summaryrefslogtreecommitdiff
path: root/methods
Commit message (Collapse)AuthorAgeFilesLines
* rred: Allow passing files as arguments for compressor testingJulian Andres Klode2015-12-261-2/+14
| | | | | | | | This introduces a -t mode in which the first argument is input, the second is output and the remaining are diffs. This allows us to test patching compressed files, which are detected using their file extension.
* disable privilege dropping for rsh/ssh method by defaultDavid Kalnischkies2015-11-281-0/+4
| | | | | | | | | ssh expects various configuration bits to be usable like known hosts, possibly keys and co. Setting this up needs some user work for probably not a whole lot of benefits, so instead of forcing it upon users on upgrade disable dropping for it by default. Closes: 806511
* fix program name detection in rsh methodDavid Kalnischkies2015-11-282-6/+6
| | | | Regression intoduced in 23e64f6d0facf9610c1042326ad9850e071e8349
* ignore lost+found in private directory cleanupDavid Kalnischkies2015-11-191-0/+1
| | | | | | | | | | In ce1f3a2c we started warning about failing unlinking, which we consistently do for directories. That isn't a problem as directories usually aren't in the places we do want to clean up – with the potential exeception of "lost+found", so lets ignore it like we ignore our own partial/ subdirectory. Closes: 805424
* activate AI_IDN by default to support IDN domainsDavid Kalnischkies2015-11-051-0/+2
| | | | | | | AI_IDN is a glibc extension, but we can worry about this at the time actually anyone is seriously trying apt on non-glibc systems. Closes: 763437
* apply various suggestions made by cppcheckDavid Kalnischkies2015-11-057-12/+10
| | | | | Reported-By: cppcheck Git-Dch: Ignore
* allow acquire method specific options via Binary scopeDavid Kalnischkies2015-11-0512-109/+65
| | | | | | | | Allows users who know what they are getting themselves into with this trick to e.g. disable privilege dropping for e.g. file:// until they can fix up the permissions on those repositories. It helps also the test framework and people with a similar setup (= me) to run in less modified environments.
* drop privileges in copy:// method as we do for file://David Kalnischkies2015-11-053-38/+54
| | | | | | | | | | | Continueing on the track of dropping privileges in all methods, lets drop it in copy, too, as the reasoning for it is very similar to file and the interaction between the too quiet interesting as copy kinda surfed as a fallback for file not being able to read the file. Both now show a better error message as well as it was previously claiming to have a hashsum mismatch, given that it couldn't read the file. Git-Dch: Ignore
* allow getaddrinfo flag AI_ADDRCONFIG to be disabledDavid Kalnischkies2015-11-041-1/+6
| | | | | | | | | This flags is generally handy to avoid having to deal with ipv6 results on an ipv4-only system, but it prevents e.g. the testcases from working if the testsystem has no configured address at the moment (expect loopback), so allow it to be sidestepped and let the testcases sidestep it. Git-Dch: Ignore
* wrap every unlink call to check for != /dev/nullDavid Kalnischkies2015-11-045-8/+8
| | | | | | | | | | | | | | | | Unlinking /dev/null is bad, we shouldn't do that. Also, we should print at least a warning if we tried to unlink a file but didn't manage to pull it of (ignoring the case were the file is /dev/null or doesn't exist in the first place). This got triggered by a relatively unlikely to cause problem in pkgAcquire::Worker::PrepareFiles which would while temporary uncompressed files (which are set to keep compressed) figure out that to files are the same and prepare for sharing by deleting them. Bad move. That also shows why not printing a warning is a bad idea as this hide the error for in non-root test runs. Git-Dch: Ignore
* set failreasons similar to connect.cc based on curl errorsDavid Kalnischkies2015-11-041-3/+18
| | | | | | | | | | Detecting network errors has some benefits in the acquire system as if we can't connect to a host trying it for a million files is pointless. http and co which use connect.cc deal with this, but https which uses curl had connection failures as "normal" errors which could potentially be worked around (like trying Release instead of the failed InRelease). Git-Dch: Ignore
* unbreak the copy-method claiming hashsum mismatch since ~exp9David Kalnischkies2015-11-042-23/+35
| | | | | | | | | | | | | | | | Commit 653ef26c70dc9c0e2cbfdd4e79117876bb63e87d broke the camels back in sofar that everything works in terms of our internal use of copy:/, but external use is completely destroyed. This is kinda the reverse of what happened in "parallel" in the sid branch, where external use was mostly fine, internal and external exploded on the GzipIndexes option. We fix this now by rewriting our internal use by letting copy:/ only do what the name suggests it does: Copy files and not uncompress them on-the-fly. Then we teach copy and the uncompressors how to deal with /dev/null and use it as destination file in case we don't want to store the uncompressed files on disk. Closes: 799158
* drop privileges in file:// method as we do for decompressorsDavid Kalnischkies2015-11-041-2/+12
| | | | | | | | | We drop it in decompressors, which are the natural next step, so if an archive is used which isn't worldreadable (= not accessible by _apt) it doesn't work anyway, so we just fail a bit earlier now and avoid all the bad things which can happen over file (which could very well still be a network resourc via NFS mounts or similar stuff, so hardly as safe as the name might suggest at first).
