE_KEYRING_URI='&keyring-uri;' +eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) +TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg + +requires_root() { + if [ "$(id -u)" -ne 0 ]; then + echo >&1 "ERROR: This command can only be used by root." + exit 1 + fi +} + +# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. +init_keyring() { + for path; do + if ! [ -e "$path" ]; then + touch -- "$path" + chmod 0644 -- "$path" + fi + done +} + +add_keys_with_verify_against_master_keyring() { + ADD_KEYRING=$1 + MASTER=$2 + + if [ ! 
-f "$ADD_KEYRING" ]; then + echo "ERROR: '$ADD_KEYRING' not found" + return + fi + if [ ! -f "$MASTER" ]; then + echo "ERROR: '$MASTER' not found" + return + fi + + # when adding new keys, make sure that the archive-master-keyring + # is honored. so: + # all keys that are exported must have a valid signature + # from a key in the $distro-master-keyring + add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` + master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + + # ensure there are no colisions LP: #857472 + for all_add_key in $all_add_keys; do + for master_key in $master_keys; do + if [ "$all_add_key" = "$master_key" ]; then + echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" + return 1 + fi + done + done + + for add_key in $add_keys; do + # export the add keyring one-by-one + rm -f $TMP_KEYRING + $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key + # check if signed with the master key and only add in this case + ADDED=0 + for master_key in $master_keys; do + if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then + $GPG --import $TMP_KEYRING + ADDED=1 + fi + done + if [ $ADDED = 0 ]; then + echo >&2 "Key '$add_key' not added. 
It is not signed with a master key" + fi + done + rm -f $TMP_KEYRING +} + +# update the current archive signing keyring from a network URI +# the archive-keyring keys needs to be signed with the master key +# (otherwise it does not make sense from a security POV) +net_update() { + # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) + exit 1 + + if [ -z "$ARCHIVE_KEYRING_URI" ]; then + echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" + exit 1 + fi + requires_root + # in theory we would need to depend on wget for this, but this feature + # isn't useable in debian anyway as we have no keyring uri nor a master key + if ! which wget >/dev/null 2>&1; then + echo >&2 "ERROR: an installed wget is required for a network-based update" + exit 1 + fi + if [ ! -d /var/lib/apt/keyrings ]; then + mkdir -p /var/lib/apt/keyrings + fi + keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) + old_mtime=0 + if [ -e $keyring ]; then + old_mtime=$(stat -c %Y $keyring) + fi + (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) + if [ ! -e $keyring ]; then + return + fi + new_mtime=$(stat -c %Y $keyring) + if [ $new_mtime -ne $old_mtime ]; then + echo "Checking for new archive signing keys now" + add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING + fi +} + +update() { + if [ ! -f $ARCHIVE_KEYRING ]; then + echo >&2 "ERROR: Can't find the archive-keyring" + echo >&2 "Is the &keyring-package; package installed?" + exit 1 + fi + requires_root + + # add new keys from the package; + + # we do not use add_keys_with_verify_against_master_keyring here, + # because "update" is run on regular package updates. A + # attacker might as well replace the master-archive-keyring file + # in the package and add his own keys. so this check wouldn't + # add any security. 
we *need* this check on net-update though + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import + + if [ -r "$REMOVED_KEYS" ]; then + # remove no-longer supported/used keys + keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` + for key in $keys; do + if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then + $GPG --quiet --batch --delete-key --yes ${key} + fi + done + else + echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2 + fi +} + +remove_key_from_keyring() { + local GPG="$GPG_CMD --keyring $1" + # check if the key is in this keyring: the key id is in the 5 column at the end + if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then + return + fi + if [ ! -w "$1" ]; then + echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only." + return + fi + # check if it is the only key in the keyring and if so remove the keyring alltogether + if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then + mv -f "$1" "${1}~" # behave like gpg + return + fi + # we can't just modify pointed to files as these might be in /usr or something + local REALTARGET + if [ -L "$1" ]; then + REALTARGET="$(readlink -f "$1")" + mv -f "$1" "${1}.dpkg-tmp" + cp -a "$REALTARGET" "$1" + ls "$(dirname $1)" + fi + # delete the key from the keyring + $GPG --batch --delete-key --yes "$2" + if [ -n "$REALTARGET" ]; then + # the real backup is the old link, not the copy we made + mv -f "${1}.dpkg-tmp" "${1}~" + fi +} + +remove_key() { + requires_root + + # if a --keyring was given, just remove from there + if [ -n "$FORCED_KEYRING" ]; then + remove_key_from_keyring "$FORCED_KEYRING" "$1" + else + # otherwise all known keyrings are up for inspection + local TRUSTEDFILE="/etc/apt/trusted.gpg" + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config 
shell TRUSTEDFILE Dir::Etc::Trusted/f) + remove_key_from_keyring "$TRUSTEDFILE" "$1" + TRUSTEDPARTS="/etc/apt/trusted.gpg.d" + eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) + if [ -d "$TRUSTEDPARTS" ]; then + for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do + remove_key_from_keyring "$trusted" "$1" + done + fi + fi + echo "OK" +} + + +usage() { + echo "Usage: apt-key [--keyring file] [command] [arguments]" + echo + echo "Manage apt's list of trusted keys" + echo + echo " apt-key add - add the key contained in ('-' for stdin)" + echo " apt-key del - remove the key " + echo " apt-key export - output the key " + echo " apt-key exportall - output all trusted keys" + echo " apt-key update - update keys using the keyring package" + echo " apt-key net-update - update keys using the network" + echo " apt-key list - list keys" + echo " apt-key finger - list fingerprints" + echo " apt-key adv - pass advanced options to gpg (download key)" + echo + echo "If no specific keyring file is given the command applies to all keyring files." 
+} + +while [ -n "$1" ]; do + case "$1" in + --keyring) + shift + TRUSTEDFILE="$1" + FORCED_KEYRING="$1" + if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then + GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" + else + echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" + exit 1 + fi + shift + ;; + --fakeroot) + requires_root() { true; } + shift + ;; + --*) + echo >&2 "Unknown option: $1" + usage + exit 1;; + *) + break;; + esac +done + +if [ -z "$TRUSTEDFILE" ]; then + TRUSTEDFILE="/etc/apt/trusted.gpg" + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) + if [ -r "$TRUSTEDFILE" ]; then + GPG="$GPG --keyring $TRUSTEDFILE" + fi + GPG="$GPG --primary-keyring $TRUSTEDFILE" + TRUSTEDPARTS="/etc/apt/trusted.gpg.d" + eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) + if [ -d "$TRUSTEDPARTS" ]; then + # strip / suffix as gpg will double-slash in that case (#665411) + STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" + if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then + TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" + fi + for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do + GPG="$GPG --keyring $trusted" + done + fi +fi + +command="$1" +if [ -z "$command" ]; then + usage + exit 1 +fi +shift + +if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then + echo >&2 "Warning: gnupg does not seem to be installed." + echo >&2 "Warning: apt-key requires gnupg for most operations." 
+ echo >&2 +fi + +case "$command" in + add) + requires_root + init_keyring "$TRUSTEDFILE" + $GPG --quiet --batch --import "$1" + echo "OK" + ;; + del|rm|remove) + init_keyring "$TRUSTEDFILE" + remove_key "$1" + ;; + update) + init_keyring "$TRUSTEDFILE" + update + ;; + net-update) + init_keyring "$TRUSTEDFILE" + net_update + ;; + list) + init_keyring "$TRUSTEDFILE" + $GPG --batch --list-keys + ;; + finger*) + init_keyring "$TRUSTEDFILE" + $GPG --batch --fingerprint + ;; + export) + init_keyring "$TRUSTEDFILE" + $GPG --armor --export "$1" + ;; + exportall) + init_keyring "$TRUSTEDFILE" + $GPG --armor --export + ;; + adv*) + init_keyring "$TRUSTEDFILE" + echo "Executing: $GPG $*" + $GPG $* + ;; + help) + usage + ;; + *) + usage + exit 1 + ;; +esac diff --git a/cmdline/makefile b/cmdline/makefile index e77ad5669..06f170b6a 100644 --- a/cmdline/makefile +++ b/cmdline/makefile @@ -41,6 +41,14 @@ SOURCE = apt-cdrom.cc include $(PROGRAM_H) # The apt-key program +apt-key: apt-key.in + sed -e "s#&keyring-filename;#$(shell ../vendor/getinfo keyring-filename)#" \ + -e "s#&keyring-removed-filename;#$(shell ../vendor/getinfo keyring-removed-filename)#" \ + -e "s#&keyring-master-filename;#$(shell ../vendor/getinfo keyring-master-filename)#" \ + -e "s#&keyring-uri;#$(shell ../vendor/getinfo keyring-uri)#" \ + -e "s#&keyring-package;#$(shell ../vendor/getinfo keyring-package)#" $< > $@ + chmod 755 $@ + SOURCE=apt-key TO=$(BIN) TARGET=program diff --git a/vendor/debian/apt-vendor.ent b/vendor/debian/apt-vendor.ent index 56775bbaa..6cda5995c 100644 --- a/vendor/debian/apt-vendor.ent +++ b/vendor/debian/apt-vendor.ent @@ -3,3 +3,5 @@ debian-archive-keyring"> /usr/share/keyrings/debian-archive-keyring.gpg"> /usr/share/keyrings/debian-archive-removed-keys.gpg"> + + diff --git a/vendor/getinfo b/vendor/getinfo index df5a44e5c..ac816e10e 100755 --- a/vendor/getinfo +++ b/vendor/getinfo 
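Review bot: `remove_key` prints `OK` and exits 0 even when nothing was removed, because `remove_key_from_keyring` returns success both when the key id matches no `pub` line and when the keyring is read-only. A caller that uses `apt-key del` to stop trusting a key therefore cannot tell that the key is still in a keyring. The pattern `[0-9A-F]\+$2:` also demands at least one hex digit before `$2`, so a full-length key id as it appears in column 5 would presumably never match; `[0-9A-F]*$2:` would accept both forms. I would track whether any keyring was modified and finish with a message on stderr and a non-zero status when none was. The `ls "$(dirname $1)"` in the symlink branch looks like leftover debug output and could be dropped.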
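Review bot: The `sed` replacements in the new `apt-key` rule insert the output of `../vendor/getinfo` unescaped, so a value containing `#` ends the expression early and a `&` (plausible in a `keyring-uri` query string) is expanded to the matched placeholder. The values land inside single-quoted shell assignments in a script whose commands call `requires_root`, and an empty result from `getinfo` silently produces empty keyring paths. Consider failing the rule when a field comes back empty and escaping `&`, `#` and `\` before substitution. The rule also lists only `apt-key.in` as a prerequisite, so a changed vendor value does not rebuild `apt-key`.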
@@ -26,7 +26,7 @@ debian-stable-codename) ubuntu-codename) getrawfield 'stable-codename' "${BASEDIR}/../doc/apt-verbatim.ent" ;; -keyring-package) +keyring-package|keyring-filename|keyring-master-filename|keyring-removed-filename|keyring-uri) getfield "$1" ;; *) diff --git a/vendor/ubuntu/apt-vendor.ent b/vendor/ubuntu/apt-vendor.ent index fd5e5a7cf..caa532699 100644 --- a/vendor/ubuntu/apt-vendor.ent +++ b/vendor/ubuntu/apt-vendor.ent @@ -3,3 +3,5 @@ ubuntu-keyring"> /usr/share/keyrings/ubuntu-archive-keyring.gpg"> /usr/share/keyrings/ubuntu-archive-removed-keys.gpg"> + + -- cgit v1.2.3 From 5555ef9850b7e66aa02d39bb7d624fdf3e43edb2 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sun, 1 Dec 2013 00:05:34 +0100 Subject: drop old /var/state to /var/lib transition artefacts Regardless of when this transition was, it is so long ago that everyone who would still need this has a million other problems to deal with now so lets just drop this code. --- apt-pkg/init.cc | 10 +--------- debian/preinst | 32 -------------------------------- 2 files changed, 1 insertion(+), 41 deletions(-) delete mode 100755 debian/preinst diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc index 76278921f..81b601a7f 100644 --- a/apt-pkg/init.cc +++ b/apt-pkg/init.cc @@ -44,16 +44,8 @@ bool pkgInitConfig(Configuration &Cnf) Cnf.CndSet("APT::Install-Suggests", false); Cnf.CndSet("Dir","/"); - // State + // State Cnf.CndSet("Dir::State","var/lib/apt/"); - - /* Just in case something goes horribly wrong, we can fall back to the - old /var/state paths.. */ - struct stat St; - if (stat("/var/lib/apt/.",&St) != 0 && - stat("/var/state/apt/.",&St) == 0) - Cnf.CndSet("Dir::State","var/state/apt/"); - Cnf.CndSet("Dir::State::lists","lists/"); Cnf.CndSet("Dir::State::cdroms","cdroms.list"); Cnf.CndSet("Dir::State::mirrors","mirrors/"); diff --git a/debian/preinst b/debian/preinst deleted file mode 100755 index 985ad9b84..000000000 --- a/debian/preinst +++ /dev/null 
@@ -1,32 +0,0 @@ -#! /bin/sh - -set -e - -# dpkg does this for us while we are upgrading.. -#if [ "$1" = "upgrade" -a -L /var/state/apt -a -e /var/lib/apt -a ! -L /var/state/apt ] && dpkg --compare-versions "$2" ">=" "0.4.10"; then -# rm /var/state/apt -#fi - -if [ "$1" = "upgrade" -o "$1" = "install" -a "$2" != "" ]; then - if [ ! -e /var/lib/apt -a -e /var/state/apt ]; then - # upgrading from /var/state/apt using apt. - # it's probably running now so we want to ensure /var/state/apt - # is still valid afterwards. and since we're upgrading - - if [ -x /usr/bin/perl -a -d /var/state/apt -a ! -L /var/state/apt ] && - perl -e 'exit 1 if ((stat("/var/lib"))[0] != (stat("/var/state/apt"))[0])' - then - # same fs, we can mv it - mv /var/state/apt /var/lib/apt - ln -s ../lib/apt /var/state/apt - # note that this symlink (/var/state/apt) will be removed when - # dpkg finishes unpacking the apt we're about to install; this is okay - else - # scary, let's just symlink it and hope - ln -s /var/state/apt /var/lib/apt - fi - fi - touch /var/lib/apt/lists/partial/.delete-me-later || true -fi - -#DEBHELPER# -- cgit v1.2.3 From fb83d0ccdda584a5aa9a93d87c6c71a03bc24ed4 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Mon, 11 Jun 2012 22:36:02 +0000 Subject: prepare-release: declare the packages needed as source build deps. --- prepare-release | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/prepare-release b/prepare-release index 2d8502d7f..a9cc49cfd 100755 --- a/prepare-release +++ b/prepare-release 
@@ -1,11 +1,15 @@ #!/bin/sh +set -e + VERSION=$(dpkg-parsechangelog | sed -n -e '/^Version:/s/^Version: //p') DISTRIBUTION=$(dpkg-parsechangelog | sed -n -e '/^Distribution:/s/^Distribution: //p') LIBAPTPKGVERSION="$(awk -v ORS='.' '/^\#define APT_PKG_M/ {print $3}' apt-pkg/init.h | sed 's/\.$//')" LIBAPTINSTVERSION="$(egrep '^MAJOR=' apt-inst/makefile |cut -d '=' -f 2)" +dpkg-checkbuilddeps -d 'libxml2-utils' + if [ "$1" = 'pre-export' ]; then libraryversioncheck() { local LIBRARY="$1" -- cgit v1.2.3 From 7014e1482942d00b66eb30061b0cf5d2a7b3ebf3 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 5 Dec 2013 08:11:11 +0100 Subject: * enable release based selection for deb-src (closes: 731102) --- apt-pkg/deb/debmetaindex.cc | 17 +++++- apt-pkg/deb/debmetaindex.h | 7 +++ apt-pkg/indexfile.h | 4 +- apt-pkg/indexrecords.cc | 5 ++ apt-pkg/indexrecords.h | 1 + apt-pkg/metaindex.h | 24 ++++++--- cmdline/apt-get.cc | 122 +++++++++++++++++++++++++++++++++++--------- 7 files changed, 145 insertions(+), 35 deletions(-) diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc index b597b6f3c..504877558 100644 --- a/apt-pkg/deb/debmetaindex.cc +++ b/apt-pkg/deb/debmetaindex.cc @@ -1,4 +1,3 @@ -// ijones, walters #include #include @@ -72,6 +71,22 @@ string debReleaseIndex::MetaIndexURI(const char *Type) const return Res; } +#if (APT_PKG_MAJOR >= 4 && APT_PKG_MINOR >= 13) +std::string debReleaseIndex::LocalFileName() const +{ + // see if we have a InRelease file + std::string PathInRelease = MetaIndexFile("InRelease"); + if (FileExists(PathInRelease)) + return PathInRelease; + + // and if not return the normal one + if (FileExists(PathInRelease)) + return MetaIndexFile("Release"); + + return ""; +} +#endif + string debReleaseIndex::IndexURISuffix(const char *Type, string const &Section, string const &Arch) const { string Res =""; diff --git a/apt-pkg/deb/debmetaindex.h b/apt-pkg/deb/debmetaindex.h index b9ecab97c..cef8d68f7 100644 
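Review bot: The added `set -e` does not cover the `VERSION` and `DISTRIBUTION` assignments just below it, because each is a pipeline whose status is that of `sed`; a failing `dpkg-parsechangelog` still leaves the variable empty and the script continues. An explicit check after the assignments, such as `[ -n "$VERSION" ] || { echo >&2 'cannot read version from changelog'; exit 1; }`, would make the intent of the hunk hold. `dpkg-checkbuilddeps -d 'libxml2-utils'` also runs before the `$1` dispatch, so every sub-command now needs that package; a one-line comment naming the step that uses it would help. The `pre-export` block continues outside the hunk.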
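Review bot: The `Release` fallback in `debReleaseIndex::LocalFileName()` can never be taken: the second `if` tests `FileExists(PathInRelease)` again, which is already known to be false at that point, so a source that only has a `Release` file gets `""`. It should test the path it returns, e.g. `std::string const PathRelease = MetaIndexFile("Release");` followed by `if (FileExists(PathRelease)) return PathRelease;`. The same copy of the check is in `MetaIndexFileNameOnDisk` in the cmdline/apt-get.cc hunk. With either version, `GetReleaseForSourceRecord` returns an empty suite for such sources and the requested release tag never matches.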
--- a/apt-pkg/deb/debmetaindex.h +++ b/apt-pkg/deb/debmetaindex.h @@ -3,6 +3,7 @@ #define PKGLIB_DEBMETAINDEX_H #include +#include #include #include @@ -39,9 +40,15 @@ class debReleaseIndex : public metaIndex { virtual bool GetIndexes(pkgAcquire *Owner, bool const &GetAll=false) const; std::vector * ComputeIndexTargets() const; std::string Info(const char *Type, std::string const &Section, std::string const &Arch="") const; + std::string MetaIndexInfo(const char *Type) const; std::string MetaIndexFile(const char *Types) const; std::string MetaIndexURI(const char *Type) const; + +#if (APT_PKG_MAJOR >= 4 && APT_PKG_MINOR >= 13) + virtual std::string LocalFileName() const; +#endif + std::string IndexURI(const char *Type, std::string const &Section, std::string const &Arch="native") const; std::string IndexURISuffix(const char *Type, std::string const &Section, std::string const &Arch="native") const; std::string SourceIndexURI(const char *Type, const std::string &Section) const; diff --git a/apt-pkg/indexfile.h b/apt-pkg/indexfile.h index 1d34dc773..2d433b60a 100644 --- a/apt-pkg/indexfile.h +++ b/apt-pkg/indexfile.h @@ -78,10 +78,10 @@ class pkgIndexFile virtual bool Exists() const = 0; virtual bool HasPackages() const = 0; virtual unsigned long Size() const = 0; - virtual bool Merge(pkgCacheGenerator &/*Gen*/,OpProgress* /*Prog*/) const { return false; }; + virtual bool Merge(pkgCacheGenerator &Gen, OpProgress* Prog) const { return false; }; __deprecated virtual bool Merge(pkgCacheGenerator &Gen, OpProgress &Prog) const { return Merge(Gen, &Prog); }; - virtual bool MergeFileProvides(pkgCacheGenerator &/*Gen*/,OpProgress* /*Prog*/) const {return true;}; + virtual bool MergeFileProvides(pkgCacheGenerator &Gen,OpProgress* Prog) const {return true;}; __deprecated virtual bool MergeFileProvides(pkgCacheGenerator &Gen, OpProgress &Prog) const {return MergeFileProvides(Gen, &Prog);}; virtual pkgCache::PkgFileIterator FindInCache(pkgCache &Cache) const; 
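Review bot: The guard `#if (APT_PKG_MAJOR >= 4 && APT_PKG_MINOR >= 13)` around `LocalFileName()` becomes false again for a later major with a low minor (5.0, for example), which is presumably not intended for a method meant to arrive with the ABI break. `#if (APT_PKG_MAJOR > 4 || (APT_PKG_MAJOR == 4 && APT_PKG_MINOR >= 13))` states the version test as intended. The same guard is used in debmetaindex.cc and metaindex.h, and its counterpart with `APT_PKG_MINOR < 13` in cmdline/apt-get.cc needs the matching negation so that exactly one of the two code paths is compiled.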
diff --git a/apt-pkg/indexrecords.cc b/apt-pkg/indexrecords.cc index 8a72ca151..f8097c3c6 100644 --- a/apt-pkg/indexrecords.cc +++ b/apt-pkg/indexrecords.cc @@ -27,6 +27,11 @@ string indexRecords::GetDist() const return this->Dist; } +string indexRecords::GetSuite() const +{ + return this->Suite; +} + bool indexRecords::CheckDist(const string MaybeDist) const { return (this->Dist == MaybeDist diff --git a/apt-pkg/indexrecords.h b/apt-pkg/indexrecords.h index a98b939bc..d003ec0fa 100644 --- a/apt-pkg/indexrecords.h +++ b/apt-pkg/indexrecords.h @@ -46,6 +46,7 @@ class indexRecords virtual bool Load(std::string Filename); std::string GetDist() const; + std::string GetSuite() const; time_t GetValidUntil() const; virtual bool CheckDist(const std::string MaybeDist) const; std::string GetExpectedDist() const; diff --git a/apt-pkg/metaindex.h b/apt-pkg/metaindex.h index 5783735ff..18a90a29d 100644 --- a/apt-pkg/metaindex.h +++ b/apt-pkg/metaindex.h @@ -5,6 +5,7 @@ #include #include #include +#include #ifndef APT_8_CLEANER_HEADERS #include 
@@ -28,27 +29,36 @@ class metaIndex public: - // Various accessors virtual std::string GetURI() const {return URI;} virtual std::string GetDist() const {return Dist;} virtual const char* GetType() const {return Type;} + // interface to to query it +#if (APT_PKG_MAJOR >= 4 && APT_PKG_MINOR >= 13) + // returns the path of the local file (or "" if its not available) + virtual std::string LocalFileName() const {return "";}; +#endif + // Interface for acquire - virtual std::string ArchiveURI(std::string const& /*File*/) const = 0; + virtual std::string ArchiveURI(std::string const& File) const = 0; virtual bool GetIndexes(pkgAcquire *Owner, bool const &GetAll=false) const = 0; - virtual std::vector *GetIndexFiles() = 0; virtual bool IsTrusted() const = 0; - metaIndex(std::string const &URI, std::string const &Dist, char const * const Type) : - Indexes(NULL), Type(Type), URI(URI), Dist(Dist) { + metaIndex(std::string const &URI, std::string const &Dist, + char const * const Type) + : Indexes(NULL), Type(Type), URI(URI), Dist(Dist) + { + /* nothing */ } - virtual ~metaIndex() { + virtual ~metaIndex() + { if (Indexes == 0) return; - for (std::vector::iterator I = (*Indexes).begin(); I != (*Indexes).end(); ++I) + for (std::vector::iterator I = (*Indexes).begin(); + I != (*Indexes).end(); ++I) delete *I; delete Indexes; } diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 912b2d609..7e59f3d67 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -50,6 +50,8 @@ #include #include #include +#include +#include #include #include @@ -61,6 +63,8 @@ #include #include +#include + #include #include 
@@ -130,22 +134,80 @@ bool TryToInstallBuildDep(pkgCache::PkgIterator Pkg,pkgCacheFile &Cache, return true; } /*}}}*/ + + +// helper that can go wit hthe next ABI break +#if (APT_PKG_MAJOR >= 4 && APT_PKG_MINOR < 13) +std::string MetaIndexFileNameOnDisk(metaIndex *metaindex) +{ + // FIXME: this cast is the horror, the horror + debReleaseIndex *r = (debReleaseIndex*)metaindex; + + // see if we have a InRelease file + std::string PathInRelease = r->MetaIndexFile("InRelease"); + if (FileExists(PathInRelease)) + return PathInRelease; + + // and if not return the normal one + if (FileExists(PathInRelease)) + return r->MetaIndexFile("Release"); + + return ""; +} +#endif + +// GetReleaseForSourceRecord - Return Suite for the given srcrecord /*{{{*/ +// --------------------------------------------------------------------- +/* */ +std::string GetReleaseForSourceRecord(pkgSourceList *SrcList, + pkgSrcRecords::Parser *Parse) +{ + // try to find release + const pkgIndexFile& CurrentIndexFile = Parse->Index(); + + for (pkgSourceList::const_iterator S = SrcList->begin(); + S != SrcList->end(); ++S) + { + vector *Indexes = (*S)->GetIndexFiles(); + for (vector::const_iterator IF = Indexes->begin(); + IF != Indexes->end(); ++IF) + { + if (&CurrentIndexFile == (*IF)) + { +#if (APT_PKG_MAJOR >= 4 && APT_PKG_MINOR < 13) + std::string path = MetaIndexFileNameOnDisk(*S); +#else + std::string path = (*S)->LocalFileName(); +#endif + if (path != "") + { + indexRecords records; + records.Load(path); + return records.GetSuite(); + } + } + } + } + return ""; +} + /*}}}*/ // FindSrc - Find a source record /*{{{*/ // --------------------------------------------------------------------- /* */ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, pkgSrcRecords &SrcRecs,string &Src, - pkgDepCache &Cache) + CacheFile &CacheFile) { string VerTag; - string DefRel = _config->Find("APT::Default-Release"); + string RelTag = _config->Find("APT::Default-Release"); string TmpSrc = Name; + 
pkgDepCache *Cache = CacheFile.GetDepCache(); // extract the version/release from the pkgname const size_t found = TmpSrc.find_last_of("/="); if (found != string::npos) { if (TmpSrc[found] == '/') - DefRel = TmpSrc.substr(found+1); + RelTag = TmpSrc.substr(found+1); else VerTag = TmpSrc.substr(found+1); TmpSrc = TmpSrc.substr(0,found); @@ -155,10 +217,10 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, install a version and determine the source package name, then look in the archive for a source package of the same name. */ bool MatchSrcOnly = _config->FindB("APT::Get::Only-Source"); - const pkgCache::PkgIterator Pkg = Cache.FindPkg(TmpSrc); + const pkgCache::PkgIterator Pkg = Cache->FindPkg(TmpSrc); if (MatchSrcOnly == false && Pkg.end() == false) { - if(VerTag.empty() == false || DefRel.empty() == false) + if(VerTag.empty() == false || RelTag.empty() == false) { bool fuzzy = false; // we have a default release, try to locate the pkg. we do it like @@ -180,7 +242,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, } // We match against a concrete version (or a part of this version) if (VerTag.empty() == false && - (fuzzy == true || Cache.VS().CmpVersion(VerTag, Ver.VerStr()) != 0) && // exact match + (fuzzy == true || Cache->VS().CmpVersion(VerTag, Ver.VerStr()) != 0) && // exact match (fuzzy == false || strncmp(VerTag.c_str(), Ver.VerStr(), VerTag.size()) != 0)) // fuzzy match continue; @@ -198,8 +260,8 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, // or we match against a release if(VerTag.empty() == false || - (VF.File().Archive() != 0 && VF.File().Archive() == DefRel) || - (VF.File().Codename() != 0 && VF.File().Codename() == DefRel)) + (VF.File().Archive() != 0 && VF.File().Archive() == RelTag) || + (VF.File().Codename() != 0 && VF.File().Codename() == RelTag)) { pkgRecords::Parser &Parse = Recs.Lookup(VF); Src = Parse.SourcePkg(); 
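Review bot: The C-style cast `(debReleaseIndex*)metaindex` in `MetaIndexFileNameOnDisk` is unchecked, so any `metaIndex` in the source list that is not a `debReleaseIndex` would be used through the wrong type when `MetaIndexFile` is called on it. Since `metaIndex` has virtual members, `debReleaseIndex *r = dynamic_cast<debReleaseIndex*>(metaindex);` followed by `if (r == NULL) return "";` keeps the helper safe until the ABI break removes it, assuming the build has RTTI enabled. `GetReleaseForSourceRecord` also ignores the result of `records.Load(path)`; returning `""` when it fails would avoid reporting a suite from a file that did not parse. `FindSrc` continues outside this hunk.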
@@ -217,22 +279,14 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (Src.empty() == false) break; } - if (Src.empty() == true) - { - // Sources files have no codename information - if (VerTag.empty() == true && DefRel.empty() == false) - { - _error->Error(_("Ignore unavailable target release '%s' of package '%s'"), DefRel.c_str(), TmpSrc.c_str()); - return 0; - } - } } if (Src.empty() == true) { // if we don't have found a fitting package yet so we will // choose a good candidate and proceed with that. // Maybe we will find a source later on with the right VerTag - pkgCache::VerIterator Ver = Cache.GetCandidateVer(Pkg); + // or RelTag + pkgCache::VerIterator Ver = Cache->GetCandidateVer(Pkg); if (Ver.end() == false) { pkgRecords::Parser &Parse = Recs.Lookup(Ver.FileList()); @@ -244,7 +298,9 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, } if (Src.empty() == true) + { Src = TmpSrc; + } else { /* if we have a source pkg name, make sure to only search @@ -262,6 +318,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, pkgSrcRecords::Parser *Last = 0; unsigned long Offset = 0; string Version; + pkgSourceList *SrcList = CacheFile.GetSourceList(); /* Iterate over all of the hits, which includes the resulting binary packages in the search */ 
@@ -273,25 +330,40 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, { const string Ver = Parse->Version(); + // See if we need to look for a specific release tag + if (RelTag != "") + { + const string Rel = GetReleaseForSourceRecord(SrcList, Parse); + + if (Rel == RelTag) + { + ioprintf(c1out, "Selectied version '%s' (%s) for %s\n", + Ver.c_str(), RelTag.c_str(), Src.c_str()); + Last = Parse; + Offset = Parse->Offset(); + break; + } + } + // Ignore all versions which doesn't fit if (VerTag.empty() == false && - Cache.VS().CmpVersion(VerTag, Ver) != 0) // exact match + Cache->VS().CmpVersion(VerTag, Ver) != 0) // exact match continue; // Newer version or an exact match? Save the hit - if (Last == 0 || Cache.VS().CmpVersion(Version,Ver) < 0) { + if (Last == 0 || Cache->VS().CmpVersion(Version,Ver) < 0) { Last = Parse; Offset = Parse->Offset(); Version = Ver; } - // was the version check above an exact match? If so, we don't need to look further - if (VerTag.empty() == false && VerTag.size() == Ver.size()) + // was the version check above an exact match? + // If so, we don't need to look further + if (VerTag.empty() == false && (VerTag == Ver)) break; } if (Last != 0 || VerTag.empty() == true) break; - //if (VerTag.empty() == false && Last == 0) _error->Error(_("Ignore unavailable version '%s' of package '%s'"), VerTag.c_str(), TmpSrc.c_str()); return 0; } @@ -628,7 +700,7 @@ bool DoSource(CommandLine &CmdL) for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++) { string Src; - pkgSrcRecords::Parser *Last = FindSrc(*I,Recs,SrcRecs,Src,*Cache); + pkgSrcRecords::Parser *Last = FindSrc(*I,Recs,SrcRecs,Src,Cache); if (Last == 0) { delete[] Dsc; 
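Review bot: The new release-tag branch in the `FindSrc` record loop runs before the `VerTag` check and ends with `break`, so with `APT::Default-Release` set a request of the form `pkg=version` appears to select the first record from the default release instead of the requested version. Guarding it with `if (RelTag.empty() == false && VerTag.empty() == true)` keeps an explicit version authoritative. The branch also takes the first matching record rather than the newest one in that release, and the message has a typo (`Selectied`). The loop starts and ends outside this hunk, so the interaction with the earlier `Src` lookup should be confirmed.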
@@ -925,7 +997,7 @@ bool DoBuildDep(CommandLine &CmdL) for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++) { string Src; - pkgSrcRecords::Parser *Last = FindSrc(*I,Recs,SrcRecs,Src,*Cache); + pkgSrcRecords::Parser *Last = FindSrc(*I,Recs,SrcRecs,Src,Cache); if (Last == 0) return _error->Error(_("Unable to find a source package for %s"),Src.c_str()); -- cgit v1.2.3