apt/methods, branch 1.5

apt/methods, branch 1.5 Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.5 2017-07-26T17:09:04Z allow the auth.conf to be root:root owned 2017-07-26T17:09:04Z David Kalnischkies david@kalnischkies.de 2017-07-07T20:21:44Z urn:sha1:881ec045b6660e2fe0c6953720260e380ceeeb99 Opening the file before we drop privileges in the methods allows us to avoid chowning in the acquire main process which can apply to the wrong file (imagine Binary scoped settings) and surprises users as their permission setup is overridden. There are no security benefits as the file is open, so an evil method could as before read the contents of the file, but it isn't worse than before and we avoid permission problems in this setup. lookup login info for proxies in auth.conf 2017-07-26T17:09:04Z David Kalnischkies david@kalnischkies.de 2017-07-07T19:59:01Z urn:sha1:6291fa81da6ed4c32d0dde33fa559cd155faff11 On HTTP Connect we since recently look into the auth.conf file for login information, so we should really look for all proxies into the file as the argument is the same as for sources entries and it is easier to document (especially as the manpage already mentions it as supported). reimplement and document auth.conf 2017-07-26T17:09:04Z David Kalnischkies david@kalnischkies.de 2017-07-07T14:24:21Z urn:sha1:ea408c560ed85bb4ef7cf8f72f8463653501332c We have support for an netrc-like auth.conf file since 0.7.25 (closing 518473), but it was never documented in apt that it even exists and netrc seems to have fallen out of usage as a manpage for it no longer exists making the feature even more arcane. On top of that the code was a bit of a mess (as it is written in c-style) and as a result the matching of machine tokens to URIs also a bit strange by checking for less specific matches (= without path) first. We now do a single pass over the stanzas. In practice early adopters of the undocumented implementation will not really notice the differences and the 'new' behaviour is simpler to document and more usual for an apt user. Closes: #811181 fail early in http if server answer is too small as well 2017-07-26T17:07:56Z David Kalnischkies david@kalnischkies.de 2017-07-26T16:35:42Z urn:sha1:f2f8e89f08cdf01c83a0b8ab053c65329d85ca90 Failing on too much data is good, but we can do better by checking for exact filesizes as we know with hashsums how large a file should be, so if we get a file which has a size we do not expect we can drop it directly, regardless of if the file is larger or smaller than what we expect which should catch most cases which would end up as hashsum errors later now a lot sooner. fail earlier if server answers with too much data 2017-07-26T17:07:56Z David Kalnischkies david@kalnischkies.de 2017-07-24T12:30:41Z urn:sha1:d7518dba50e2285c41c7002a1d86f876401fd9ea We tend to operate on rather large static files, which means we usually get Content-Length information from the server. If we combine this information with the filesize we are expecting (factoring in pipelining) we can avoid reading a bunch of data we are ending up rejecting anyhow by just closing the connection saving bandwidth and time both for the server as well as the client. don't try to parse all fields starting with HTTP as status-line 2017-07-26T17:07:56Z David Kalnischkies david@kalnischkies.de 2017-07-24T07:45:51Z urn:sha1:1c5f13d489688e5fbbcdd3d0d2dd766769639939 It is highly unlikely to encounter fields which start with HTTP in practice, but we should really be a bit more restrictive here. Reformat and sort all includes with clang-format 2017-07-12T11:57:51Z Julian Andres Klode jak@debian.org 2017-07-12T11:40:41Z urn:sha1:87274d0f22e1dfd99b2e5200e2fe75c1b804eac3 This makes it easier to see which headers includes what. The changes were done by running git grep -l '#\s*include' \ | grep -E '.(cc|h)$' \ | xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/' To modify all include lines by adding a space, and then running ./git-clang-format.sh. methods/aptmethod.h: Add missing fileutl.h include 2017-07-12T11:56:05Z Julian Andres Klode jak@debian.org 2017-07-12T11:50:31Z urn:sha1:78fcdd9629022c0c37742614351f5b02fed97607 Stop bragging about old speeds in http.cc comments 2017-07-03T13:47:22Z Julian Andres Klode jak@debian.org 2017-07-03T13:47:22Z urn:sha1:239d0088142c986628305b56764b5f2b7c83bab2 That's just ridiculous these days. Gbp-Dch: ignore don't set ip addresses as server names for SNI 2017-07-03T13:06:26Z David Kalnischkies david@kalnischkies.de 2017-06-30T11:10:03Z urn:sha1:405189f2a794ded622a4ae3a83a9b70917faf894 It is kinda unlikely that apt will ever encounter a certificate for an IP and a user actually using it, but the API documentation for gnutls_server_name_set explicitly says that "IPv4 or IPv6 addresses are not permitted to be set by this function.", so we should follow it. [jak@d.o: Slightly rebased]