apt/test/integration, branch 1.8.0_beta1 Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.8.0_beta1 2019-01-22T15:02:36Z Merge branch 'pu/gpgvsignedby' into 'master' 2019-01-22T15:02:36Z Julian Andres Klode jak@debian.org 2019-01-22T15:02:36Z urn:sha1:690bc2923814b3620ace1ffcb710603f81fa217f Report keys used to sign file from gpgv method to acquire system See merge request apt-team/apt!44 SECURITY UPDATE: content injection in http method (CVE-2019-3462) 2019-01-22T11:50:59Z Julian Andres Klode julian.klode@canonical.com 2019-01-18T08:13:52Z urn:sha1:5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353 Communicate back which key(s) were used for signing 2019-01-22T11:24:22Z David Kalnischkies david@kalnischkies.de 2018-09-11T23:44:18Z urn:sha1:7bf533967fb385b9625a1ee4dd7c6542a84b489c Telling the acquire system which keys caused the gpgv method to succeed allows us for now just a casual check if the gpgv method really executed catching bugs like CVE-2018-0501, but we will make use of the information for better features in the following commits. Refactor internal Signers information storage in gpgv 2019-01-22T11:24:22Z David Kalnischkies david@kalnischkies.de 2018-09-11T14:45:06Z urn:sha1:6b01cd087e6f92c5511fe6eea73699e075aa699a Having a method take a bunch of string vectors is bad style, so we change this to a wrapping struct and adapt the rest of the code brushing it up slightly in the process, which results even in a slightly "better" debug output, no practical change otherwise. Gbp-Dch: Ignore Merge branch 'pu/dpkg-path' into 'master' 2018-12-10T17:35:33Z Julian Andres Klode jak@debian.org 2018-12-10T17:35:33Z urn:sha1:d57834a36e6adebbad28819360a984819995b376 Set PATH=/usr/sbin:/usr/bin:/sbin:/bin when running dpkg See merge request apt-team/apt!38 Set PATH=/usr/sbin:/usr/bin:/sbin:/bin when running dpkg 2018-12-10T16:31:24Z Julian Andres Klode julian.klode@canonical.com 2018-12-10T15:52:59Z urn:sha1:806e94dcd8dbdf7bf1909657fd4331cfe17b4ab0 This avoids a lot of problems from local installations of scripting languages and other stuff in /usr/local for which maintainer scripts are not prepared. [v3: Inherit PATH during tests, check overrides work] [v2: Add testing] Add support for /etc/apt/auth.conf.d/*.conf (netrcparts) 2018-12-04T16:48:41Z Julian Andres Klode julian.klode@canonical.com 2018-12-03T16:39:03Z urn:sha1:bbfcc05c1978decd28df9681fd73e2a7d9a8c2a5 This allows us to install matching auth files for sources.list.d files, for example; very useful. This converts aptmethod's authfd from one FileFd to a vector of pointers to FileFd, as FileFd cannot be copied, and move operators are hard. Merge branch 'bugfix/spaceinconfig' into 'master' 2018-12-04T11:53:05Z Julian Andres Klode jak@debian.org 2018-12-04T11:53:05Z urn:sha1:b9d405d4074bb1de10e869038fe9685bf660fd16 Use quoted tagnames in config dumps See merge request apt-team/apt!32 Provide a "autopurge" shortcut 2018-12-03T16:21:39Z Julian Andres Klode julian.klode@canonical.com 2018-12-03T08:19:46Z urn:sha1:14535446557cb8b4125e7badc5e67a9f7790ab53 This adds a new "autopurge" command that will is a shortcut for "autoremove --purge" Thanks: Michael Vogt for the initial work test-pdiff-usage: make transaction failure test case more robust 2018-12-03T16:21:39Z Julian Andres Klode julian.klode@canonical.com 2018-12-03T08:16:20Z urn:sha1:f35601e5d2b9fe8b99c6178cb9b160f1a42f432f Try 10 times in a row