Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.9.1 2024-03-22T10:10:24Z 2024-03-22T10:10:24Z Julian Andres Klode julian.klode@canonical.com 2024-03-21T21:18:58Z urn:sha1:c8641c40d1a67408439c3a3a37ea203b838eb21a This reverts commit 9bb953fddae0246a4dcedddb769d75d3521e1f2f. 2024-03-22T10:10:24Z Julian Andres Klode julian.klode@canonical.com 2024-03-21T21:18:08Z urn:sha1:5414789489f9814aaacdc6169975bae1b871a44f The TagFile parser will have already parsed further and can't go back so it needs to reopen the file if compressed. Closes: #1067440 2024-03-07T15:35:17Z David Kalnischkies david@kalnischkies.de 2024-01-23T13:45:46Z urn:sha1:3d1614b0a6c9c185ed1b2834e338f14d4de5b124 libapt has a NotEquals relation for version constraints in dependencies, which is used internally e.g. in the MultiArch implementation, but this relation is not supported by Debian policy and as such can not be used in packages. Our parser here is extremely accepting, even unknown relations are parsed as Equals relation – but the version that must match will be a rather strange one… For our own testcases and e.g. on the command line with 'satisfy' it can make sense to have != available… and what strange things apt does parsing unsupported relations is not really much of a concern. Real packages will not have such relations anyhow as we are (mostly) just a consumer, not a producer of packages and index files. 2024-02-20T17:50:14Z Julian Andres Klode julian.klode@canonical.com 2024-02-20T08:56:06Z urn:sha1:e2949fc463f9e087978b072c82b11860ee02fdb6 This adds a bit more code but avoids any surprises later on by having both the shadowed and non-shadowed meta index in the list. Gbp-Dch: ignore 2024-02-20T17:50:14Z Julian Andres Klode julian.klode@canonical.com 2024-02-19T11:07:55Z urn:sha1:b6274188312e6338e94edc45dbf9cc410d650477 Convert sources.list Snapshot option from opt-in to automatic. If we can find a snapshot server, Snapshot: yes is assumed if a snapshot is specified. On the implementation side, we record automatic snapshot enablement by adding a '?' suffix to the snapshot timestamp, if any is specified, this avoids introducing bugs into the code where we could end up with an empty snapshot. This has an annoying internal implementation caveat: Since we call GetDebReleaseIndexBy() with the SHADOWED option emplaced, if we do not find a server, we need to remove the SHADOWED option again, but we already have inserted a shadowed release index into the list. This will simply insert the release index a second time without the SHADOWED option which in preliminary testing works fine, but it would arguably be more correct to also remove the release index again if we have created it. FIXME: This only has one test case: A source with supported snapshot server is auto-discovered. We should also add a test case where we cannot detect a server and then don't fail in automatic mode. 2024-02-20T12:49:04Z Julian Andres Klode julian.klode@canonical.com 2024-02-20T12:43:08Z urn:sha1:40a75722c43ae24cb9a99d6730a3b25b65819c49 This was automated with sed and git-clang-format, and then I had to fix up the top of policy.cc by hand as git-clang-format accidentally indented it by two spaces. 2023-10-04T12:17:16Z Julian Andres Klode julian.klode@canonical.com 2023-10-04T12:17:16Z urn:sha1:b24d6a1f3aff12f32f6a7024aac6961089f99719 This avoids the rabbit hole of md5 on FIPS systems, and repositories have moved to including the value as well. Also stop validating the field, this can be an arbitrary string as far as we are concerned. 2023-08-02T10:04:32Z Julian Andres Klode julian.klode@canonical.com 2023-08-01T11:59:09Z urn:sha1:5576e7f76da73f3f5217f90d816cc19b6c0a5a77 If we know both SHA256, and they're different, the packages are. This approach stores the SHA256 only at runtime, avoiding the overhead of storing it on-disk, because when we update repositories we update all of them anyhow. Note that pkgCacheGenerator is hidden, so we can just modify its ABI, hooray. Closes: #931175 LP: #2029268 2023-07-12T14:49:19Z Julian Andres Klode julian.klode@canonical.com 2023-06-27T15:11:06Z urn:sha1:5dcb36e7af4bd65211ac4937e5e7feac8c85683c We did not handle multiple components properly, add a contrib component to the test case. 2023-06-27T17:21:47Z Julian Andres Klode julian.klode@canonical.com 2023-06-27T17:14:43Z urn:sha1:aba813975abb880f8b27d659147f7760c02f99e7 We want to gently steer users towards having Signed-By for each source such that we can retire a shared keyring across sources which improves resilience against configuration issues and incompetent malicious actors.