| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
| |
LP: #2150631 is a bug where trying to access an authentication-locked repo without root sends a 401 error, which is misleading since the authentication information could be in auth.conf.d, but just inaccessible without root. This adds a warning in that scenario, as well as an integration test.
|
| |
|
|
| |
Static analysis has shown that there are many minor memleaks.
|
| |
|
|
|
|
|
| |
References:
- https://stackoverflow.com/questions/79700634/pros-and-cons-of-make-unique-vs-direct-constructor-call-in-c17
- https://towardsdev.com/why-std-make-unique-beats-new-in-modern-c-7e2ba653737e
- https://www.sololearn.com/en/Discuss/3334779/where-make_unique-is-better-than-unique_ptrraw-pointer
|
| |
|
|
|
|
| |
References:
- https://www.reddit.com/r/cpp_questions/comments/pm63yx/why_clangtidy_says_use_emplace_back_instead_of/
- https://clang.llvm.org/extra/clang-tidy/checks/modernize/use-emplace.html
|
| |
|
|
|
|
|
|
| |
Benchmark:
- https://stackoverflow.com/questions/62058906/why-my-performance-benchmark-gives-me-wrong-results
References:
- https://clang.llvm.org/extra/clang-tidy/checks/performance/prefer-single-char-overloads.html
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
In HasPending(), we assert that there is an open connection
object (ssl), but it seems we can end up calling HasPending()
after calling Close().
Therefore, remove the assertion and include ssl != nullptr as
the first requirement.
Closes: #1107827
|
| |
|
|
|
|
|
|
| |
This commit fixes the following compiler errors.
apt-pkg/acquire.cc:833:51: error: no template named 'function' in namespace 'std'
apt-pkg/contrib/error.cc:198:59: error: no member named 'front_inserter' in namespace 'std'
apt-pkg/solver3.h:44:22: error: no template named 'is_trivially_constructible_v' in namespace 'std'
methods/http.cc:1029:24: error: no member named 'inserter' in namespace 'std'
|
| |
|
|
|
|
|
|
| |
ftparchive/contents.h failed with operator< defined only,
so define operator<=> instead.
The operator and FileCopyType constructor both had a warning
about not throwing and adding a noexcept, so add one
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This implements a simple check where we first run `sqv` with
`--policy-as-of` 1 year in the future. If the file is validly
signed one year in the future, it is validly signed now.
If the file is not validly signed 1 year in the future, we check
if it is validly signed now, and otherwise print an error message.
The --policy-as-of feature was added in sqv 1.3.0, hence we add a
version requirement to the dependency.
|
| | |
|
| |
|
|
| |
string{=> _view})
|
| |
|
|
|
|
|
|
|
|
|
| |
The change from the GNUTLS backend to the OpenSSL backend only loads
the first certificate from a client certificate file. As a result it
is no longer possible to send intermediate client certificates to the
server to assist in certificate verification. Instead call
ssl_ctx_use_certificate_chain_file so intermediate certificates can be
sent.
Signed-off-by: Sam Hartman <hartmans@debian.org>
|
| |
|
|
|
|
|
|
|
|
| |
This should remain a warning case for now. So push the errors
to a stack and see if we can find any file.
Explictly warn again if Dir::Etc::trusted is set, as it is like
_super_ deprecated.
Reported-By: Cyril Brulebois <kibi@debian.org> in Bug#1032131
|
| |
|
|
|
|
|
|
|
|
| |
This warning has been superseded by the missing sources.list
notice (which will also become a warning shortly)
Adjust the sqv exit to avoid introducing a new spurious
"No good signature" that we did not reach before.
moo
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc 14.2.0-9 causes vector instructions to be emitted in the
constructor when it is being inlined into BaseHttpMethod::Loop(),
which seemingly only on Graviton instances, causes the field to
be initialized to 0 (Chunked) instead of 2 (Closes), causing the
code to fail later when it tries to interpret file data as the
chunk size. It's plausible we are missing some register saving
here - that is, the q31 register overrides an x register.
Work around this by making Closes element 0, such that 0
initialisation results in the correct Closes value.
