path: root/apt-pkg/acquire-item.cc
Commit message [Author, Age, Files, Lines]
* Merge remote-tracking branch 'mvo/bugfix/coverity' into debian/sid [Michael Vogt, 2013-08-22, 1, -0/+2]
|\
| |   Conflicts: apt-pkg/tagfile.h
| * some more coverity fixes [Michael Vogt, 2013-08-12, 1, -0/+2]
| |
* | fix: --print-uris removes authentication [David Kalnischkies, 2013-08-12, 1, -4/+27]
|/
|   The constructors of our (clear)sign-acquire-items move a pre-existent file for error-recovery away, which gets restored or discarded later as the acquire progresses, but --print-uris never really starts the acquire process, so the files aren't restored (as they should).
|   To fix this both get a destructor which checks for signs of acquire doing anything and if it hasn't the file is restored.
|   Note that these virtual destructors theoretically break the API, but only with classes extending the sign-acquire-items and nobody does this, as it would be insane for library users to fiddle with Acquire internals – and these classes are internals.
|   Closes: 719263
* pick up Translation-* even if only compressed available [David Kalnischkies, 2013-07-25, 1, -2/+13]
|   On CD-ROMs Translation-* files are only in compressed form included in the Release file. This used to work while we had no record of Translation-* files in the Release file at all as APT would have just guessed the (compressed) filename and accepted it (unchecked), but now that it checks for the presence of entries and if it finds records it expects the uncompressed to be verifiable.
|   This commit relaxes this requirement again to fix the regression. We are still secure "enough" as we can validate the compressed file we have downloaded, so we don't lose anything by not requiring a hashsum for the uncompressed files to double-check them.
|   Closes: 717665
* do not redownload unchanged InRelease files [David Kalnischkies, 2013-06-20, 1, -1/+12]
|   Before we download the 'new' InRelease file the old file will be moved out of the way with the name 'foobar_InRelease.reverify', so if no partial file for the 'new' file exists take the modification time from this reverify file, so that if we get an IMS hit for the InRelease file we can move back the reverify file as new file rather than downloading the 'new' file even though we already have it.
|   We do the same for Release files and this happened to work until the reverify renaming was corrected for InRelease files.
* Fix English spelling error in a message ('A error'). Unfuzzy [bubulle@debian.org, 2013-04-10, 1, -1/+1]
|   translations. Closes: #705087
* merged bundle from david [Michael Vogt, 2013-04-08, 1, -2/+2]
|\
| * various simple changes to fix cppcheck warnings [David Kalnischkies, 2013-03-10, 1, -2/+2]
| |
* | merged lp:~mvo/apt/fix-inrelease5 [Michael Vogt, 2013-04-02, 1, -10/+16]
|\ \
| |/
|/|
| * * apt-pkg/acquire-item.cc: [David Kalnischkies, 2013-03-15, 1, -10/+16]
| |   - keep the last good InRelease file around just as we do it with Release.gpg in case the new one we download isn't good for us
* | ensure sha512 is really used when available (thanks to Tyler Hicks) [Michael Vogt, 2013-01-14, 1, -1/+1]
|/
* add Debug::pkgAcqArchive::NoQueue to disable package downloading [David Kalnischkies, 2012-03-06, 1, -1/+12]
|
* * apt-pkg/acquire-item.cc: [David Kalnischkies, 2012-03-04, 1, -0/+7]
|   - remove 'old' InRelease file if we can't get a new one before proceeding with Release.gpg to avoid the false impression of a still trusted repository by a (still present) old InRelease file. Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
|   Affected are all versions >= 0.8.11
|   Possible attack summary:
|   - Attacker needs to find a user which has run at least one successful 'apt-get update' against an archive providing InRelease files.
|   - Create a Packages file with his preferred content.
|   - Attacker then prevents the download of InRelease, Release and Release.gpg (alternatively he creates a valid Release file and sends this, the other two files need to be missing either way).
|   - User updates against this, getting the modified Packages file without any indication of being unsigned (beside the "Ign InRelease" and "Ign Release.gpg" in the output of 'apt-get update').
|   => deb files from this source are considered 'trusted' (and therefore the user isn't asked for an additional confirmation before install)
* use pdiff for Translation-* files if available (Closes: #657902) [David Kalnischkies, 2012-02-18, 1, -1/+6]
|   Beware: pdiffs for Translation-* are only acquired if their availability is advertised in the Release file.
