From 8bb2a91a070170d7d8e71206d1c66a26809bdbc3 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Tue, 18 Dec 2018 14:50:25 +0100 Subject: Introduce experimental 'never' pinning for sources This allows disabling a repository by pinning it to 'never', which is internally translated to a value of -32768 (or whatever the minimum of short is). This overrides any other pin for that repository. It can be used to make sure certain sources are never used; for example, in unattended-upgrades. To prevent semantic changes to existing files, we substitute min + 1 for every pin-priority: . This is a temporary solution, as we are waiting for an ABI break. To add pins with that value, the special Pin-Priority "never" may be used for now. It's unclear if that will persist, or if the interface will change eventually. --- test/integration/test-policy-pinning | 65 ++++++++++++++++++++++++++++++++++-- 1 file changed, 62 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning index 5676d1457..35e178871 100755 --- a/test/integration/test-policy-pinning +++ b/test/integration/test-policy-pinning @@ -315,15 +315,16 @@ testsuccessequal "coolstuff: Installed: 2.0~bpo1 Candidate: $2 Version table: - 2.0~bpo2 $1 - $1 file:${tmppath}/aptarchive backports/main all Packages + 2.0~bpo2 ${3:-$1} + ${3:-$1} file:${tmppath}/aptarchive backports/main all Packages *** 2.0~bpo1 100 100 ${tmppath}/rootdir/var/lib/dpkg/status 1.0 500 500 file:${tmppath}/aptarchive stable/main all Packages" apt policy coolstuff } currentpin '32767' '2.0~bpo2' -currentpin '-32768' '2.0~bpo1' +currentpin '-32768' '2.0~bpo1' '-32767' +currentpin '-32767' '2.0~bpo1' '-32767' # Check for 0 echo "Package: coolstuff 
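Review bot: The optional third argument that `currentpin` now reads through `${3:-$1}` is not explained anywhere in the hunk, so the calls `currentpin '-32768' '2.0~bpo1' '-32767'` and `currentpin '-32767' '2.0~bpo1' '-32767'` read like a typo rather than a deliberate expectation. A comment above them would help, for example `# $3 = priority apt is expected to print; a literal -32768 is shown as -32767 because -32768 is reserved for 'never'`. That wording follows the commit description; the body of `currentpin` starts outside this hunk, so the comment may fit better at its definition.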
@@ -359,3 +360,61 @@ testsuccessequal "coolstuff:
 100 ${tmppath}/rootdir/var/lib/dpkg/status
 1.0 500
 500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff
+
+
+# Check for override pins
+
+# Normal pins: First one wins
+echo "Package: coolstuff
+Pin: release n=backports
+Pin-Priority: 990
+
+Package: coolstuff
+Pin: release n=backports
+Pin-Priority: 991
+" > rootdir/etc/apt/preferences
+
+testsuccessequal "coolstuff:
+ Installed: 2.0~bpo1
+ Candidate: 2.0~bpo2
+ Version table:
+ 2.0~bpo2 990
+ 100 file:${tmppath}/aptarchive backports/main all Packages
+ *** 2.0~bpo1 100
+ 100 ${tmppath}/rootdir/var/lib/dpkg/status
+ 1.0 500
+ 500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff
+
+
+echo "Package: coolstuff
+Pin: release n=backports
+Pin-Priority: 990
+
+Package: *
+Pin: release n=backports
+Pin-Priority: never
+" > rootdir/etc/apt/preferences
+
+testsuccessequal "coolstuff:
+ Installed: 2.0~bpo1
+ Candidate: 2.0~bpo1
+ Version table:
+ 2.0~bpo2 -32768
+ -32768 file:${tmppath}/aptarchive backports/main all Packages
+ *** 2.0~bpo1 100
+ 100 ${tmppath}/rootdir/var/lib/dpkg/status
+ 1.0 500
+ 500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff
+
+
+
+
+# Check for 0
+echo "Package: coolstuff
+Pin: release n=backports
+Pin-Priority: never
+" > rootdir/etc/apt/preferences
+
+testfailureequal "Reading package lists...
+E: ${tmppath}/rootdir/etc/apt/preferences: The special 'Pin-Priority: never' can only be used for 'Package: *' records" \
+ aptget install -s coolstuff -o PinPriority=0
-- cgit v1.2.3
From c2b9b0489538fed4770515bd8853a960b13a2618 Mon Sep 17 00:00:00 2001
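Review bot: The 'never' override is only exercised with the `Package: coolstuff` 990 record listed before the `Package: *` never record, so the test would still pass if the override happened to depend on record order. The description says a never pin overrides any other pin for the repository, while the preceding case documents that for normal pins the first one wins, so a second case with the two records swapped would be expected to give the same `Candidate: 2.0~bpo1` result and should be pinned down. Separately, the final block is introduced by `# Check for 0` and passes `-o PinPriority=0`, which looks copied from the earlier zero-priority test; a comment such as `# 'never' is rejected outside 'Package: *' records` would describe what is actually asserted.

```sh
# 'never' must win regardless of the order of the records
echo "Package: *
Pin: release n=backports
Pin-Priority: never

Package: coolstuff
Pin: release n=backports
Pin-Priority: 990
" > rootdir/etc/apt/preferences

# … repeat the testsuccessequal block of the preceding 'never' case (Candidate: 2.0~bpo1, 2.0~bpo2 at -32768) …
```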
From: Julian Andres Klode Date: Fri, 1 Feb 2019 14:43:52 +0100 Subject: Add a Packages-Require-Authorization Release file field This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource.
---
 .../test-packages-require-authorization | 61 ++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100755 test/integration/test-packages-require-authorization (limited to 'test')
diff --git a/test/integration/test-packages-require-authorization b/test/integration/test-packages-require-authorization
new file mode 100755
index 000000000..527497ce5
--- /dev/null
+++ b/test/integration/test-packages-require-authorization
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'amd64'
+
+insertpackage 'unstable' 'cool' 'amd64' '1.0'
+
+export APT_DONT_SIGN='InRelease'
+setupaptarchive --no-update
+changetowebserver
+
+echo 'Packages-Require-Authorization: yes' >> aptarchive/dists/unstable/Release
+signreleasefiles
+
+testsuccess aptget update
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+-32768 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:" aptcache policy
+
+mkdir rootdir/etc/apt/auth.conf.d
+cat > rootdir/etc/apt/auth.conf.d/myauth.conf << EOF
+machine localhost
+login username
+password usersPassword
+EOF
+
+
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+ 500 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:" aptcache policy
+
+
+cat > rootdir/etc/apt/preferences.d/myauth.pref << EOF
+Package: *
+Pin: origin localhost
+Pin-Priority: 990
+
+Package: cool
+Pin: origin localhost
+Pin-Priority: 990
+EOF
+
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+ 990 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:
+ cool -> 1.0 with priority 990" aptcache policy
-- cgit v1.2.3
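Review bot: The 990 pins in `myauth.pref` are only written after `auth.conf.d/myauth.conf` exists, so nothing here checks that a user pin cannot lift the repository above -32768 while credentials are still missing. That is the case the field is meant to guard, so I would write the `Package: *` pin before the `mkdir rootdir/etc/apt/auth.conf.d` step, assert that `aptcache policy` still lists the source at -32768, and remove the file again before continuing. The description also mentions a check in acquire-item.cc that keeps the repository from being used as a download source, and a credentials entry for a different `machine` would be another useful negative case; neither appears to be covered by these policy-only assertions.

```sh
# A user pin must not re-enable the source while no credentials are configured.
cat > rootdir/etc/apt/preferences.d/myauth.pref << EOF
Package: *
Pin: origin localhost
Pin-Priority: 990
EOF
# … repeat the first testsuccessequal block here: the source is still expected at -32768 …
rm rootdir/etc/apt/preferences.d/myauth.pref

mkdir rootdir/etc/apt/auth.conf.d
# … unchanged: auth.conf.d setup and the remaining policy checks …
```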