Reported-By: Myon on IRC
|
| | |
|
| |\
| |
| |
| |
| | |
Drop unused and obsolete macros as well as documentation
See merge request apt-team/apt!428
|
| | |
| |
| |
| | |
References: a00fbbdb28cc31e78882301c2efe7218583ab4cb
|
| | |
| |
| |
| |
| | |
[[noreturn]] is a C++11 feature and so we can just use it
unconditionally.
|
| | |
| |
| |
| |
| |
| | |
That macro is not that useful as it might perhaps once was. Lets prepare
dropping it now in favour of more standard ways of working with arrays
now.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
We were rather inconsistent in using it and as our public headers
contain deduction guides (a c++17 feature) it seems silly to try to hide
a c++11 feature in a macro, so lets stop this charade and drop the
macro and while we are changing all these lines lets apply [[nodiscard]]
(another c++17 feature) and other suggestions from clang-tidy and
formatting for a little more consistency.
|
| | |
| |
| |
| |
| |
| | |
SSL_read() and SSL_write may return 0 for errors, whereas our
callers only expect -1 for errors and 0 for closed connections,
so map this accordingly.
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
The OpenSSL docs say:
> For socket I/O on Unix systems, consult errno for details
but also:
> This value can also be returned for other errors,
> check the error queue for details.
This means it's possible errno isn't set, in which case
we may appear to have reached an EOF when we did not.
|
| |\
| |
| |
| |
| | |
http: seccomp: Allow reading directories
See merge request apt-team/apt!421
|
| | |
| |
| |
| |
| |
| | |
This is needed by OpenSSL.
Closes: #1091351
|
| |/
|
|
|
|
|
|
|
|
|
| |
We inadvertently did not discard pending errors when the
fallback to Dir::Etc::trusted succeeded, do so.
Also add some quick safety checks to make sure we enter the
verification in a good state, and that if somehow errors are
pending after a verification we return false.
Closes: #1091679
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new sqv method uses sequoia's sqv tool to verify files. The
tool's interface is quite simple: It returns 0 on success, and
prints one line per good signer with the fingerprint.
sqv has a configurable crypto policy. We have defined apt-specific
override mechanisms for sequoia's standard policy, allowing both
users, distributions, and apt package to provide overrides for
Sequoia's default policy in meaningful ways.
The sqv method will be built and be the standard method for
verifying OpenPGP signatures provided that `sqv` is in the
PATH during building. It is not built if there was no sqv
at build time, so you need a rebuild to enable sqv later
on.
On the flip side, the gpgv method is always built, but it
does need to be always built: If APT::Key::GPGVCommand is
set, we need to fallback to it - this is important to
support existing users of that interface such as
mmdebstrap. Also we want to fall back to it when /usr/bin/sqv
disappears - for example in our CI :D
A couple of concessions have been made for test suite purposes:
- Failure to split a clearsigned file only shows the summary,
as the gpgv method also only showed it, and no details why
it failed.
- We write "Got GOODSIG <fingerprint>" in debug mode to mimic
the gpgv code to keep the test suite happy.
- In various places in the test suite we assert minimal output
from sqv, but sqv's human output is not intended to be stable.
This will incur additional work when it breaks. However we do
not _parse_ the output, so actual operation of apt is unaffected.
A couple of things are suboptimal here:
- We are still doing clearsigned splitting ourselves. sqv only
has support for detached signatures right now, whereas sqopv
has support for clearsigned files as well (but sqopv does not
provide any reasons for why signature verification fails or
means to set a policy).
- Deprecation of algorithms happens on a timebomb basis in
sequoia. We have no means to give users warnings ahead of
time if their configuration is outdated.
We have implemented various bits that probably should be going away:
- Fallback to trusted.gpg
This is just annoying...
- Support for fingerprints in Signed-By (no subkey matching though)
The extra work here is arguably less compared to gpgv.
- Check the keyring for correctness.
With Signed-By everywhere, we should just error out rather than
skip broken keyrings.
Moo
|
| |
|
|
|
| |
OpenSSL is mandatory now, it is no longer possible to build
without https support either.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce an OpenSSL::Crypto backend for the hashes library
and an OpenSSL::SSL backend for the TLS support in our https
method.
Many thanks to curl for showing the way with how to handle
a CRL file. There are some memory leaks here with the
TlsFd itself as well as the proxy support; and we should
reorganize the code to generate the ssl object as late
as possible.
A peculiar aspect of OpenSSL is that SSL_has_pending() returns
1 even if SSL_read() will fail to read anything and return the
equivalent of EAGAIN. We work around this here by also peeking
ahead 1 byte. I was running a very high RTT connection from
Germany to Australia for testing, and with the peeking it's
using negligible amounts of CPU; before that, it was busy
looping at 100%. Bad OpenSSL!
