apt/methods, branch 1.2.7

apt/methods, branch 1.2.7 Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.2.7 2016-03-15T11:33:21Z methods/gpgv: Warn about SHA1 (and RIPEMD-160) 2016-03-15T11:33:21Z Julian Andres Klode jak@debian.org 2016-03-15T11:30:37Z urn:sha1:07ea3af0fe55fdfe976ab847c5c88efd703d1282 We will drop support for those in the future. Also adjust the std::array to be a std::vector, as that's easier to maintain. apt-pkg/acquire-worker.cc: Introduce 104 Warning message 2016-03-15T11:33:21Z Julian Andres Klode jak@debian.org 2016-03-15T10:40:10Z urn:sha1:8c9b7725c3d89461e78061aff4bc644cdb237fe7 This can be used by workers to send warnings to the main program. The messages will be passed to _error->Warning() by APT with the URI prepended. We are not going to make that really public now, as the interface might change a bit. methods/gpgv: Correctly handle weak signatures with multiple keys 2016-03-15T11:33:21Z Julian Andres Klode jak@debian.org 2016-03-15T09:56:05Z urn:sha1:08fd77e83528fd03795524adf76e359ae2b56e06 We added weak signatures to BadSigners, meaning that a Release file signed by both a weak signature and a strong signature would be rejected; preventing people from migrating from DSA to RSA keys in a sane way. Instead of using BadSigners, treat weak signatures like expired keys: They are no good signatures, and they are worthless. Gbp-Dch: ignore methods/gpgv: Reject weak digest algorithms 2016-03-14T14:37:05Z Julian Andres Klode jak@debian.org 2016-03-14T14:35:14Z urn:sha1:d91051242d10ada198b4ed59d59ad4aa8f59bcaf This keeps a list of weak digest algorithms. For now, only MD5 is disabled, as SHA1 breaks to many repos. Revert "Handle ERRSIG in the gpgv method like BADSIG" 2016-03-14T13:44:38Z Julian Andres Klode jak@debian.org 2016-03-14T13:44:33Z urn:sha1:0d80586a67622d4d58908fee41c3be8a6813d426 This reverts commit 76a71a1237d22c1990efbc19ce0e02aacf572576. That commit broke the test suite. Gbp-Dch: ignore Handle ERRSIG in the gpgv method like BADSIG 2016-03-14T13:23:50Z Julian Andres Klode jak@debian.org 2016-03-14T13:23:50Z urn:sha1:76a71a1237d22c1990efbc19ce0e02aacf572576 ERRSIG is created whenever a key uses an unknown/weak digest algorithm, for example. This allows us to report a more useful error than just "unknown apt-key error.": The following signatures were invalid: ERRSIG 13B00F1FD2C19886 1 2 01 1457609403 5 While still not being the best reportable error message, it's better than unknown apt-key error and hopefully redirects users to complain to their repository owners. rred: If there were I/O errors, fail 2016-02-04T16:56:27Z Julian Andres Klode jak@debian.org 2016-02-04T16:56:27Z urn:sha1:610e13842a3718128c03454c5dfcbde49d323281 We basically ignored errors from writing and flushing, let's not do that. act on various suggestions from cppcheck 2016-01-26T14:32:15Z David Kalnischkies david@kalnischkies.de 2016-01-25T21:13:52Z urn:sha1:2651f1c071927b7fc440ec7a638ecad7ccf04a2e Reported-By: cppcheck Git-Dch: Ignore Only enable pipelining if server is HTTP/1.1 2016-01-12T22:40:59Z Julian Andres Klode jak@debian.org 2016-01-12T14:18:12Z urn:sha1:b6d88f39aceda2e093e1bf8751f07236b7d9e483 Just enabling it for anyone breaks with HTTP/1.0 servers and proxies sometimes. Closes: #810796 allow pdiff bootstrap from all supported compressors 2016-01-08T14:40:01Z David Kalnischkies david@kalnischkies.de 2016-01-05T23:05:24Z urn:sha1:4e3c5633b1e74b4f58b95f339cfbbf4cbf21ab3e There is no reason to enforce that the file we start the bootstrap with is compressed with a compressor which is available online. This allows us to change the on-disk format as well as deals with repositories adding/removing support for a specific compressor.