<feed xmlns='http://www.w3.org/2005/Atom'>
<title>apt/CMake, branch main</title>
<subtitle>Debians commandline package manager</subtitle>
<id>https://git.kalnischkies.de/apt/atom?h=main</id>
<link rel='self' href='https://git.kalnischkies.de/apt/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/'/>
<updated>2026-03-02T21:53:49Z</updated>
<entry>
<title>Copyright changes</title>
<updated>2026-03-02T21:53:49Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2026-03-02T21:53:49Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=140e4e2f84813c85d96488031e6d3e0359f7b6d5'/>
<id>urn:sha1:140e4e2f84813c85d96488031e6d3e0359f7b6d5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Pass --check to msgfmt and fix broken format strings</title>
<updated>2025-05-06T16:11:33Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2025-05-06T16:11:33Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=9a7e34d491b828a227930654d4f99e4fd2eb93ec'/>
<id>urn:sha1:9a7e34d491b828a227930654d4f99e4fd2eb93ec</id>
<content type='text'>
The check option discovers broken format string translations as
well as other issues like broken headers, enable it.

The Japanese translation was discovered to both use the wrong
ordering for %.*s translations with different positions, and
missing the dot, e.g.

    %1$*2$s should have been %2$.*1$s

    (the number after % matches the string and the number after
     .* the size)
</content>
</entry>
<entry>
<title>apt-pkg: Avoid exporting any optional symbols</title>
<updated>2025-02-14T18:45:12Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-01-05T19:19:21Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=6de55404ca8ce296ccf14880c6115b6d8eb4e0b9'/>
<id>urn:sha1:6de55404ca8ce296ccf14880c6115b6d8eb4e0b9</id>
<content type='text'>
</content>
</entry>
<entry>
<title>methods: Add new sqv method</title>
<updated>2024-12-22T22:51:22Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2024-12-07T15:44:18Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=da9a05e0b0b2150dbb67090e8b0c3922e46bd5cf'/>
<id>urn:sha1:da9a05e0b0b2150dbb67090e8b0c3922e46bd5cf</id>
<content type='text'>
The new sqv method uses sequoia's sqv tool to verify files. The
tool's interface is quite simple: It returns 0 on success, and
prints one line per good signer with the fingerprint.

sqv has a configurable crypto policy. We have defined apt-specific
override mechanisms for sequoia's standard policy, allowing both
users, distributions, and apt package to provide overrides for
Sequoia's default policy in meaningful ways.

The sqv method will be built and be the standard method for
verifying OpenPGP signatures provided that `sqv` is in the
PATH during building. It is not built if there was no sqv
at build time, so you need a rebuild to enable sqv later
on.

On the flip side, the gpgv method is always built, but it
does need to be always built: If APT::Key::GPGVCommand is
set, we need to fallback to it - this is important to
support existing users of that interface such as
mmdebstrap. Also we want to fall back to it when /usr/bin/sqv
disappears - for example in our CI :D

A couple of concessions have been made for test suite purposes:

- Failure to split a clearsigned file only shows the summary,
  as the gpgv method also only showed it, and no details why
  it failed.
- We write "Got GOODSIG &lt;fingerprint&gt;" in debug mode to mimic
  the gpgv code to keep the test suite happy.

- In various places in the test suite we assert minimal output
  from sqv, but sqv's human output is not intended to be stable.
  This will incur additional work when it breaks. However we do
  not _parse_ the output, so actual operation of apt is unaffected.

A couple of things are suboptimal here:

- We are still doing clearsigned splitting ourselves. sqv only
  has support for detached signatures right now, whereas sqopv
  has support for clearsigned files as well (but sqopv does not
  provide any reasons for why signature verification fails or
  means to set a policy).

- Deprecation of algorithms happens on a timebomb basis in
  sequoia. We have no means to give users warnings ahead of
  time if their configuration is outdated.

We have implemented various bits that probably should be going away:

- Fallback to trusted.gpg
  This is just annoying...
- Support for fingerprints in Signed-By (no subkey matching though)
  The extra work here is arguably less compared to gpgv.
- Check the keyring for correctness.
  With Signed-By everywhere, we should just error out rather than
  skip broken keyrings.

