<feed xmlns='http://www.w3.org/2005/Atom'>
<title>apt/apt-pkg, branch 2.7.0</title>
<subtitle>Debian's command-line package manager</subtitle>
<id>https://git.kalnischkies.de/apt/atom?h=2.7.0</id>
<link rel='self' href='https://git.kalnischkies.de/apt/atom?h=2.7.0'/>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/'/>
<updated>2023-05-02T13:56:30Z</updated>
<entry>
<title>Merge branch 'pu/snapshot' into 'main'</title>
<updated>2023-05-02T13:56:30Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2023-05-02T13:56:30Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=ed818cfe5c53503f8096056f599e639a9308b3da'/>
<id>urn:sha1:ed818cfe5c53503f8096056f599e639a9308b3da</id>
<content type='text'>
Add --snapshot and --update support

See merge request apt-team/apt!291</content>
</entry>
<entry>
<title>Initial support for snapshot servers, apt --snapshot option</title>
<updated>2023-05-02T13:23:14Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2023-02-22T13:14:52Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=a19f606aad717fe5c9c69237c3af53feb547115e'/>
<id>urn:sha1:a19f606aad717fe5c9c69237c3af53feb547115e</id>
<content type='text'>
Provide snapshot support for official Debian and Ubuntu archives.

There are two ways to enable snapshots for sources:

1. Add Snapshot: yes to your sources file ([snapshot=yes]). This
   will allow you to specify a snapshot to use when updating or
   installing using the --snapshot,-S option.

2. Add Snapshot: ID to your sources files to request a specific
   snapshot for this source.

Snapshots are discovered using Label and Origin fields in the Release
file of the main source, hence you need to have updated the source at
least once before you can use snapshots.

The Release file may also declare a snapshots server to use, similar
to Changelogs, it can contain a Snapshots field with the values:

1. `Snapshots: https://example.com/@SNAPSHOTID@` where `@SNAPSHOTID@`
   is a placeholder that is replaced with the requested snapshot id

2. `Snapshots: no` to disable snapshot support for this source.
   Requesting snapshots for this source will result in a failure
   to load the source.

The implementation adds a SHADOWED option to deb source entries,
and marks the main entry as SHADOWED when a snapshot has been
requested, which will cause it to be updated, but not included
in the generated cache.

The concern here was that we need to keep generating the shadowed
entries because the cleanup in `apt update` deletes any files not
queued for download, so we gotta keep downloading the main source.

This design is not entirely optimal, but avoids the pitfalls of
having to reimplement list cleanup.

Gaps:

- Ubuntu Pro repositories and PPAs are not yet supported.
</content>
</entry>
<entry>
<title>Keep "or group" when installing package to satisfy it</title>
<updated>2023-05-02T11:59:45Z</updated>
<author>
<name>Jacob Kauffmann</name>
<email>jacob@system76.com</email>
</author>
<published>2023-05-02T11:59:45Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=5f9552801139e6ea8d84db20692561b79cda6d00'/>
<id>urn:sha1:5f9552801139e6ea8d84db20692561b79cda6d00</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Address statements of public domain</title>
<updated>2023-03-06T09:57:55Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2023-02-27T16:58:33Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=d9039b2409e69e651bf0d7ba582dbf528086332d'/>
<id>urn:sha1:d9039b2409e69e651bf0d7ba582dbf528086332d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge branch 'pu/never-sections-matching' into 'main'</title>
<updated>2023-03-06T09:23:20Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2023-03-06T09:23:20Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=278f542caf92750aed06dae88f066fa01f3f09ac'/>
<id>urn:sha1:278f542caf92750aed06dae88f066fa01f3f09ac</id>
<content type='text'>
Fix permissions &amp;&amp; change section matching in config files to be more gitignore style rightmost match

See merge request apt-team/apt!286</content>
</entry>
<entry>
<title>Do not store trusted=yes Release file unconditionally</title>
<updated>2023-03-04T12:07:00Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2023-03-04T10:55:34Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=937221fde2a5ca989a0b80728cd3ba3639f9f20e'/>
<id>urn:sha1:937221fde2a5ca989a0b80728cd3ba3639f9f20e</id>
<content type='text'>
A source marked with trusted=yes can still fail verification of the
Release file, mostly for Date related issues, like being too new or too
old, which have other options to force them in.