* fix two memory leaks reported by gccDavid Kalnischkies2015-09-146-18/+21
| | | | | Reported-By: gcc -fsanitize=address -fno-sanitize=vptr Git-Dch: Ignore
* avoid using global PendingError to avoid failing too often too soonDavid Kalnischkies2015-09-141-1/+1
| | | | | | | | | | | | | | | | | | | Our error reporting is historically grown into some kind of mess. A while ago I implemented stacking for the global error which is used in this commit now to wrap calls to functions which do not report (all) errors via return, so that only failures in those calls cause a failure to propergate down the chain rather than failing if anything (potentially totally unrelated) has failed at some point in the past. This way we can avoid stopping the entire acquire process just because a single source produced an error for example. It also means that after the acquire process the cache is generated – even if the acquire process had failures – as we still have the old good data around we can and should generate a cache for (again). There are probably more instances of this hiding, but all these looked like the easiest to work with and fix with reasonable (aka net-positive) effects.
* fix some unused parameter/variable warningsDavid Kalnischkies2015-08-311-6/+4
| | | | | Reported-By: gcc Git-Dch: Ignore
* implement PDiff patching for compressed filesDavid Kalnischkies2015-08-281-37/+47
| | | | | | | | | | | | | | | | | | Some additional files like 'Contents' are very big and should therefore kept compressed on the disk, which apt-file did in the past. It also implemented pdiff patching of these files by un- and recompressing these files on-the-fly, with this commit we can do the same – but we can do this in both pdiff patching styles (client and server merging) and secured by hashes. Hashes are in so far slightly complicated as we can't compare the hashes of the compressed files as we might compress them differently than the server would (different compressor versions, options, …), so we must compare the hashes of the uncompressed content. While this commit has changes in public headers, the classes it changes are marked as hidden, so nobody can use them directly, which means the ABI break is internal only.
* fix various typos reported by codespellDavid Kalnischkies2015-08-273-4/+4
| | | | Reported-By: codespell
* Fix typoMichael Vogt2015-08-241-1/+1
| | | | | Thanks: Julian Andres Klode Git-Dch: ignore
* Add basic (non weight adjusted) shuffling for SrvRecords selectionMichael Vogt2015-08-201-2/+3
| | | | | Also add "Debug::Acquire::SrvRecs" debug option and the option "Acquire::EnableSrvRecods" to allow disabling this lookup.
* cleanupMichael Vogt2015-08-181-10/+8
|
* Merge remote-tracking branch 'upstream/debian/experimental' into ↵Michael Vogt2015-08-1814-118/+286
|\ | | | | | | feature/srv-records
| * Make apt compile with clang++ againMichael Vogt2015-08-141-1/+1
| | | | | | | | | | This allows us to run the clang static analyzer and to run the testsuite with the clang MemorySanitizer.