Moo
</content>
</entry>
<entry>
<title>Remove GnuTLS and gcrypt support</title>
<updated>2024-12-22T22:45:15Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-12-21T14:26:34Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=7b1fb90b93ced7c0772d726e512da01fad456852'/>
<id>urn:sha1:7b1fb90b93ced7c0772d726e512da01fad456852</id>
<content type='text'>
OpenSSL is mandatory now, it is no longer possible to build
without https support either.
</content>
</entry>
<entry>
<title>hashes, methods: Add OpenSSL backends</title>
<updated>2024-12-22T21:55:39Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-12-18T18:37:40Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=90270f0959d490d56db891809d83c91b3d4b9bf0'/>
<id>urn:sha1:90270f0959d490d56db891809d83c91b3d4b9bf0</id>
<content type='text'>
Introduce an OpenSSL::Crypto backend for the hashes library
and an OpenSSL::SSL backend for the TLS support in our https
method.

Many thanks to curl for showing the way with how to handle
a CRL file. There are some memory leaks here with the
TlsFd itself as well as the proxy support; and we should
reorganize the code to generate the ssl object as late
as possible.

A peculiar aspect of OpenSSL is that SSL_has_pending() returns
1 even if SSL_read() will fail to read anything and return the
equivalent of EAGAIN. We work around this here by also peeking
ahead 1 byte. I was running a very high RTT connection from
Germany to Australia for testing, and with the peeking it's
using negligible amounts of CPU; before that, it was busy
looping at 100%. Bad OpenSSL!
</content>
</entry>
<entry>
<title>Introduce automatic pager for read commands</title>
<updated>2024-12-18T09:25:24Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2024-12-16T16:05:40Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=6e260e26e4cd671f781151e24d89a17b29a55530'/>
<id>urn:sha1:6e260e26e4cd671f781151e24d89a17b29a55530</id>
<content type='text'>
Automatically show the output of `show`, `policy`, `list`,
`search`, `showsrc` in a pager.

The pager setup is inspired by git's pager setup. Notably,
the pager is found using APT_PAGER and PAGER variables.

We wait for the pager to be setup somewhat correctly by
using a notify pipe to figure out whether execvp() was
succesful - then the pipe will read EOF as the other end
got closed by CLOEXEC during exec - or not, then the pipe
will contain an errno.

We set up the correct handlers for signals and exit to close
the fds and wait for the pager. Notably inside the signal
handler we cannot flush our streams, only close them, so
there is some duplication.

We call the InitOutputPager() function from inside the
various Do...() functions rather than setting it up
generally in InitOutput(). Doing so allows us to first
render the progress without a pager, and then setup
the pager for the content only which improves user
experience.

When we setup a pager we also take care to disable
standard input, as we should not be prompting users
while a pager is running (the pager will be reading
from the tty directly). We do this by dup2-ing() a
/dev/null over it; if we just close()d the fd, another
open() might reuse the fd number and problems could
occur.
</content>
</entry>
<entry>
<title>Avoid unnormalized paths for CMake install destinations</title>
<updated>2024-11-22T12:11:13Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2024-11-19T21:58:13Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=7578b7031921231400be78fa8c2893bbd5ea18df'/>
<id>urn:sha1:7578b7031921231400be78fa8c2893bbd5ea18df</id>
<content type='text'>
CMake 3.31 is very noisy about our manpage (and to a lesser extend
documentation in general) building as we used "//" and "/../" there.

`cmake --help-policy CMP0177` documents the warning, so we could just
decide on a value and deal with it, but given our usage is not really
needed and rather trivial to change lets not pick a value and instead
use a normalized path so we don't use different code paths in CMake
depending on which CMake version we happen to be build with.
</content>
</entry>
<entry>
<title>Do not ignore if a cmake execute_process fails</title>
<updated>2024-04-24T13:16:21Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2024-04-05T14:02:39Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=3e24f431d9527816820e103df7db9f39062b551d'/>
<id>urn:sha1:3e24f431d9527816820e103df7db9f39062b551d</id>
<content type='text'>
Ignoring errors might lead to failures later on anyhow, but especially
with triehash it could also lead to broken builds or other crazy stuff,
so lets better be save than sorry.
</content>
</entry>
<entry>
<title>Hide nice subtree character and indentation of summary from translations</title>
<updated>2024-04-13T19:22:36Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2024-04-13T19:22:36Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=cf71004551eca23f6d73648bc19f65e8b2a08ce9'/>
<id>urn:sha1:cf71004551eca23f6d73648bc19f65e8b2a08ce9</id>
<content type='text'>
Also allow us to have utf-8 characters in xgettext, but msgcomm still
fails so ugh.

This avoids translations messing up the formatting a bit more, at
least, and makes apt build again
</content>
</entry>
</feed>
