From 081fbea14d12f79c8d91ce4fe1f1004c7bc08656 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 12 Apr 2017 17:39:06 +0200 Subject: error in update on Release information changes The value of Origin, Label, Codename and co can be used in user configuration from apts own pinning to unattended upgrades. A repository changing this values can therefore have serious effects on the behaviour of apt and other tools using these values. In a first step we will generate error messages for these changes now explaining the need for explicit confirmation and provide config options and commandline flags to accept them. --- .../test-apt-update-releaseinfo-changes | 77 ++++++++++++++++++++++ ...bug-841874-warning-for-mismatching-distribution | 12 ---- test/integration/test-policy-pinning | 2 +- 3 files changed, 78 insertions(+), 13 deletions(-) create mode 100755 test/integration/test-apt-update-releaseinfo-changes (limited to 'test') diff --git a/test/integration/test-apt-update-releaseinfo-changes b/test/integration/test-apt-update-releaseinfo-changes new file mode 100755 index 000000000..822ae7ce7 --- /dev/null +++ b/test/integration/test-apt-update-releaseinfo-changes @@ -0,0 +1,77 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'amd64' + +insertpackage 'earth' 'human' 'all' '1' + +getoriginfromsuite() { echo -n 'Earth'; } +getlabelfromsuite() { echo -n 'Blue Planet'; } +getcodenamefromsuite() { echo -n 'home'; } +getreleaseversionfromsuite() { echo -n '1.0'; } +getnotautomaticfromsuite() { echo -n 'yes'; } +getbutautomaticupgradesfromsuite() { echo -n 'yes'; } +setupaptarchive --no-update +testsuccess aptget update + +cp -a aptarchive/dists aptarchive/dists.bak +cp -a rootdir/var/lib/apt/lists rootdir/var/lib/apt/lists.bak +APTARCHIVE="$(readlink -f './aptarchive')" + +sed -i -e 's#^Origin: Earth#Origin: Mars#' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Origin' value from 'Earth' to 'Mars' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update +testfailure apt update --allow-releaseinfo-change-label +testsuccesswithnotice apt update --allow-releaseinfo-change +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Origin' value from 'Earth' to 'Mars'" tail -n 2 rootdir/tmp/testsuccesswithnotice.output + +rm -rf rootdir/var/lib/apt/lists +cp -a rootdir/var/lib/apt/lists.bak rootdir/var/lib/apt/lists +sed -i -e 's#^Label: Blue#Label: Red#' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Origin' value from 'Earth' to 'Mars' +E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Label' value from 'Blue Planet' to 'Red Planet' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update +testfailure apt update --allow-releaseinfo-change-label +testfailuremsg "N: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Origin' value from 'Earth' to 'Mars' +E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Label' value from 'Blue Planet' to 'Red Planet' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update --allow-releaseinfo-change-origin +testsuccess apt update --allow-releaseinfo-change-origin --allow-releaseinfo-change-label -o quiet::ReleaseInfoChange=true + +# version changes are allowed by default +sed -i -e 's#^Version: 1#Version: 2#' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Version' value from '1.0' to '2.0' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update --no-allow-releaseinfo-change-version +testsuccesswithnotice apt update +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Version' value from '1.0' to '2.0'" tail -n 2 rootdir/tmp/testsuccesswithnotice.output + +sed -i -e 's#^Codename: home#Codename: colony#' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Codename' value from 'home' to 'colony' +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update --no-allow-releaseinfo-change-codename +testsuccesswithnotice apt update --allow-releaseinfo-change-codename +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its 'Codename' value from 'home' to 'colony'" tail -n 2 rootdir/tmp/testsuccesswithnotice.output + +sed -i -e '/^ButAutomaticUpgrades: / d' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 100 to 1. +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update +testsuccesswithnotice apt update --allow-releaseinfo-change +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 