-rw-r--r--apt-pkg/contrib/gpgv.cc3
-rw-r--r--cmdline/apt-key.in20
-rw-r--r--doc/apt-key.8.xml32
-rw-r--r--methods/http.cc62
4 files changed, 61 insertions, 56 deletions
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index d956eaf00..28f3150c3 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -251,6 +251,9 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
setenv("APT_CONFIG", conf.get(), 1);
}
+ // Tell apt-key not to emit warnings
+ setenv("APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE", "1", 1);
+
if (releaseSignature == DETACHED)
{
auto detached = make_unique_FILE(FileGPG, "r");
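Review bot: The comment added above the new `setenv` call says what is silenced but not why, and the variable name alone reads like a general opt-out. Presumably this path is apt running apt-key itself for signature verification, so wording such as `// apt runs apt-key itself here; silence the script-usage/deprecation warnings aimed at external callers` would make the intent explicit. The return value of `setenv` is ignored, as for the `APT_CONFIG` call just above; from the visible lines, a failure would only make the warnings reappear. ExecGPGV begins and ends outside this hunk.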
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index e9187b423..baf3df5c3 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -671,10 +671,10 @@ prepare_gpg_home() {
# well as the script hopefully uses apt-key optionally then like e.g.
# debian-archive-keyring for (upgrade) cleanup did
if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ] && [ -z "$APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE" ]; then
- if ! dpkg-query --show --showformat '${Pre-Depends}${Depends}${Recommends}\n' "$DPKG_MAINTSCRIPT_PACKAGE" 2>/dev/null | grep -q gnupg; then
+ if ! dpkg-query --show --showformat '${Pre-Depends}${Depends}${Recommends}\n' "$DPKG_MAINTSCRIPT_PACKAGE" 2>/dev/null | grep -E -q 'gpg|gnupg'; then
cat >&2 <<EOF
Warning: The $DPKG_MAINTSCRIPT_NAME maintainerscript of the package $DPKG_MAINTSCRIPT_PACKAGE
-Warning: seems to use apt-key (provided by apt) without depending on gnupg or gnupg2.
+Warning: seems to use apt-key (provided by apt) without depending on gpg, gnupg, or gnupg2.
Warning: This will BREAK in the future and should be fixed by the package maintainer(s).
Note: Check first if apt-key functionality is needed at all - it probably isn't!
EOF
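Review bot: The widened pattern in `grep -E -q 'gpg|gnupg'` is an unanchored substring match, so any dependency whose name merely contains "gpg" (for example `gpgv` or a `libgpgme*` library) now suppresses the warning even though it does not provide the gpg binary. A narrower check such as `grep -E -q -w 'gpg|gnupg|gnupg2'` would reject those. It is still a heuristic: hyphenated names like `gpg-agent` pass `-w`, and the three fields are concatenated without a separator in the `--showformat` string. prepare_gpg_home starts and ends outside this hunk.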
@@ -740,8 +740,18 @@ warn_on_script_usage() {
# (Maintainer) scripts should not be using apt-key
if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
echo >&2 "Warning: apt-key should not be used in scripts (called from $DPKG_MAINTSCRIPT_NAME maintainerscript of the package ${DPKG_MAINTSCRIPT_PACKAGE})"
- elif [ ! -t 1 ]; then
- echo >&2 "Warning: apt-key output should not be parsed (stdout is not a terminal)"
+ fi
+
+ echo >&2 "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))."
+}
+
+warn_outside_maintscript() {
+ # In del, we want to warn in interactive use, but not inside maintainer
+ # scripts, so as to give people a chance to migrate keyrings.
+ #
+ # FIXME: We should always warn starting in 2022.
+ if [ -z "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
+ echo >&2 "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))."
fi
}
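Review bot: The new `warn_outside_maintscript` prints the deprecation warning without consulting `APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE`, although `prepare_gpg_home` honours that variable and this same commit sets it from gpgv.cc to keep apt-key quiet. A caller that exports the variable would therefore still get the warning from `apt-key del`; whether `warn_on_script_usage` returns early on it is decided above this hunk and not visible. Suggested condition: `if [ -z "$DPKG_MAINTSCRIPT_PACKAGE" ] && [ -z "$APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE" ]; then`. The deprecation text is also duplicated verbatim in both functions, and holding it in one variable would keep the two copies from drifting.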
@@ -760,6 +770,7 @@ case "$command" in
;;
del|rm|remove)
# no script warning here as removing 'add' usage needs 'del' for cleanup
+ warn_outside_maintscript
requires_root
foreach_keyring_do 'remove_key_from_keyring' "$@"
aptkey_echo "OK"
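Review bot: The existing comment `# no script warning here ...` is now directly followed by a call that does warn in interactive use, so it reads as contradicting the code. Rewording it to `# no warning inside maintainer scripts: removing 'add' usage needs 'del' for cleanup` would match the new behaviour of `warn_outside_maintscript`.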
@@ -772,6 +783,7 @@ case "$command" in
merge_back_changes
;;
net-update)
+ warn_on_script_usage
requires_root
setup_merged_keyring
net_update
diff --git a/doc/apt-key.8.xml b/doc/apt-key.8.xml
index 1ab4d784e..2c8c3f655 100644
--- a/doc/apt-key.8.xml
+++ b/doc/apt-key.8.xml
@@ -25,7 +25,7 @@
<!-- Man page title -->
<refnamediv>
<refname>apt-key</refname>
- <refpurpose>APT key management utility</refpurpose>
+ <refpurpose>Deprecated APT key management utility</refpurpose>
</refnamediv>
&synopsis-command-apt-key;
@@ -37,13 +37,15 @@
authenticated using these keys will be considered trusted.
</para>
<para>
- Note that if usage of <command>apt-key</command> is desired the additional
+ Use of <command>apt-key</command> is deprecated, except for the use of
+ <command>apt-key del</command> in maintainer scripts to remove existing
+ keys from the main keyring.
+ If such usage of <command>apt-key</command> is desired the additional
installation of the GNU Privacy Guard suite (packaged in
- <package>gnupg</package>) is required. For this reason alone the programmatic
- usage (especially in package maintainer scripts!) is strongly discouraged.
- Further more the output format of all commands is undefined and can and does
- change whenever the underlying commands change. <command>apt-key</command> will
- try to detect such usage and generates warnings on stderr in these cases.
+ <package>gnupg</package>) is required.
+ </para>
+ <para>
+ apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
</para>
</refsect1>
@@ -63,7 +65,7 @@
<refsect1><title>Commands</title>
<variablelist>
- <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option></term>
+ <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option> (deprecated)</term>
<listitem>
<para>
Add a new key to the list of trusted keys.
@@ -85,7 +87,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option></term>
+ <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option> (mostly deprecated)</term>
<listitem>
<para>
@@ -96,7 +98,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option></term>
+ <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option> (deprecated)</term>
<listitem>
<para>
@@ -107,7 +109,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>exportall</option></term>
+ <varlistentry><term><option>exportall</option> (deprecated)</term>
<listitem>
<para>
@@ -118,7 +120,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>list</option>, <option>finger</option></term>
+ <varlistentry><term><option>list</option>, <option>finger</option> (deprecated)</term>
<listitem>
<para>
@@ -129,7 +131,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>adv</option></term>
+ <varlistentry><term><option>adv</option> (deprecated)</term>
<listitem>
<para>
Pass advanced options to gpg. With <command>adv --recv-key</command> you
@@ -160,7 +162,7 @@
</listitem>
</varlistentry>
- <varlistentry><term><option>net-update</option></term>
+ <varlistentry><term><option>net-update</option> (deprecated)</term>
<listitem>
<para>
@@ -183,7 +185,7 @@
<refsect1><title>Options</title>
<para>Note that options need to be defined before the commands described in the previous section.</para>
<variablelist>
- <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option></term>
+ <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option> (deprecated)</term>
<listitem><para>With this option it is possible to specify a particular keyring
file the command should operate on. The default is that a command is executed
on the <filename>trusted.gpg</filename> file as well as on all parts in the
diff --git a/methods/http.cc b/methods/http.cc
index 1d2c41337..9cfc91330 100644
--- a/methods/http.cc
+++ b/methods/http.cc
@@ -94,6 +94,7 @@ void CircleBuf::Reset()
is non-blocking.. */
bool CircleBuf::Read(std::unique_ptr<MethodFd> const &Fd)
{
+ size_t ReadThisCycle = 0;
while (1)
{
// Woops, buffer is full
@@ -131,7 +132,7 @@ bool CircleBuf::Read(std::unique_ptr<MethodFd> const &Fd)
CircleBuf::BwTickReadData += Res;
if (Res == 0)
- return false;
+ return ReadThisCycle != 0;
if (Res < 0)
{
if (errno == EAGAIN)
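Review bot: The `Res == 0` branch now reports end-of-stream as success whenever an earlier iteration of the same call read data, so the caller only learns of the close on a later call that reads nothing, and that contract is not documented in the visible lines. A comment at the return, e.g. `// EOF: fail only if this call read nothing, so data already buffered is processed before the close is reported`, plus a sentence in the function's header comment about the return value, would cover it. This relies on the descriptor returning 0 again on the next read, which is worth confirming for every MethodFd implementation. The counter is declared and updated in the neighbouring hunks (`size_t ReadThisCycle = 0;` and `ReadThisCycle += Res;`); the function body extends beyond each of them.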
@@ -140,6 +141,7 @@ bool CircleBuf::Read(std::unique_ptr<MethodFd> const &Fd)
}
InP += Res;
+ ReadThisCycle += Res;
}
}
/*}}}*/
@@ -204,8 +206,6 @@ bool CircleBuf::Write(std::unique_ptr<MethodFd> const &Fd)
ssize_t Res;
Res = Fd->Write(Buf + (OutP % Size), LeftWrite());
- if (Res == 0)
- return false;
if (Res < 0)
{
if (errno == EAGAIN)
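Review bot: With the `Res == 0` return removed, a zero-byte result from `Fd->Write` has no exit in the visible lines: the `Res < 0` check does not fire and the counters advance by zero. If this code sits in a `while (1)` loop like the one in Read (the loop header is outside the hunk), a descriptor that keeps returning 0 for a non-empty segment would spin without progress. Either add a comment stating why 0 cannot occur here, or treat it as try-again-later with `if (Res == 0) return true;`, assuming the caller re-enters via select.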
@@ -215,7 +215,7 @@ bool CircleBuf::Write(std::unique_ptr<MethodFd> const &Fd)
}
TotalWriten += Res;
-
+
if (Hash != NULL)
Hash->Add(Buf + (OutP%Size),Res);
@@ -700,26 +700,18 @@ ResultState HttpServerState::Die(RequestState &Req)
{
unsigned int LErrno = errno;
+ Close();
+
// Dump the buffer to the file
if (Req.State == RequestState::Data)
{
- if (Req.File.IsOpen() == false)
- return ResultState::SUCCESSFUL;
// on GNU/kFreeBSD, apt dies on /dev/null because non-blocking
// can't be set
if (Req.File.Name() != "/dev/null")
SetNonBlock(Req.File.Fd(),false);
- while (In.WriteSpace() == true)
- {
- if (In.Write(MethodFd::FromFd(Req.File.Fd())) == false)
- {
- _error->Errno("write", _("Error writing to the file"));
- return ResultState::TRANSIENT_ERROR;
- }
-
- // Done
- if (In.IsLimit() == true)
- return ResultState::SUCCESSFUL;
+ if (In.WriteSpace()) {
+ _error->Error(_("Data left in buffer"));
+ return ResultState::TRANSIENT_ERROR;
}
}
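Review bot: Removing the `Req.File.IsOpen() == false` early return means `Req.File.Name()` and `SetNonBlock(Req.File.Fd(),false)` are now reached for a request whose file is not open, so the descriptor passed may be invalid. Since Die no longer writes the buffer to the file, the switch to blocking mode looks unnecessary; either drop those lines together with the kFreeBSD comment, or guard them with `if (Req.File.IsOpen() && Req.File.Name() != "/dev/null")`. The new `if (In.WriteSpace()) {` also uses a same-line brace where the surrounding code puts braces on their own line. The function continues past this hunk.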
@@ -727,7 +719,6 @@ ResultState HttpServerState::Die(RequestState &Req)
if (In.IsLimit() == false && Req.State != RequestState::Header &&
Persistent == true)
{
- Close();
if (LErrno == 0)
{
_error->Error(_("Error reading from server. Remote end closed connection"));
@@ -746,7 +737,6 @@ ResultState HttpServerState::Die(RequestState &Req)
return ResultState::TRANSIENT_ERROR;
// We may have got multiple responses back in one packet..
- Close();
return ResultState::SUCCESSFUL;
}
@@ -793,13 +783,11 @@ ResultState HttpServerState::Go(bool ToFile, RequestState &Req)
ToFile == false))
return ResultState::TRANSIENT_ERROR;
- // Handle server IO
- if (ServerFd->HasPending() && In.ReadSpace() == true)
- {
- errno = 0;
- if (In.Read(ServerFd) == false)
- return Die(Req);
- }
+ // Record if we have data pending to read in the server, so that we can
+ // skip the wait in select(). This can happen if data has already been
+ // read into a methodfd's buffer - the TCP queue might be empty at that
+ // point.
+ bool ServerPending = ServerFd->HasPending();
fd_set rfds,wfds;
FD_ZERO(&rfds);
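Review bot: `ServerPending` drops the `In.ReadSpace() == true` condition that the removed block had, and the later hunks use it to set the select timeout to 0 and to call `In.Read(ServerFd)`. When the input buffer is full while the MethodFd still holds buffered data, each pass would skip the wait without being able to read; if the file side cannot drain at that moment, this looks like a busy loop, which is worth confirming. `const bool ServerPending = In.ReadSpace() && ServerFd->HasPending();` would preserve the old precondition. Go starts and ends outside this hunk.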
@@ -831,7 +819,7 @@ ResultState HttpServerState::Go(bool ToFile, RequestState &Req)
// Select
struct timeval tv;
- tv.tv_sec = TimeOut;
+ tv.tv_sec = ServerPending ? 0 : TimeOut;
tv.tv_usec = 0;
int Res = 0;
if ((Res = select(MaxFd+1,&rfds,&wfds,0,&tv)) < 0)
@@ -842,27 +830,20 @@ ResultState HttpServerState::Go(bool ToFile, RequestState &Req)
return ResultState::TRANSIENT_ERROR;
}
- if (Res == 0)
+ if (Res == 0 && not ServerPending)
{
_error->Error(_("Connection timed out"));
- return Die(Req);
+ return ResultState::TRANSIENT_ERROR;
}
// Handle server IO
- if (ServerFd->Fd() != -1 && FD_ISSET(ServerFd->Fd(), &rfds))
+ if (ServerPending || (ServerFd->Fd() != -1 && FD_ISSET(ServerFd->Fd(), &rfds)))
{
errno = 0;
if (In.Read(ServerFd) == false)
return Die(Req);
}
- if (ServerFd->Fd() != -1 && FD_ISSET(ServerFd->Fd(), &wfds))
- {
- errno = 0;
- if (Out.Write(ServerFd) == false)
- return Die(Req);
- }
-
// Send data to the file
if (FileFD->Fd() != -1 && FD_ISSET(FileFD->Fd(), &wfds))
{
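Review bot: The timeout branch now returns `ResultState::TRANSIENT_ERROR` directly instead of going through `Die(Req)`, and in this commit `Close()` is called at the top of Die, so this path leaves the server connection open unless the caller closes it on a transient error. That caller is not visible here; if it does not, add `Close();` before the return, and otherwise add a short comment saying where the close happens. The condition is written `not ServerPending`, while the surrounding lines use the `== false` form.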
@@ -873,6 +854,13 @@ ResultState HttpServerState::Go(bool ToFile, RequestState &Req)
}
}
+ if (ServerFd->Fd() != -1 && FD_ISSET(ServerFd->Fd(), &wfds))
+ {
+ errno = 0;
+ if (Out.Write(ServerFd) == false)
+ return Die(Req);
+ }
+
if (Req.MaximumSize > 0 && Req.File.IsOpen() && Req.File.Failed() == false && Req.File.Tell() > Req.MaximumSize)
{
Owner->SetFailReason("MaximumSizeExceeded");