From 4494239cc6d519b0b6219387ecd684b42b5c2d79 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 25 Nov 2009 23:20:12 +0100 Subject: add config setting for User-Agent in http and https to the Acquire group, thanks Timothy J. Miller! (Closes: #355782) --- doc/examples/configure-index | 3 +++ 1 file changed, 3 insertions(+) (limited to 'doc/examples') diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 27118fb7e..16e864d89 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -191,6 +191,7 @@ Acquire Max-Age "86400"; // 1 Day age on index files No-Store "false"; // Prevent the cache from storing archives Dl-Limit "7"; // 7Kb/sec maximum download rate + User-Agent "Debian APT-HTTP/1.3"; }; // HTTPS method configuration: @@ -204,6 +205,8 @@ Acquire CaPath "/etc/ssl/certs"; Verify-Host" "true"; AllowRedirect "true"; + + User-Agent "Debian APT-CURL/1.0"; }; ftp -- cgit v1.2.3 From c0d438474bac961897f9e9472356222f79350c39 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 25 Nov 2009 23:29:57 +0100 Subject: add https options which default to the ones from http for the https method as this is more sane than using only the http options without a possibility to override these for https. --- doc/examples/configure-index | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) (limited to 'doc/examples') diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 16e864d89..7e86b3d4a 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index 
@@ -194,19 +194,34 @@ Acquire User-Agent "Debian APT-HTTP/1.3"; }; - // HTTPS method configuration: - // - uses the http proxy config - // - uses the http cache-control values - // - uses the http Dl-Limit values - https + + + // HTTPS method configuration: uses the http + // - proxy config + // - cache-control values + // - Dl-Limit, Timout, ... values + // if not set explicit for https + // + // see /usr/share/doc/apt/examples/apt-https-method-example.conf.gz + // for more examples + https { Verify-Peer "false"; SslCert "/etc/apt/some.pem"; - CaPath "/etc/ssl/certs"; - Verify-Host" "true"; - AllowRedirect "true"; + CaPath "/etc/ssl/certs"; + Verify-Host" "true"; + AllowRedirect "true"; + + Timeout "120"; + AllowRedirect "true"; + + // Cache Control. Note these do not work with Squid 2.0.2 + No-Cache "false"; + Max-Age "86400"; // 1 Day age on index files + No-Store "false"; // Prevent the cache from storing archives + Dl-Limit "7"; // 7Kb/sec maximum download rate - User-Agent "Debian APT-CURL/1.0"; + User-Agent "Debian APT-CURL/1.0"; }; ftp -- cgit v1.2.3 From 45df0ad2aab7d019cec855ba2cfe7ecdd0f8c7c8 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Thu, 26 Nov 2009 22:23:08 +0100 Subject: [BREAK] add possibility to download and use multiply Translation files, configurable with Acquire::Languages accessable with APT::Configuration::getLanguages() and as always with documentation in apt.conf. The commit also includes a very very simple testapp. --- doc/examples/configure-index | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'doc/examples') diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 7e86b3d4a..05826feaa 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -273,6 +273,15 @@ Acquire Order { "gz"; "lzma"; "bz2"; }; }; + + Languages + { + "environment"; + "de"; + "en"; + "none"; + "fr"; + }; }; // Directory layout -- cgit v1.2.3 
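Review bot: The re-indented line `Verify-Host" "true";` in the https block still has a stray double quote after the option name, so anyone copying the sample does not get a well-formed Verify-Host setting; it should read `Verify-Host "true";`. The same block now lists `AllowRedirect "true";` twice, once re-indented and once added after `Timeout "120";`, and the new header comment spells Timeout as "Timout". Because the unchanged `Verify-Peer "false";` sits at the top of a block people paste from, a trailing comment such as `// sample value; "false" turns off verification of the server certificate` would make the risk visible. The Acquire block around this hunk starts and ends outside it.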
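Review bot: The added `Languages` list mixes the entries `"environment"` and `"none"` with the language codes `"de"`, `"en"` and `"fr"` without any comment, and it places `"fr"` after `"none"`, so the sample does not tell a reader whether order matters or what the two non-code entries do. A short `//` remark on each special entry would fix that, with the wording taken from the apt.conf documentation the commit message refers to. The enclosing Acquire block starts outside the hunk.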
From 02dceb31f77f0812c76334a1758631c7cf9544a3 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 2 Jan 2010 00:22:31 +0100 Subject: add configuration PDiffs::Limit-options (FileLimit and SizeLimit) to not download too many or too big patches (Closes: #554349) --- doc/examples/configure-index | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'doc/examples') diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 0a20e8f2b..be461aaad 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -176,7 +176,10 @@ Acquire Source-Symlinks "true"; PDiffs "true"; // try to get the IndexFile diffs - + PDiffs::FileLimit "4"; // don't use diffs if we would need more than 4 diffs + PDiffs::SizeLimit "50"; // don't use diffs if size of all patches excess + // 50% of the size of the original file + // HTTP method configuration http { -- cgit v1.2.3 From c24f6ce22cd6720004addad2e3382b3caa6b1b7c Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 4 Jan 2010 13:45:14 +0100 Subject: =?UTF-8?q?add=20TrustedParts=20so=20in=20the=20future=20new=20key?= =?UTF-8?q?rings=20can=20just=20be=20dropped=20into=20/etc/apt/trusted.gpg?= =?UTF-8?q?.d/=20which=20eliminates=20the=20need=20to=20have=20gpg=20insta?= =?UTF-8?q?lled=20to=20add=20keys=20to=20APTs=20trusted=20keyring=20(with?= =?UTF-8?q?=20apt-key)=20(Closes=20#304846)=20-=20Thanks=20to=20Timo=20Wei?= =?UTF-8?q?ng=C3=A4rtner=20&=20Peter=20Palfrader=20for=20providing=20diffe?= =?UTF-8?q?rent=20patchs/ideas=20for=20this!?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/examples/configure-index | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'doc/examples') diff --git a/doc/examples/configure-index b/doc/examples/configure-index index be461aaad..87cf97ffe 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index 
@@ -90,11 +90,6 @@ APT TrustCDROM "false"; // consider the CDROM always trusted }; - GPGV - { - TrustedKeyring "/etc/apt/trusted.gpg"; - }; - // Some general options Ignore-Hold "false"; Clean-Installed "true"; @@ -320,6 +315,8 @@ Dir "/" SourceParts "sources.list.d"; VendorList "vendors.list"; VendorParts "vendors.list.d"; + Trusted "trusted.gpg"; + TrustedParts "trusted.gpg.d"; }; // Locations of binaries -- cgit v1.2.3 From 930f51811cd36a695c07f0b8414b118ce28dda04 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 4 Jan 2010 13:54:57 +0100 Subject: finally merge the rest of the patchset from Arnaud Ebalard with the CRL and Issuers options for https, thanks! (Closes: #485963) --- doc/examples/apt-https-method-example.conf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'doc/examples') diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf index 0067171bd..cc7889044 100644 --- a/doc/examples/apt-https-method-example.conf +++ b/doc/examples/apt-https-method-example.conf @@ -36,6 +36,8 @@ to access its content. - The certificate presented by both server have (as expected) a CN that matches their respective DNS names. + - We have CRL available for both dom1.tld and dom2.tld PKI, and intend + to use them. - It somtimes happens that we had other more generic https available repository to our list. We want the checks to be performed against a common list of anchors (like the one provided by ca-certificates 
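Review bot: The added `Trusted "trusted.gpg";` and `TrustedParts "trusted.gpg.d";` entries have no comment, yet per the commit message they name the keyring and the drop-in directory whose contents APT accepts as trusted keys. Since a file placed in that directory becomes a trust anchor without going through apt-key, the sample should say so, for example `TrustedParts "trusted.gpg.d"; // every keyring file here is trusted; keep the directory writable by root only`. The first hunk of this commit only deletes the `GPGV { TrustedKeyring ... }` block, and whether that old option is still honoured is not visible from this diff. The block these two lines belong to starts outside the hunk.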
@@ -56,10 +58,13 @@ Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem"; // Use a specific anchor and associated CRL. Enforce issuer of // server certificate using its cert. Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem"; +Acquire::https::secure.dom1.tld::CrlFile "/etc/apt/certs/ca-dom1-crl.pem"; +Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem"; // Like previous for anchor and CRL, but also provide our // certificate and keys for client authentication. Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem"; +Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem"; Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem"; Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem"; @@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem"; used for the https entries in the sources.list file that use that repository (with the same name). + Acquire::https[::repo.domain.tld]::CrlFile "/path/to/all/crl.pem"; + + Like previous knob but for passing the list of CRL files (in PEM + format) to be used to verify revocation status. Again, if the + option is defined with no specific mirror (probably makes little + sense), this CRL information is used for all defined https entries + in sources.list file. In a mirror specific context, it only applies + to that mirror. + + Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem"; + + Allows to constrain the issuer of the server certificate (for all + https mirrors or a specific one) to a specific issuer. If the + server certificate has not been issued by this certificate, + connection fails. + Acquire::https[::repo.domain.tld]::Verify-Peer "true"; When authenticating the server, if the certificate verification fails -- cgit v1.2.3
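Review bot: The added `CrlFile` paragraph does not say what the https method does when the CRL at the configured path is missing, unreadable or past its next-update time, which is the case an administrator most needs to plan for. It also speaks of "the list of CRL files" while the option takes a single path (`"/path/to/all/crl.pem"`), so it should state that several CRLs go into one PEM file, if that is the intended use. A sentence noting that the file has to be refreshed from the issuing CA on a schedule would complete the description; the same applies to the `CrlFile` example lines added in the hunk before it.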