Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.7.9 2023-06-27T17:21:47Z 2023-06-27T17:21:47Z Julian Andres Klode julian.klode@canonical.com 2023-06-27T17:14:43Z urn:sha1:aba813975abb880f8b27d659147f7760c02f99e7 We want to gently steer users towards having Signed-By for each source such that we can retire a shared keyring across sources which improves resilience against configuration issues and incompetent malicious actors. 2023-05-02T13:23:14Z Julian Andres Klode julian.klode@canonical.com 2023-02-22T13:14:52Z urn:sha1:a19f606aad717fe5c9c69237c3af53feb547115e Provide snapshot support for offical Debian and Ubuntu archives. There are two ways to enable snapshots for sources: 1. Add Snapshot: yes to your sources file ([snapshot=yes]). This will allow you to specify a snapshot to use when updating or installing using the --snapshot,-S option. 2. Add Snapshot: ID to your sources files to request a specific snapshot for this source. Snapshots are discovered using Label and Origin fields in the Release file of the main source, hence you need to have updated the source at least once before you can use snapshots. The Release file may also declare a snapshots server to use, similar to Changelogs, it can contain a Snapshots field with the values: 1. `Snapshots: https://example.com/@SNAPSHOTID@` where `@SNAPSHOTID@` is a placeholder that is replaced with the requested snapshot id 2. `Snapshots: no` to disable snapshot support for this source. Requesting snapshots for this source will result in a failure to load the source. The implementation adds a SHADOWED option to deb source entries, and marks the main entry as SHADOWED when a snapshot has been requested, which will cause it to be updated, but not included in the generated cache. The concern here was that we need to keep generating the shadowed entries because the cleanup in `apt update` deletes any files not queued for download, so we gotta keep downloading the main source. This design is not entirely optimal, but avoids the pitfalls of having to reimplement list cleanup. Gaps: - Ubuntu Pro repositories and PPAs are not yet supported. 2021-09-13T14:08:52Z David Kalnischkies david@kalnischkies.de 2021-09-12T14:08:52Z urn:sha1:2b0369a5d1673d9e40f2af4db7677b040a26ee58 We allow file (and other file-based methods) URIs to either be given as file:///path or as file:/path, but in various places of the acquire system we perform string comparisons on URIs which do not handle this expecting the canonical representation produced by our URI code. That used to be hidden by us quoting and dequoting the URIs in the system, but as we don't do this anymore we have to be a bit more careful on input. Ideally we would do less of these comparisons, but for now lets be content with inserting a canonicalisation early on to prevent hangs in the acquire system. 2019-07-10T14:15:30Z David Kalnischkies david@kalnischkies.de 2019-07-10T14:15:30Z urn:sha1:5cfbc5727dba2f4662d24cf4deb7cab7cdd57c14 Also in old changelogs, but nothing really user visible like error messages or alike so barely noteworthy. Reported-By: codespell Gbp-Dch: Ignore 2019-02-26T15:31:20Z Julian Andres Klode julian.klode@canonical.com 2019-02-26T12:20:21Z urn:sha1:30d563c7a7ac68a0d2c1e765a1a43687d406c0d5 2019-02-26T15:31:20Z Julian Andres Klode julian.klode@canonical.com 2019-02-26T10:59:38Z urn:sha1:e217a3a425ba72e8b6ce395e1ecd411fbe58e916 This is possible now with the API break. Cleaner code, woohoo. 2018-05-07T11:41:31Z Guillem Jover guillem@debian.org 2018-05-06T20:32:41Z urn:sha1:164f1b78d1849a0f33df7352875f86e28f5de06a Prompted-by: Jakub Wilk <jwilk@debian.org> 2018-02-19T15:05:01Z Julian Andres Klode julian.klode@canonical.com 2018-01-29T15:15:41Z urn:sha1:9e5899cac1a6367e3769af52a724821880e538f6 By restricting the Date field to be in the past, an attacker cannot just create a repository from the future that would be accepted as a valid update for a repository. This check can be disabled by Acquire::Check-Date set to false. This will also disable Check-Valid-Until and any future date related checking, if any - the option means: "my computers date cannot be trusted." Modify the tests to allow repositories to be up to 10 hours in the future, so we can keep using hours there to simulate time changes. 2017-11-19T16:24:41Z David Kalnischkies david@kalnischkies.de 2017-11-16T23:46:34Z urn:sha1:7fba4e0df1768703ce657d8bf8200472c2dd825f The documentation said "spaces", but there is no real reason to be so strict and only allow spaces to separate values as that only leads to very long lines if e.g. multiple URIs are specified which are again hard to deal with from a user PoV which the deb822 format is supposed to avoid. It also deals with multiple consecutive spaces and strange things like tabs users will surely end up using in the real world. The old behviour on encountering folded lines is the generation of URIs which end up containing all these whitespace characters which tends to mess really bad with output and further processing. Closes: 881875 2017-07-26T17:09:04Z David Kalnischkies david@kalnischkies.de 2017-07-15T13:08:35Z urn:sha1:51751106976b1c6afa8f7991790db87b239fcc84 We used to fail on unreadable config/preferences/sources files, but at least for sources we didn't in the past and it seems harsh to refuse to work because of a single file, especially as the error messages are inconsistent and end up being silly (like suggesting to run apt update to fix the problem…). LP: #1701852