apt/test/integration, branch 1.8.0Debians commandline package managerhttps://git.kalnischkies.de/apt/atom?h=1.8.02019-03-03T20:52:40ZAdd explicit message for unsupported binary signature2019-03-03T20:52:40ZDavid Kalnischkiesdavid@kalnischkies.de2019-03-03T18:41:42Zurn:sha1:3e3638dc9389591cfd30baa6c41d85c31127402a
Verifying the content of Release.gpg made us fail on binary signatures
which were never officially supported (apt-secure manpage only documents
only the generation of ASCII armored), but silently accepted by gpgv as
we passed it on unchecked before.
The binary format is complex and is itself split into old and new
formats so adding support for this would not only add lots of code but
also a good opportunity for bugs and dubious benefit.
Reporting this issue explicitly should help repository creators figure
out the problem faster than the default NODATA message hinting at
captive portals.
Given that the binary format has no file magic or any other clear and
simple indication that this is a detached signature we guess based on
the first two bits only – and by that only supporting the "old" binary
format which seems to be the only one generated by gnupg in this case.
References: e2965b0b6bdd68ffcad0e06d11755412a7e16e50
Closes: #921685
Fix various typos in the documentation2019-02-10T12:16:27ZJakub Wilkjwilk@jwilk.net2019-02-10T11:51:30Zurn:sha1:9a702b150c8ddeafa8c10c9f120dafdeb08ef93bMerge branch 'pu/dead-pin' into 'master'2019-02-04T12:44:08ZJulian Andres Klodejak@debian.org2019-02-04T12:44:08Zurn:sha1:3a015964dd56edf897ee062b2eafa2cfc0584380
A pin of -32768 overrides any other, disables repo
See merge request apt-team/apt!40Add a Packages-Require-Authorization Release file field2019-02-01T16:52:03ZJulian Andres Klodejulian.klode@canonical.com2019-02-01T13:43:52Zurn:sha1:c2b9b0489538fed4770515bd8853a960b13a2618
This new field allows a repository to declare that access to
packages requires authorization. The current implementation will
set the pin to -32768 if no authorization has been provided in
the auth.conf(.d) files.
This implementation is suboptimal in two aspects:
(1) A repository should behave more like NotSource repositories
(2) We only have the host name for the repository, we cannot use
paths yet.
- We can fix those after an ABI break.
The code also adds a check to acquire-item.cc to not use the
specified repository as a download source, mimicking NotSource.
Introduce experimental 'never' pinning for sources2019-02-01T16:51:35ZJulian Andres Klodejulian.klode@canonical.com2018-12-18T13:50:25Zurn:sha1:8bb2a91a070170d7d8e71206d1c66a26809bdbc3
This allows disabling a repository by pinning it to 'never',
which is internally translated to a value of -32768 (or whatever
the minimum of short is).
This overrides any other pin for that repository. It can be used
to make sure certain sources are never used; for example, in
unattended-upgrades.
To prevent semantic changes to existing files, we substitute
min + 1 for every pin-priority: <min>. This is a temporary
solution, as we are waiting for an ABI break.
To add pins with that value, the special Pin-Priority
"never" may be used for now. It's unclear if that will
persist, or if the interface will change eventually.
Merge branch 'pu/refuseunsignedlines' into 'master'2019-02-01T14:40:06ZJulian Andres Klodejak@debian.org2019-02-01T14:40:06Zurn:sha1:d5dcc2e9d3008b57c3fae0bcb5b1c2a197f5430c
Fail if InRelease or Release.gpg contain unsigned lines
See merge request apt-team/apt!45Step over empty sections in TagFiles with comments2019-02-01T13:51:56ZDavid Kalnischkiesdavid@kalnischkies.de2019-02-01T13:51:56Zurn:sha1:5caa8cac3bc0ffa8b5360f3e5d5c84e710eb394b
Implementing a parser with recursion isn't the best idea, but in
practice we should get away with it for the time being to avoid
needless codechurn.
Closes: #920317 #921037
Merge and reuse tmp file handling across the board2019-01-23T23:33:16ZDavid Kalnischkiesdavid@kalnischkies.de2019-01-23T21:50:45Zurn:sha1:73e3459689c05cd62f15c29d2faddb0fc215ef5e
Having many rather similar implementations especially if one is exported
while others aren't (and the rest of it not factored out at all) seems
suboptimal.
Fail on non-signature lines in Release.gpg2019-01-23T21:48:16ZDavid Kalnischkiesdavid@kalnischkies.de2019-01-23T19:50:29Zurn:sha1:e2965b0b6bdd68ffcad0e06d11755412a7e16e50
The exploit for CVE-2019-3462 uses the fact that a Release.gpg file can
contain additional content beside the expected detached signature(s).
We were passing the file unchecked to gpgv which ignores these extras
without complains, so we reuse the same line-reading implementation we
use for InRelease splitting to detect if a Release.gpg file contains
unexpected data and fail in this case given that we in the previous
commit we established that we fail in the similar InRelease case now.
Fail instead of warn for unsigned lines in InRelease2019-01-23T18:10:47ZDavid Kalnischkiesdavid@kalnischkies.de2019-01-23T16:47:49Zurn:sha1:3734cceb44b02ca4d5ee3c6f5cbfe1e12f17cffb
The warnings were introduced 2 years ago without any reports from the
wild about them actually appearing for anyone, so now seems to be an as
good time as any to switch them to errors.
This allows rewritting the code by failing earlier instead of trying to
keep going which makes the diff a bit hard to follow but should help
simplifying reasoning about it.
References: 6376dfb8dfb99b9d182c2fb13aa34b2ac89805e3