From 197c53951430bcb267ddd6e398439a8a5d9a83ad Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Wed, 22 Nov 2017 13:42:31 +0100
Subject: if insecure repo is allowed continue on all http errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a InRelease file fails to download with a non-404 error we assumed there is some general problem with repository like a webportal or your are blocked from access (wrong auth, Tor, …). Turns out some server like S3 return 403 if a file doesn't exist. Allowing this in general seems like a step backwards as 403 is a reasonable response if auth failed, so failing here seems better than letting those users run into problems.

What we can do is show our insecure warnings through and allow the failures for insecure repos: If the repo is signed it is easy to add an InRelease file and if not you are setup for trouble anyhow.

References: cbbf185c3c55effe47f218a07e7b1f324973a8a6
---
 test/integration/test-apt-update-nofallback | 6 ++++--
 .../test-ubuntu-bug-346386-apt-get-update-paywall | 22 +++++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)
(limited to 'test')

diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 47adff33d..d7e30ba20 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -178,8 +178,10 @@ test_subvert_inrelease()
 
 # replace InRelease with something else
 mv "$APTARCHIVE/dists/unstable/Release" "$APTARCHIVE/dists/unstable/InRelease"
-testfailuremsg "E: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
-E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update
+testfailuremsg "E: Failed to fetch file://${APTARCHIVE}/dists/unstable/InRelease Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
+E: The repository 'file:${APTARCHIVE} unstable InRelease' is no longer signed.
+N: Updating from such a repository can't be done securely, and is therefore disabled by default.
+N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update
 
 # ensure we keep the repo
 testfileequal lists.before "$(listcurrentlistsdirectory)"
diff --git a/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall b/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall
index 46c7c5672..3571a9f25 100755
--- a/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall
+++ b/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall
@@ -78,4 +78,24 @@ testfailureequal "Err:1 http://localhost:${APTHTTPPORT} unstable InRelease
 511 Network Authentication Required
 Reading package lists...
 E: Failed to fetch http://localhost:${APTHTTPPORT}/dists/unstable/InRelease 511 Network Authentication Required
-E: Some index files failed to download. They have been ignored, or old ones used instead." apt update
+E: The repository 'http://localhost:${APTHTTPPORT} unstable InRelease' is not signed.
+N: Updating from such a repository can't be done securely, and is therefore disabled by default.
+N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update
+
+# on S3 all files get a 403. If we accept unsigned, lets be liberal in non-existence acceptance
+webserverconfig 'aptwebserver::httpcode::404' '403 Forbidden'
+rm -rf rootdir/var/lib/apt/lists
+testfailureequal "Err:1 http://localhost:${APTHTTPPORT} unstable InRelease
+ 403 Forbidden
+Reading package lists...
+E: Failed to fetch http://localhost:${APTHTTPPORT}/dists/unstable/InRelease 403 Forbidden
+E: The repository 'http://localhost:${APTHTTPPORT} unstable InRelease' is not signed.
+N: Updating from such a repository can't be done securely, and is therefore disabled by default.
+N: See apt-secure(8) manpage for repository creation and user configuration details." apt update
+
+sed -i 's#^deb\(-src\)\? #deb\1 [allow-insecure=yes] #' rootdir/etc/apt/sources.list.d/*
+testfailure apt update
+testequal "Ign:1 http://localhost:${APTHTTPPORT} unstable InRelease
+ 403 Forbidden
+Ign:2 http://localhost:${APTHTTPPORT} unstable Release
+ 403 Forbidden" head -n 4 rootdir/tmp/testfailure.output
-- 
cgit v1.2.3
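Review bot: The allow-insecure case at the end of the hunk pins only the first four lines of the failure output (`head -n 4 rootdir/tmp/testfailure.output`) plus the bare fact that `apt update` fails, so it does not assert what the run does once the two 403s have been demoted to `Ign:` — whether it stops with a specific error or goes on to touch further index files. Pinning the complete expected output with `testfailureequal`, as the two preceding cases in this hunk do, would make a regression in that tail fail the test instead of passing unnoticed. Separately, the first expectation now ends in `aptget update` where the removed line ran `apt update`, while the new 403 case uses `apt update`; if that switch is incidental, keeping one front end across all three cases would make the comparison cleaner.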