Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.2.1 2021-03-01T20:43:54Z 2021-03-01T20:43:54Z Julian Andres Klode julian.klode@canonical.com 2021-03-01T20:43:03Z urn:sha1:0d51cf142884801c903df0cddaec5545f0174553 Conflicts do require removing the package temporarily, so they really should not be used. We need to improve that eventually such that we can deconfigure packages when we have to remove their dependencies due to conflicts. 2021-02-23T18:10:29Z Julian Andres Klode julian.klode@canonical.com 2021-02-23T17:23:30Z urn:sha1:f8ff3afcd42d8b2e6506bc6f44a894149bf87442 dpkg will be changed in 1.20.8 to not require --force-remove for deconfiguration anymore, but we want to decouple our changes from the dpkg ones, so let's always pass --force-remove-protected when installing packages such that we can deconfigure protected packages. Closes: #983014 2021-02-09T22:49:31Z Julian Andres Klode julian.klode@canonical.com 2021-02-09T22:49:31Z urn:sha1:ea114447ee44908c75f4ddc19a0521260832668d Gbp-Dch: ignore 2021-02-09T22:33:47Z Julian Andres Klode julian.klode@canonical.com 2021-02-09T22:29:05Z urn:sha1:6284c8221da94ab6b4262795e6a7990fc3655848 We ignored the failure from strtoul() that those test cases had values out of range, hence they passed before, but now failed on 32-bit platforms because we use strtoull() and do the limit check ourselves. Move the tarball generator for test-github-111-invalid-armember to the createdeb helper, and fix the helper to set all the numbers for like uid and stuff to 0 instead of the maximum value the fields support (all 7s). Regression-Of: e0743a85c5f5f2f83d91c305450e8ba192194cd8 2021-02-04T10:00:00Z David Kalnischkies david@kalnischkies.de 2021-02-04T08:38:01Z urn:sha1:131d0e3a261076da715102cb79275988cac810d1 The grep for case-insensitive GPG finds also e.g. "/tmp/tmp.Kc5kKgPg0D" which is not the intention, so we simply eliminate the variation of the /tmp directory here from the output to prevent these false positives. Gbp-Dch: Ignore 2021-02-03T16:43:13Z David Kalnischkies david@kalnischkies.de 2021-02-03T16:40:05Z urn:sha1:c4da2ff42da55ffc38c77a9170dc151216d75962 Our configuration files are not security relevant, but having a parser which avoids crashing on them even if they are seriously messed up is not a bad idea anyway. It is also a good opportunity to brush up the code a bit avoiding a few small string copies with our string_view. 2021-02-03T16:36:46Z David Kalnischkies david@kalnischkies.de 2020-05-13T07:07:19Z urn:sha1:e0743a85c5f5f2f83d91c305450e8ba192194cd8 strtoul(l) surprises us with parsing negative values which should not exist in the places we use to parse them, so we can just downright refuse them rather than trying to work with them by having them promoted to huge positive values. 2021-02-03T16:36:45Z David Kalnischkies david@kalnischkies.de 2020-12-03T09:44:27Z urn:sha1:ed192f410da36aedf5e54bb3f967e6613ab4bb51 This has no attack surface though as the loop is to end very soon anyhow and the method only used while reading CD-ROM mountpoints which seems like a very unlikely attack vector… 2021-02-03T16:36:45Z David Kalnischkies david@kalnischkies.de 2020-12-03T09:41:43Z urn:sha1:10f13938bbf1474451fadcd62e1c31c4b5f5b3d7 For \xff and friends with the highest bit set and hence being a negative value on signed char systems the wrong encoding is produced as we run into undefined behaviour accessing negative array indexes. We can avoid this problem simply by using an unsigned data type. 2021-02-03T16:36:45Z David Kalnischkies david@kalnischkies.de 2020-12-03T09:35:29Z urn:sha1:1b3ad3891465f8b72bcedfb4edd513cb74eec7f3 References: 2497198e9599a6a8d4d0ad08627bcfc7ea49c644 Gbp-Dch: Ignore