From 995a4bf6d770a5cc824c38388909f23fcca558c3 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Tue, 20 Oct 2015 18:31:10 +0200 Subject: disable updating insecure repositories in apt by default apt is an interactive command and the reasons we haven't this option set for everything is mostly in keeping compatibility for a little while longer to allow scripts to be changed if need be. --- apt-private/private-cmndline.cc | 1 + test/integration/framework | 12 +----------- test/integration/test-apt-update-failure-propagation | 4 ++-- test/integration/test-apt-update-ims | 13 +++++++------ test/integration/test-bug-624218-Translation-file-handling | 2 +- 5 files changed, 12 insertions(+), 20 deletions(-) diff --git a/apt-private/private-cmndline.cc b/apt-private/private-cmndline.cc index 463c087cc..9f019121c 100644 --- a/apt-private/private-cmndline.cc +++ b/apt-private/private-cmndline.cc @@ -332,6 +332,7 @@ static void BinarySpecificConfiguration(char const * const Binary) /*{{{*/ _config->CndSet("Binary::apt::APT::Get::Upgrade-Allow-New", true); _config->CndSet("Binary::apt::APT::Cmd::Show-Update-Stats", true); _config->CndSet("Binary::apt::DPkg::Progress-Fancy", true); + _config->CndSet("Binary::apt::Acquire::AllowInsecureRepositories", false); } _config->Set("Binary", binary); diff --git a/test/integration/framework b/test/integration/framework index 8b85cb71e..f9bb2e824 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -388,12 +388,8 @@ EOF TEST_DEFAULT_GROUP="$USER" fi - # Acquire::AllowInsecureRepositories=false is not yet the default - # but we want it to be the default soon - configallowinsecurerepositories "false"; - # cleanup the environment a bit - # prefer our apt binaries over the system apt binaries + # prefer our apt binaries over the system apt binaries export PATH="${BUILDDIRECTORY}:${PATH}:/usr/local/sbin:/usr/sbin:/sbin" export LC_ALL=C.UTF-8 unset LANGUAGE APT_CONFIG @@ -506,12 +502,6 @@ int execvp(const char *file, char *const argv[]) { EOF testsuccess --nomsg gcc -fPIC -shared -o noopchroot.so noopchroot.c -ldl } - -configallowinsecurerepositories() { - echo "Acquire::AllowInsecureRepositories \"$1\";" > rootdir/etc/apt/apt.conf.d/allow-insecure-repositories.conf - -} - configcompression() { while [ -n "$1" ]; do case "$1" in diff --git a/test/integration/test-apt-update-failure-propagation b/test/integration/test-apt-update-failure-propagation index 713f09db7..e4ce5f968 100755 --- a/test/integration/test-apt-update-failure-propagation +++ b/test/integration/test-apt-update-failure-propagation @@ -43,7 +43,7 @@ testsuccessequal "foo: pretest mv aptarchive/dists/stable aptarchive/dists/stable.good -testfailuremsg "E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file." aptget update +testfailuremsg "E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file." apt update testfailureequal "Hit:1 http://localhost:${APTHTTPPORT} sid InRelease Ign:2 https://localhost:${APTHTTPSPORT} stable InRelease 404 Not Found @@ -52,7 +52,7 @@ Err:3 https://localhost:${APTHTTPSPORT} stable Release Reading package lists... E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file. N: Updating such a repository securily is impossible and therefore disabled by default. -N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update -q=0 +N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update -q=0 --no-allow-insecure-repositories mv aptarchive/dists/stable.good aptarchive/dists/stable posttest() { testsuccessequal "foo: diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims index 4c25186f5..623c3d380 100755 --- a/test/integration/test-apt-update-ims +++ b/test/integration/test-apt-update-ims @@ -13,19 +13,20 @@ setupaptarchive --no-update changetowebserver runtest() { + local APTOPT="" if [ -n "$1" ]; then - configallowinsecurerepositories 'true' + APTOPT='--allow-insecure-repositories' else - configallowinsecurerepositories 'false' + APTOPT='--no-allow-insecure-repositories' fi rm -rf rootdir/var/lib/apt/lists/ local TEST="test${1:-success}" - $TEST aptget update + $TEST aptget update $APTOPT if [ "$1" = 'failure' ]; then # accept the outdated Release file so we can check Hit behaviour - "test${2:-success}" aptget update -o Acquire::Min-ValidTime=9999999 + "test${2:-success}" aptget update -o Acquire::Min-ValidTime=9999999 $APTOPT fi listcurrentlistsdirectory > listsdir.lst testsuccess grep '_Packages\(\.gz\)\?$' listsdir.lst @@ -37,14 +38,14 @@ runtest() { # check that I-M-S header is kept in redirections echo "$EXPECT" | sed -e 's#(invalid since [^)]\+)#(invalid since)#' > expected.output - $TEST aptget update -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 -q=0 + $TEST aptget update -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 -q=0 $APTOPT sed -i -e 's#(invalid since [^)]\+)#(invalid since)#' rootdir/tmp/${TEST}.output testequal "$(cat expected.output)" cat rootdir/tmp/${TEST}.output testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" # ensure that we still do a hash check for other files on ims hit of Release if grep -q '^Hit:[0-9]\+ .* InRelease$' expected.output || ! grep -q '^Ign:[0-9]\+ .* Release\(\.gpg\)\?$' expected.output; then - $TEST aptget update -o Debug::Acquire::gpgv=1 + $TEST aptget update -o Debug::Acquire::gpgv=1 $APTOPT cp rootdir/tmp/${TEST}.output goodsign.output testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" testsuccess grep '^Got GOODSIG, key ID:GOODSIG' goodsign.output diff --git a/test/integration/test-bug-624218-Translation-file-handling b/test/integration/test-bug-624218-Translation-file-handling index af9134da3..9733b7026 100755 --- a/test/integration/test-bug-624218-Translation-file-handling +++ b/test/integration/test-bug-624218-Translation-file-handling @@ -61,7 +61,7 @@ translationslisted 'with full Index' # No Release file at all, so no records about Translation files # (fallback to guessing) find aptarchive \( -name 'Release' -o -name 'InRelease' \) -delete -configallowinsecurerepositories "true"; +echo 'Acquire::AllowInsecureRepositories "true";' > rootdir/etc/apt/apt.conf.d/allow-insecure-repositories.conf msgtest 'Download of en as forced language' 'without Index' testwarning --nomsg aptget update -o Acquire::Languages=en -- cgit v1.2.3