100 to 1." tail -n 2 rootdir/tmp/testsuccesswithnotice.output + +sed -i -e '/^NotAutomatic: / d' $(find ./aptarchive -name 'Release') +signreleasefiles +testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 1 to 500. +N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update +testsuccesswithnotice apt update --allow-releaseinfo-change-defaultpin +testequal "All packages are up to date. +N: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 1 to 500." tail -n 2 rootdir/tmp/testsuccesswithnotice.output diff --git a/test/integration/test-bug-841874-warning-for-mismatching-distribution b/test/integration/test-bug-841874-warning-for-mismatching-distribution index 6cc8e3173..7502eefc3 100755 --- a/test/integration/test-bug-841874-warning-for-mismatching-distribution +++ b/test/integration/test-bug-841874-warning-for-mismatching-distribution @@ -47,15 +47,3 @@ testfailure apt show foo ln -s "${APTARCHIVE}/dists/testing" "${APTARCHIVE}/dists/buster" testsuccess apt update testsuccess apt show foo - -# changing codenames gets a warning, too -rm -rf rootdir/var/lib/apt/lists -sed -i -e 's#buster#testing#g' rootdir/etc/apt/sources.list.d/* -testsuccess apt update -testsuccess apt show foo -sed -i -e 's#^Codename: buster#Codename: zurg#g' $(find ./aptarchive -name 'Release') -signreleasefiles -testwarningmsg "W: Conflicting distribution: file:$APTARCHIVE testing/updates InRelease (expected buster/updates but got zurg/updates)" apt update -testsuccess apt show foo -testsuccess apt update -testsuccess apt show foo diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning index 30238bd87..5676d1457 100755 --- a/test/integration/test-policy-pinning +++ b/test/integration/test-policy-pinning @@ -238,7 +238,7 @@ testequalpolicycoolstuff "2.0~bpo1" "2.0~bpo1" 990 500 990 "" -o Test=ButAutomat rm incoming/backports.main.pkglist incoming/backports.main.srclist buildsimplenativepackage "coolstuff" "all" "2.0~bpo2" "backports" -setupaptarchive +setupaptarchive --no-update sed -i aptarchive/dists/backports/Release -e 1i"NotAutomatic: yes" signreleasefiles -- cgit v1.2.3 From 96ebab48c25fcd1ee83729cdba4be8a6343a8766 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sun, 28 May 2017 13:24:33 +0200 Subject: show a Release-Notes URI if infos were changed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This gives the repository owner a chance to explain why this change was needed – e.g. explaining the organisational changes or simply detailing the changes in the new release made. Note that this URI is also shown if the change is accepted, so it also draws attention to release notes of minor updates (if users watch apt output closely). --- test/integration/test-apt-update-releaseinfo-changes | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/test/integration/test-apt-update-releaseinfo-changes b/test/integration/test-apt-update-releaseinfo-changes index 822ae7ce7..e4bca3658 100755 --- a/test/integration/test-apt-update-releaseinfo-changes +++ b/test/integration/test-apt-update-releaseinfo-changes @@ -68,10 +68,13 @@ testsuccesswithnotice apt update --allow-releaseinfo-change testequal "All packages are up to date. N: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 100 to 1." tail -n 2 rootdir/tmp/testsuccesswithnotice.output -sed -i -e '/^NotAutomatic: / d' $(find ./aptarchive -name 'Release') +sed -i -e '/^NotAutomatic: / d' -e '/^Codename: / a\ +Release-Notes: https://example.org/mars/release-notes' $(find ./aptarchive -name 'Release') signreleasefiles testfailuremsg "E: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 1 to 500. +N: More information about this can be found online in the Release notes at: https://example.org/mars/release-notes N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details." apt update testsuccesswithnotice apt update --allow-releaseinfo-change-defaultpin testequal "All packages are up to date. -N: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 1 to 500." tail -n 2 rootdir/tmp/testsuccesswithnotice.output +N: Repository 'file:$APTARCHIVE earth InRelease' changed its default priority for apt_preferences(5) from 1 to 500. +N: More information about this can be found online in the Release notes at: https://example.org/mars/release-notes" tail -n 3 rootdir/tmp/testsuccesswithnotice.output -- cgit v1.2.3