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This gains us support for not using an absolute path, which
is nice, and we can now cache the invocation across fork() in
the method.
Still keep preferring absolute paths, this avoids execvp() having
to iterate the path and reduces bug potential with custom gpgv in
/usr/local.
Fix the last entry in the list of gpgvs to say gpgv1
|
| |
|
|
| |
Converting it to a comma-separated string and back loses precision.
|
| |\
| |
| |
| |
| | |
Support uncompressed indexes from partial file:/ mirrors
See merge request apt-team/apt!235
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Ideally copy and file mirrors would support by-hash as well, but its
harder to setup and maintain especially if you want to cache an online
mirror who has by-hash enabled.
We can avoid unneeded roundtrips (in the best case) and entire cache
misses (in the usual worst case) by "just" telling methods that the URI
we passed it has the requested file perhaps also in other paths.
This is done in pseudo-relative paths as we would otherwise need to
teach redirection code to rewrite those URIs as well. A method like http
can easily ignore this value and await explicit instructions to look at
that file, but inspecting the path in local sources via file or copy is
(comparatively) free, so we just do it immediately. If that ends up
being the wrong version of the file as by-hash would have protected us
from we are in this feature branch now falling back to other mirrors
which are like the ones online and in support of by-hash.
|
| | |
| |
| |
| |
| |
| |
| | |
In practice most of them will, but making the acquire process hang in
response if they don't seems like an overly excessive response if we can
just support it gracefully to reply with an error (or actually succeed
in the unlikely event this URI is actually correct).
|
| | |
| |
| |
| |
| |
| |
| | |
If we do not have the requested file we haven't calculated the hashes
for it either and it is likely that the alternative file will be used,
so to save the main thread from being busy with calculating hashes we
do the calculation here in the method.
|
| |/
|
|
|
|
|
| |
gcc reports `warning: Declaring type ‘class X’ final would
enable devirtualization of Y calls [-Wsuggest-final-types]`.
Not that this would massively improve performance, but it
shouldn't hurt telling the compiler what is obvious for a human.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some mirrors like snapshot.debian.org apply strict http rate limits.
While apt already has an exponential backoff mechanism implemented, this
is not sufficient due to the following reasons:
1. all retries happen roughly at the same time
2. the retry-after information from the server is not used
We fix this by improving the algorithm: First, if present, the timestamp
or duration of the Retry-After header is added to the exponential
backoff, optimizing for success-on-second-try. Second, a random delay is
added (delay += [0, delay]) to distribute the retries to not immediately
run into the limit again. To avoid super-long delays, this is capped by
the configured maximum delay. This logic only becomes active if the
option Acquire::Retries::HandleRetryAfter is enabled.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
These methods have been unsupported and disabled since 1.8, remove
them for the 3.0 cleanup.
Please migrate to http instead. If you need ad-hoc access to a remote
repository, you can run `python3 -m http.server` on that machine and
use SSH port forwarding to run http over ssh.
|
| |
|
|
| |
FileFdPrivate's read()/discard buffer from 1k to APT_BUFFER_SIZE (64k)
|
| |
|
|
|
|
|
|
|
|
|
| |
Algorithms not in the next level give a warning, algorithms
in not in the future level introduce an audit message for
the --audit flag.
next: >=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512
future: >=rsa3072,ed25519,ed448
LP: #2073126
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We temporarily downgraded the errors to warnings to give the
launchpad PPAs time to be fixed, but warnings are not safe:
Untrusted keys could be hiding on your system, but just not
used at the moment. Hence revert this so we get the errors we
want.
This reverts commit 66998ed3d299bede651ad40368bdb270f5f5b0f9.
LP: #2060721
Gbp-Dch: full
|
| |
|
|
|
|
|
|
|
| |
Once in a generation, it may be necessary to bootstrap apt in an
environment where gnutls is not yet available. This makes gnutls
support in apt optional.
You may also want a configure flag to force gnutls to be required from
outside the buildsystem (e.g. debian/rules).
|
| |
|
|
|
| |
This will only issue warnings instead of errors while we continue
cleaning up our repositories.
|
| |
|
|
| |
This allows us to render public key algorithms as weak as well.
|