Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.8.0_beta1 2019-01-22T15:02:36Z 2019-01-22T15:02:36Z Julian Andres Klode jak@debian.org 2019-01-22T15:02:36Z urn:sha1:690bc2923814b3620ace1ffcb710603f81fa217f Report keys used to sign file from gpgv method to acquire system See merge request apt-team/apt!44 2019-01-22T11:50:59Z Julian Andres Klode julian.klode@canonical.com 2019-01-18T08:13:52Z urn:sha1:5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353 2019-01-22T11:24:22Z David Kalnischkies david@kalnischkies.de 2018-09-11T23:44:18Z urn:sha1:7bf533967fb385b9625a1ee4dd7c6542a84b489c Telling the acquire system which keys caused the gpgv method to succeed allows us for now just a casual check if the gpgv method really executed catching bugs like CVE-2018-0501, but we will make use of the information for better features in the following commits. 2019-01-22T11:08:14Z Khem Raj raj.khem@gmail.com 2019-01-20T23:57:05Z urn:sha1:9f3207395ca4d331107cfd76365d484f4637c76d In C++17 `register` keyword was removed. Current gcc 8.1.0 produces following warning if `-std=c++17` flag is used: warning: ISO C++17 does not allow 'register' storage class specifier [-Wregister] GCC almost completely ignores `register` keyword, with rare exception of `-O0` when additional copy from/to stack may be generated. For simplicity of the codebase it is better to just remove this problematic keyword where it is not strictly required. See: http://en.cppreference.com/w/cpp/language/storage_duration Signed-off-by: Khem Raj <raj.khem@gmail.com> 2019-01-05T17:40:18Z Julian Andres Klode jak@debian.org 2019-01-05T17:40:18Z urn:sha1:fb1c5167f1a69fc47ca8e741b86fab1ae7c08309 2018-12-26T20:24:20Z Julian Andres Klode jak@debian.org 2018-12-26T11:40:09Z urn:sha1:563fedea263361b0786303f58dccc1a9a733e1d9 We called low-level ParseDepends without an architecture each time, which means each call looked up the native architecture. Store the native architecture in the class and use that when calling low-level ParseDepends from the high-level ParseDepends(). This improves performance for a cache build from 2.7 to 2.5 seconds for me. Also avoid a call when stripping multiarch, as the native architecture is passed in. 2018-12-26T20:24:20Z Julian Andres Klode jak@debian.org 2018-12-26T11:40:06Z urn:sha1:6018a849f46c7f701adbc4c2474de0b1177f3711 2018-12-26T20:22:37Z Julian Andres Klode jak@debian.org 2018-12-26T11:39:56Z urn:sha1:37ae749b20485b6c8237d5b5a08cfdd58a2364e1 This is more than twice as fast as adler32, but could be made another 50% faster by calculating crcs for 8 byte blocks in "parallel" (without data dependency) and then combining them. But that's complicated code. Reference measurements for hashing the cache 100 times: adler32=2.46s xxhash64=0.64 xxhash32=1.12 crc32c(this)=1.10 crc32c(opt)=0.44s 2018-12-10T17:35:33Z Julian Andres Klode jak@debian.org 2018-12-10T17:35:33Z urn:sha1:d57834a36e6adebbad28819360a984819995b376 Set PATH=/usr/sbin:/usr/bin:/sbin:/bin when running dpkg See merge request apt-team/apt!38 2018-12-10T16:31:24Z Julian Andres Klode julian.klode@canonical.com 2018-12-10T15:52:59Z urn:sha1:806e94dcd8dbdf7bf1909657fd4331cfe17b4ab0 This avoids a lot of problems from local installations of scripting languages and other stuff in /usr/local for which maintainer scripts are not prepared. [v3: Inherit PATH during tests, check overrides work] [v2: Add testing]