* * apt-pkg/acquire-item.cc: [David Kalnischkies, 2012-02-18, 1, -47/+20]
|   - drop support for i18n/Index file (introduced in 0.8.11) and use the Release file instead to get the Translations (Closes: #649314)
|   * ftparchive/writer.cc:
|   - add 'Translation-*' to the default patterns
|   i18n/Index was never used outside debian - and even here it isn't used consistently as only 'main' has such a file. As the Release file now includes the Translation-* files we therefore drop support for i18n/Index.
|   A version supporting it was never part of a debian release and still supporting it would mean that we get 99% of the time a 404 as response to the request anyway and confuse archive maintainers who want to provide all files APT tries to acquire.
* try to avoid direct usage of .Fd() if possible and do read()s and co [David Kalnischkies, 2011-12-17, 1, -2/+2]
|   on the FileFd instead
* use forward declaration in headers if possible instead of includes [David Kalnischkies, 2011-09-19, 1, -0/+2]
|
* merge with debian/sid [David Kalnischkies, 2011-09-13, 1, -25/+22]
|\
| * * apt-pkg/acquire-item.cc: [David Kalnischkies, 2011-08-22, 1, -25/+22]
| |   - if no Release.gpg file is found try to verify with hashes, but do not fail if a hash can't be found
* | merge with debian/experimental [David Kalnischkies, 2011-09-13, 1, -23/+23]
|\ \
| * | merged from the debian-sid branch [Michael Vogt, 2011-08-15, 1, -13/+15]
| |\|
| | * merged fixes from lp:~mvo/apt/mvo [Michael Vogt, 2011-08-15, 1, -0/+1]
| | |\
| | | * fix crash when P.Arch() was used but the cache got remapped [Michael Vogt, 2011-08-08, 1, -1/+1]
| | | |\
| | | * | apt-pkg/acquire-item.cc: add more debug output [Michael Vogt, 2011-08-08, 1, -0/+1]
| | | | |
| | * | | cppcheck complains about some possible speed improvements which could be [David Kalnischkies, 2011-08-11, 1, -11/+11]
| | | |/
| | |/|
| | | |   done on the micro-optimization level, so let's fix them:
| | | |   (performance) Possible inefficient checking for emptiness.
| | | |   (performance) Prefer prefix ++/-- operators for non-primitive types.
| | * | * test/integration/test-hashsum-verification: [Michael Vogt, 2011-08-05, 1, -2/+3]
| | |\|
| | | |   - add regression test for hashsum verification
| | | |   * apt-pkg/acquire-item.cc:
| | | |   - if no Release.gpg file is found, still load the hashes for verification (closes: #636314) and add test
| | | * * apt-pkg/acquire-item.cc: [Michael Vogt, 2011-08-05, 1, -2/+3]
| | |/
| | |   - if no Release.gpg file is found, still load the hashes for verification (closes: #636314) and add test
| * | apt-pkg/acquire-item.cc: always init Verify [Michael Vogt, 2011-08-05, 1, -0/+4]
| | |
| * | * apt-pkg/acquire-item.{cc,h}: [Michael Vogt, 2011-08-05, 1, -0/+4]
| | |   - do not check for a "Package" tag in optional index targets like the translations index
| * | * [ABI break] apt-pkg/acquire-item.{cc,h}: [Michael Vogt, 2011-07-28, 1, -10/+0]
| | |   - cleanup around OptionalIndexTarget and SubIndexTarget
* | | reorder includes: add <config.h> if needed and include it at first [David Kalnischkies, 2011-09-13, 1, -2/+4]
|/ /
