Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.9.5 2019-12-02T17:18:57Z 2019-12-02T17:18:57Z Julian Andres Klode julian.klode@canonical.com 2019-12-02T17:18:57Z urn:sha1:5a98b531f7afcd34367b46ac9e0c7bfe151d6999 2019-12-02T15:21:12Z Julian Andres Klode jak@debian.org 2019-12-02T15:21:12Z urn:sha1:878861d35c8a97823b7cecc7e47d6850a5394d8b Fix a mistake in man french translation See merge request apt-team/apt!83 2019-12-02T14:49:07Z Julian Andres Klode jak@debian.org 2019-12-02T14:49:07Z urn:sha1:b59be3af284d13988182d99fcd2ab5948a0f6a83 Pu/patterns phase2 See merge request apt-team/apt!85 2019-12-02T13:28:07Z Julian Andres Klode jak@debian.org 2019-12-02T13:28:07Z urn:sha1:203ed6e094e0e5a332ddae9e4f08df5694b84ba9 netrc: Restrict auth.conf data to https by default See merge request apt-team/apt!84 2019-12-02T13:27:38Z Julian Andres Klode julian.klode@canonical.com 2019-12-02T10:46:49Z urn:sha1:93f33052de84e9aeaf19c92291d043dad2665bbd This avoids downgrade attacks where an attacker could inject Location: http://private.example/ and then (having access to raw data to private.example, for example, by opening a port there, or sniffing network traffic) read the credentials for the private repository. Closes: #945911 2019-11-28T15:28:06Z Anthony Papillon anthony.papillon@gmail.com 2019-11-28T15:28:06Z urn:sha1:d248e77c0c5cd01997ee09cd4e1e2835bf31f1e2 2019-11-27T21:00:43Z David Kalnischkies david@kalnischkies.de 2019-11-27T11:10:31Z urn:sha1:1690c3f87ae45a41e8d3e09bf0b1021c008460b9 While passing the combi Release and Release.gpg to the gpgv method for verification the filename of Release is placed where usually Release.gpg is assumed in the rest of the code. The "usual" cases like passing verification and failing verification ending in an error are taking care of this, but the code path dealing with a failed verification, but ignoring said failure (e.g. due to trusted=yes) was not which results in the wrong file being removed later on (in case the index happens to be unmodified since the last update call) leading us into the abyss of strange failures (fixed in the previous commit) were nothing should have changed. This is not a security issue in this form as the repository needs to fail verification & the user forcing apt to ignore the failure and carry on anyhow. It does show however how complicated the code and its various interconnected paths can become. Reported-By: Val "pinkieval" Lorentz on IRC 2019-11-27T20:56:33Z David Kalnischkies david@kalnischkies.de 2019-11-27T18:57:08Z urn:sha1:62bfe5b6ca3ccfba6313d3f9ab4cb75a24a5557a If we have no old Release file, but old indices we can't compare hashsums with the new Release file and hence must request the indices again and have to react to IMS hits if they didn't change. We used to symlink the old index file to the partial directory, but that usually meant that we linked an uncompressed file to a compressed file, which not all uncompressors can deal with transparently resulting in strange failures. We could do without the symlink, but that would require changes in the codepaths dealing with failure as they would rename the file to FAILED. 2019-11-26T11:36:46Z David Kalnischkies david@kalnischkies.de 2019-11-09T13:18:45Z urn:sha1:d88fb9fa233b1356c767d0183d91c821ee1ccd83 Skipped tests do not age very well as changes to the infrastructure go by unnoticied. In this case we are fetching Translation files now differently meaning only if mentioned in Release file, which broke this test. As it makes use of LC_ALL and utf8 locales it can't really be reenabled, but it might be able to serve as an example for others and hence at least deserves being fixed. Gbp-Dch: Ignore 2019-11-26T11:36:46Z David Kalnischkies david@kalnischkies.de 2019-09-13T10:01:47Z urn:sha1:35012abf30ec1cfc9b5ee29647d4b1e25d98e99f Unused variable, std::algorithms instead of raw for-loops. There should be no observeable difference in behaviour. Reported-By: cppcheck Gbp-Dch: Ignore