Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.6.0 2023-03-06T09:57:55Z 2023-03-06T09:57:55Z Julian Andres Klode julian.klode@canonical.com 2023-02-27T16:58:33Z urn:sha1:d9039b2409e69e651bf0d7ba582dbf528086332d 2023-03-06T09:23:20Z Julian Andres Klode jak@debian.org 2023-03-06T09:23:20Z urn:sha1:278f542caf92750aed06dae88f066fa01f3f09ac Fix permissions && change section matching in config files to be more gitignore style rightmost match See merge request apt-team/apt!286 2023-03-04T12:07:00Z David Kalnischkies david@kalnischkies.de 2023-03-04T10:55:34Z urn:sha1:937221fde2a5ca989a0b80728cd3ba3639f9f20e A source marked with trusted=yes can still fail verification of the Release file, mostly for Date related issues, like being too new or too old, which have other options to force them in. The update code was not using the Release file (which was a InRelease file but failed verification – which was overridden by trusted=yes) as intended, but it marked it for storage, so that this "bad" Release file would end up being moved into lists/, which is bad as the indexes it refers to aren't updated while the next update run assumes that the indexes are in the state the Release file claims them to be in. Fixed simply by making the storage conditional on the usage as intended, which also resolves a second issue: The verification can also detect that a Release file we got is older than what we already have to avoid down- grade attacks. The more likely explanation is a slightly outdated mirror in a rotation/CDN through, so this gets the silent treatment to avoid scaring users by handling it as if we had got the same Release file we already have stored locally, removing the freshly received older file in the process alongside setting some variables. Those variables were already modified in the trusted=yes case though resulting in the stored Release file being removed instead. Not modifying the variables too early resolves this problem as well. Both seem to exist since at least 2015 as traces are visible in 448c38bdcd already, which shuffled lots of code around including the bad ones, but as we are in trusted=yes land, security is of no concern here, this "just" leads to failed pinning, hashsum mismatches and other strange problems in follow-up calls depending on how out of sync the Release file (if its still present) is with the rest of the trusted data. Reported-By: Dima Kogan <dkogan@debian.org> on IRC Tested-By: Dima Kogan <dkogan@debian.org> 2023-03-03T16:51:05Z David Kalnischkies david@kalnischkies.de 2023-01-28T21:17:44Z urn:sha1:acbfdf0533602a05de066aa86d1f756b5fe0f4a3 We only check the start of these lines to avoid hard coding the exact command and we pick 150 as maximum line length as the longest package name on my system is apparently 75 characters long. We could choose longer or shorter without much issue as over-length just means we mishandle the rest of the line as a new line and it should be really unlikely that a) lines are that long in this file and b) that such long lines contain one of our trigger sequences – but even if, all we do is start a download of an online file. Could be worse. This auto-detection can be avoided by setting Acquire::Changelogs::AlwaysOnline (or Origin specific sub options) to "true" if you always want the changelog from an online source. The reverse – setting it to "false" in the hope it would not get the changelog from an online source – was not and is still not possible. Closes: #1024457 2023-02-27T13:44:12Z Julian Andres Klode julian.klode@canonical.com 2023-02-27T13:41:52Z urn:sha1:557aed9806b59bebac33f4589bafc25fcb8a2728 Use a rightmost match for / so that if we end up with a Section: a/b/c, a 'c' matcher still matches. If the section does not contain any /, it can be matched using /pattern, e.g. /c only matches Section: c, but not Section: a/b/c. 2023-02-27T09:21:24Z Julian Andres Klode jak@debian.org 2023-02-27T09:21:24Z urn:sha1:f98732f703601a8db67527b1b82f3296290f2dc1 Support transition to new non-free-firmware component See merge request apt-team/apt!282 2023-01-29T23:55:05Z David Kalnischkies david@kalnischkies.de 2023-01-29T15:54:39Z urn:sha1:8aeb07448c09375c730c76a6baf31303b129bb96 Hard coding each and every component is not only boring but given that everyone is free to add or use more we end up in situations in which apt behaves differently for the same binary package just because metadata said it is in different components (e.g. non-free vs. non-free-firmware). It is also probably not what the casual user would expect. So we instead treat a value without a component as if it applies for all of them. The previous behaviour can be restored by prefixing the value with "<undefined>/" as in the component is not defined. In an ideal world we would probably use "*/foo" for the new default instead of changing the behaviour for "foo", but it seems rather unlikely that the old behaviour is actually desired. All existing values were duplicated for all (previously) known components in Debian and Ubuntu. 2023-01-29T23:54:48Z Cyril Brulebois kibi@debian.org 2023-01-27T04:51:31Z urn:sha1:0dd4e0b4caeeb3e943a993db79c416d491c469cd Closes: #1029751 2023-01-29T12:59:30Z David Kalnischkies david@kalnischkies.de 2023-01-29T12:44:37Z urn:sha1:3c9ff866affaae10303de04f647220a16bf7e27a The matchers are usually called via its base class, but if we would call them via the derivate class we would not be able to call the not explicitly "imported" overloads, which would be strange. Reported-By: gcc-13 -Woverloaded-virtual Gbp-Dch: Ignore 2023-01-29T12:59:30Z David Kalnischkies david@kalnischkies.de 2023-01-29T12:27:24Z urn:sha1:2cd6be476d1e5a5592ddac8a912ae73bc882d55e Reported-By: clang-tidy [cppcoreguidelines-explicit-virtual-functions] Gbp-Dch: Ignore