The update code was not using the Release file (which was an InRelease
file but failed verification – which was overridden by trusted=yes) as
intended, but it marked it for storage, so that this "bad" Release file
would end up being moved into lists/, which is bad as the indexes it
refers to aren't updated while the next update run assumes that the
indexes are in the state the Release file claims them to be in.

Fixed simply by making the storage conditional on the usage as intended,
which also resolves a second issue: The verification can also detect that
a Release file we got is older than what we already have to avoid
downgrade attacks. The more likely explanation is a slightly outdated mirror
in a rotation/CDN though, so this gets the silent treatment to avoid
scaring users by handling it as if we had got the same Release file we
already have stored locally, removing the freshly received older file
in the process alongside setting some variables. Those variables were
already modified in the trusted=yes case though resulting in the stored
Release file being removed instead. Not modifying the variables too early
resolves this problem as well.

Both seem to exist since at least 2015 as traces are visible in 448c38bdcd
already, which shuffled lots of code around including the bad ones, but
as we are in trusted=yes land, security is of no concern here, this
"just" leads to failed pinning, hashsum mismatches and other strange
problems in follow-up calls depending on how out of sync the Release
file (if it's still present) is with the rest of the trusted data.

Reported-By: Dima Kogan &lt;dkogan@debian.org&gt; on IRC
Tested-By: Dima Kogan &lt;dkogan@debian.org&gt;
</content>
</entry>
<entry>
<title>Detect trimmed changelogs and pick online instead</title>
<updated>2023-03-03T16:51:05Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2023-01-28T21:17:44Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=acbfdf0533602a05de066aa86d1f756b5fe0f4a3'/>
<id>urn:sha1:acbfdf0533602a05de066aa86d1f756b5fe0f4a3</id>
<content type='text'>
We only check the start of these lines to avoid hard coding the exact
command and we pick 150 as maximum line length as the longest package
name on my system is apparently 75 characters long. We could choose
longer or shorter without much issue as over-length just means we
mishandle the rest of the line as a new line and it should be really
unlikely that a) lines are that long in this file and b) that such long
lines contain one of our trigger sequences – but even if, all we do is
start a download of an online file. Could be worse.

This auto-detection can be avoided by setting
Acquire::Changelogs::AlwaysOnline (or Origin specific sub options)
to "true" if you always want the changelog from an online source.
The reverse – setting it to "false" in the hope it would not get the
changelog from an online source – was not and is still not possible.

Closes: #1024457
</content>
</entry>
<entry>
<title>Use a more gitignore style matching</title>
<updated>2023-02-27T13:44:12Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2023-02-27T13:41:52Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=557aed9806b59bebac33f4589bafc25fcb8a2728'/>
<id>urn:sha1:557aed9806b59bebac33f4589bafc25fcb8a2728</id>
<content type='text'>
Use a rightmost match for / so that if we end up with a Section: a/b/c,
a 'c' matcher still matches.

If the section does not contain any /, it can be matched using /pattern,
e.g. /c only matches Section: c, but not Section: a/b/c.
</content>
</entry>
<entry>
<title>Merge branch 'feature/non-free-firmware' into 'main'</title>
<updated>2023-02-27T09:21:24Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2023-02-27T09:21:24Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=f98732f703601a8db67527b1b82f3296290f2dc1'/>
<id>urn:sha1:f98732f703601a8db67527b1b82f3296290f2dc1</id>
<content type='text'>
Support transition to new non-free-firmware component

See merge request apt-team/apt!282</content>
</entry>
<entry>
<title>Have values in Section config trees refer to them in all components</title>
<updated>2023-01-29T23:55:05Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2023-01-29T15:54:39Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=8aeb07448c09375c730c76a6baf31303b129bb96'/>
<id>urn:sha1:8aeb07448c09375c730c76a6baf31303b129bb96</id>
<content type='text'>
Hard coding each and every component is not only boring but given that
everyone is free to add or use more we end up in situations in which apt
behaves differently for the same binary package just because metadata
said it is in different components (e.g. non-free vs. non-free-firmware).
It is also probably not what the casual user would expect.

So we instead treat a value without a component as if it applies for all
of them. The previous behaviour can be restored by prefixing the value
with "&lt;undefined&gt;/" as in the component is not defined.

In an ideal world we would probably use "*/foo" for the new default
instead of changing the behaviour for "foo", but it seems rather
unlikely that the old behaviour is actually desired. All existing values
were duplicated for all (previously) known components in Debian and
Ubuntu.
</content>
</entry>
</feed>
