Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.8.0_alpha3.1 2019-01-22T18:50:36Z 2019-01-22T18:50:36Z Julian Andres Klode julian.klode@canonical.com 2019-01-18T08:13:52Z urn:sha1:c31d65e76810f72c356e381818174bf100605de7 This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353 (cherry picked from commit 5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b) 2018-12-10T17:35:33Z Julian Andres Klode jak@debian.org 2018-12-10T17:35:33Z urn:sha1:d57834a36e6adebbad28819360a984819995b376 Set PATH=/usr/sbin:/usr/bin:/sbin:/bin when running dpkg See merge request apt-team/apt!38 2018-12-10T16:31:24Z Julian Andres Klode julian.klode@canonical.com 2018-12-10T15:52:59Z urn:sha1:806e94dcd8dbdf7bf1909657fd4331cfe17b4ab0 This avoids a lot of problems from local installations of scripting languages and other stuff in /usr/local for which maintainer scripts are not prepared. [v3: Inherit PATH during tests, check overrides work] [v2: Add testing] 2018-12-04T16:48:41Z Julian Andres Klode julian.klode@canonical.com 2018-12-03T16:39:03Z urn:sha1:bbfcc05c1978decd28df9681fd73e2a7d9a8c2a5 This allows us to install matching auth files for sources.list.d files, for example; very useful. This converts aptmethod's authfd from one FileFd to a vector of pointers to FileFd, as FileFd cannot be copied, and move operators are hard. 2018-12-04T15:34:26Z Julian Andres Klode julian.klode@canonical.com 2018-12-04T15:31:07Z urn:sha1:37bdbe03d44975951d2518bb9b3d3636081dca6a FileFd could be copied using the default copy constructor, which does not work, and then causes code to crash. 2018-12-04T11:53:05Z Julian Andres Klode jak@debian.org 2018-12-04T11:53:05Z urn:sha1:b9d405d4074bb1de10e869038fe9685bf660fd16 Use quoted tagnames in config dumps See merge request apt-team/apt!32 2018-12-04T11:52:28Z Julian Andres Klode jak@debian.org 2018-12-04T11:52:28Z urn:sha1:dbf202ff9d20a043855d41f4bea1d954b0cef579 Remove old derivatives See merge request apt-team/apt!31 2018-11-29T21:15:28Z David Kalnischkies david@kalnischkies.de 2018-11-29T21:15:28Z urn:sha1:64d7e1c568a7f9e7f32d1dee1ab771f924baa28d Tagnames in configuration can include spaces (and other nasties) e.g. in repository-specific configuration options due to Origin/Label potentially containing a space. The configuration file format supports parsing quoted as well as encoded spaces, but the output generated by apt-config and other places which might be feedback into apt via parsing (e.g. before calling apt-key in our gpgv method) do not quote and hence produce invalid configuration files. Changing the default to be an encoded tagname ensures that the output of dump can be used as a config file, but other users might not expect this so that is technically a backward-breaking change. 2018-11-25T16:38:31Z David Kalnischkies david@kalnischkies.de 2018-11-25T16:38:31Z urn:sha1:f313e09d167cc7a83846ac9d4d5d72ba10cc2638 No user visible change expect for some years old changelog entries, so we don't really need to add a new one for this… Reported-By: codespell Gbp-Dch: Ignore 2018-10-30T21:43:35Z Chris Leick c.leick@vollbio.de 2018-10-30T21:32:34Z urn:sha1:b6b159cc5eedca24d2ca0e27e230865ad2b4ad0f