Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.6_alpha2 2017-09-26T17:32:15Z 2017-09-26T17:32:15Z David Kalnischkies david@kalnischkies.de 2017-09-26T17:27:30Z urn:sha1:f3e34838d95132e5f318e85525326decbfb19e36 APT connects just fine to any .onion address given, only if the connect fails somehow it will perform checks on the sanity of which in this case is checking the length as they are well defined and as the strings are arbitrary a user typing them easily mistypes which apt should can be slightly more helpful in figuring out by saying the onion hasn't the required length. 2017-07-12T11:57:51Z Julian Andres Klode jak@debian.org 2017-07-12T11:40:41Z urn:sha1:87274d0f22e1dfd99b2e5200e2fe75c1b804eac3 This makes it easier to see which headers includes what. The changes were done by running git grep -l '#\s*include' \ | grep -E '.(cc|h)$' \ | xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/' To modify all include lines by adding a space, and then running ./git-clang-format.sh. 2017-07-03T13:06:26Z David Kalnischkies david@kalnischkies.de 2017-06-30T11:10:03Z urn:sha1:405189f2a794ded622a4ae3a83a9b70917faf894 It is kinda unlikely that apt will ever encounter a certificate for an IP and a user actually using it, but the API documentation for gnutls_server_name_set explicitly says that "IPv4 or IPv6 addresses are not permitted to be set by this function.", so we should follow it. [jak@d.o: Slightly rebased] 2017-07-03T13:06:26Z Julian Andres Klode jak@debian.org 2017-07-03T12:33:15Z urn:sha1:f3b9e58cc5e6878daff9cf127bd00587d1f715d3 This makes more sense. If the handshake failed midway, we still should run the gnutls bye stuff. The thinking here is to only set the fd after the session setup, as we do not modify it before, so if it fails in session setup, you retain a usable file descriptor. Gbp-Dch: ignore 2017-07-03T13:06:26Z Julian Andres Klode jak@debian.org 2017-07-03T12:31:41Z urn:sha1:55673e5476f86ffae8969bfc3a47237f3eeb7720 This probably makes more sense if Verify-Peer is set to off. 2017-07-03T13:06:26Z Julian Andres Klode jak@debian.org 2017-07-03T12:29:37Z urn:sha1:a742bac161759e2b265a4d4d5f5527f6035d8e58 This should make it easier to figure out what was going on. 2017-07-01T13:51:55Z Julian Andres Klode jak@debian.org 2017-07-01T13:51:55Z urn:sha1:9a34c8557ac02e691bc66a5313103569a5e646ac We can actually just pass null as a hostname, so let's just do that when Verify-Host is set to false. 2017-06-30T15:20:21Z Julian Andres Klode jak@debian.org 2017-06-30T15:20:21Z urn:sha1:6a0e7acbf01e22665d89a9c6556f3a8220a78756 Silently ignoring the options might be a security issue, so produce an error instead. 2017-06-30T15:12:11Z Julian Andres Klode jak@debian.org 2017-06-30T15:12:11Z urn:sha1:8f5db6b513b90b6ee5b625131a25b146fa912e0d If gnutls_session_bye() exited with an error, we never closed the underlying file descriptor, causing the method to think the connection was still open. This caused problems especially in test-partial-file-support where we checked that a "complete" file and an incomplete file work. The first GET returns a 416 with Connection: close, and the next GET request then accidentally reads the body of the 416 as the header for its own request. 2017-06-30T12:57:54Z Julian Andres Klode jak@debian.org 2017-06-30T11:51:32Z urn:sha1:4b1d19fe5619ef46c952ca84531759a981741482 This is especially needed if we use an HTTPS proxy to CONNECT to an HTTPS URI, as we run TLS-inside-TLS then.