* | merged from http://bzr.debian.org/bzr/apt/apt/debian-sid [Michael Vogt, 2011-07-15, 1, -2/+4]
|\|
| * apt-pkg/acquire-item.cc: improve error message for valid-until [Michael Vogt, 2011-07-01, 1, -2/+4]
| |
* | * apt-pkg/acquire*.{cc,h}: [David Kalnischkies, 2011-07-05, 1, -15/+15]
| |   - try even harder to support really big files in the fetcher by converting (hopefully) everything to 'long long' (Closes: #632271)
* | merge lp:~mvo/apt/abi-break [Michael Vogt, 2011-06-29, 1, -1/+5]
|\ \
| |/
|/|
| * merge lp:~mvo/apt/sha512-template to add support for sha512 [Michael Vogt, 2011-06-08, 1, -1/+5]
| |\
| | * add sha512 support in the client now as well [Michael Vogt, 2011-02-25, 1, -1/+5]
| | |
* | | apt-pkg/acquire-item.cc: only test packages file for correctness if it's not ↵ [Michael Vogt, 2011-05-31, 1, -11/+14]
| | |   empty (it's ok to have empty packages files)
* | | Reject files known to be invalid (LP: #346386) (Closes: #627642) [Julian Andres Klode, 2011-05-30, 1, -4/+4]
| | |
* | | apt-pkg/acquire-item.cc: Reject files known to be invalid (LP: #346386) ↵ [Julian Andres Klode, 2011-05-30, 1, -0/+45]
|/ /
| |   (Closes: #195301)
| |   This commit deals with the following cases:
| |   - First section of index file (Packages,Sources,Translation) without Package field
| |   - Signed release files without GPG data (NODATA)
| |   - i18n/Index files without hash sums
| |   Handling unsigned Release files is more complicated, and the example code using indexRecords is disabled as it can reject correct Release files without hashes. How we can reliably check unsigned Release files is another question, and not urgent anyway, as it should have no dramatic effect (we could check that it is a valid RFC-822 section, but that's a bit too long to write)
* | * apt-pkg/acquire-item.cc: [Ben Finney, 2011-04-26, 1, -1/+1]
| |   - apply fix for poorly worded 'locate file' error message from Ben Finney, thanks! (Closes: #623171)
* | apt-pkg/acquire-item.cc: Only try to rename existing Release files (Closes: ↵ [Julian Andres Klode, 2011-04-16, 1, -1/+1]
| |   #622912)
* | * apt-pkg/acquire-item.cc: [Julian Andres Klode, 2011-04-08, 1, -0/+20]
| |   - Use Release files even if they cannot be verified (LP: #704595)
* | merged from lp:~donkult/apt/sid [Michael Vogt, 2011-04-04, 1, -24/+0]
|\ \
| * | * apt-pkg/vendor.cc, apt-pkg/vendorlist.cc: [David Kalnischkies, 2011-03-16, 1, -24/+0]
| | |   - mark them as deprecated as they are unused
* | | apt-pkg/acquire-item.cc: Use stat buffer if stat was [Julian Andres Klode, 2011-04-02, 1, -1/+1]
|/ /
| |   successful, not if it failed (Closes: #620546)
* | apt-pkg/acquire-item.cc: add some more missing Fail-Ignore [Michael Vogt, 2011-03-14, 1, -4/+10]
| |
* | apt-pkg/acquire-item.{cc,h}: mark InRelease with Fail-Ignore to ensure the ↵ [Michael Vogt, 2011-03-14, 1, -0/+15]
| |   mirror methods does not retry on each mirror
* | * apt-pkg/acquire-item.cc: [Michael Vogt, 2011-03-11, 1, -2/+2]
|/
|   - mark pkgAcqIndexTrans as Index-File to avoid asking the user to insert the CD on each apt-get update
* merged from lp:~donkult/apt/sid [Michael Vogt, 2011-02-08, 1, -93/+310]
|\