| * support setting a port for rsh:// in sources.listDaniel Hartwig2015-08-122-2/+21
| | | | | | | | | | | | | | [Commiter comment: Untested, but looks and compiles fine, so what could possibly go wrong] Closes: 624727
| * add c++11 override marker to overridden methodsDavid Kalnischkies2015-08-1013-56/+57
| | | | | | | | | | | | | | | | | | C++11 adds the 'override' specifier to mark that a method is overriding a base class method and error out if not. We hide it in the APT_OVERRIDE macro to ensure that we keep compiling in pre-c++11 standards. Reported-By: clang-modernize -add-override -override-macros Git-Dch: Ignore
| * implement Signed-By without using gpg for verificationDavid Kalnischkies2015-08-101-9/+60
| | | | | | | | | | | | | | | | | | | | The previous commit returns to the possibility of using just gpgv for verification proposes. There is one problem through: We can't enforce a specific keyid without using gpg, but our acquire method can as it parses gpgv output anyway, so it can deal with good signatures from not expected signatures and treats them as unknown keys instead. Git-Dch: Ignore
| * allow individual targets to be kept compressedDavid Kalnischkies2015-08-101-6/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is an option to keep all targets (Packages, Sources, …) compressed for a while now, but the all-or-nothing approach is a bit limited for our purposes with additional targets as some of them are very big (Contents) and rarely used in comparison, so keeping them compressed by default can make sense, while others are still unpacked. Most interesting is the copy-change maybe: Copy is used by the acquire system as an uncompressor and it is hence expected that it returns the hashes for the "output", not the input. Now, in the case of keeping a file compressed, the output is never written to disk, but generated in memory and we should still validated it, so for compressed files copy is expected to return the hashes of the uncompressed file. We used to use the config option to enable on-the-fly decompress in the method, but in reality copy is never used in a way where it shouldn't decompress a compressed file to get its hashes, so we can save us the trouble of sending this information to the method and just do it always.
| * implement Signed-By option for sources.listDavid Kalnischkies2015-08-101-8/+10
| | | | | | | | | | | | | | | | | | | | Limits which key(s) can be used to sign a repository. Not immensely useful from a security perspective all by itself, but if the user has additional measures in place to confine a repository (like pinning) an attacker who gets the key for such a repository is limited to its potential and can't use the key to sign its attacks for an other (maybe less limited) repository… (yes, this is as weak as it sounds, but having the capability might come in handy for implementing other stuff later).
| * call URIStart in cdrom and file methodDavid Kalnischkies2015-06-152-9/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | All other methods call it, so they should follow along even if the work they do afterwards is hardly breathtaking and usually results in a URIDone pretty soon, but the acquire system tells the individual item about this via a virtual method call, so even through none of our existing items contains any critical code in these, maybe one day they might. Consistency at least once… Which is also why this has a good sideeffect: file: and cdrom: requests appear now in the 'apt-get update' output. Finally - it never made sense to hide them for me. Okay, I guess it made before the new hit behavior, but now that you can actually see the difference in an update it makes sense to see if a file: repository changed or not as well.
| * ensure valid or remove destination file in file methodDavid Kalnischkies2015-06-151-11/+33
| | | | | | | | | | | | | | 'file' isn't using the destination file per-se, but returns another name via "Filename" header. It still should deal with destination files as they could exist (pkgAcqFile e.g. creates links in that location) and are potentially bogus.
| * replace ULONG_MAX with c++ style std::numeric_limitsDavid Kalnischkies2015-06-091-2/+2
| | | | | | | | | | | | | | For some reason travis seems to be unhappy about it claiming it is not defined. Well, lets not think to deeply about it… Git-Dch: Ignore
| * support hashes for compressed pdiff filesDavid Kalnischkies2015-06-091-1/+1
| | | | | | | | | | | | | | | | At the moment we only have hashes for the uncompressed pdiff files, but via the new '$HASH-Download' field in the .diff/Index hashes can be provided for the .gz compressed pdiff file, which apt will pick up now and use to verify the download. Now, we "just" need a buy in from the creators of repositories…
| * add more parsing error checking for rredDavid Kalnischkies2015-06-091-21/+49
| | | | | | | | | | | | | | The rred parser is very accepting regarding 'invalid' files. Given that we can't trust the input it might be a bit too relaxed. In any case, checking for more errors can't hurt given that we support only a very specific subset of ed commands.
| * check patch hashes in rred worker instead of in the handlerDavid Kalnischkies2015-06-091-10/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | rred is responsible for unpacking and reading the patch files in one go, but we currently only have hashes for the uncompressed patch files, so the handler read the entire patch file before dispatching it to the worker which would read it again – both with an implicit uncompress. Worse, while the workers operate in parallel the handler is the central orchestration unit, so having it busy with work means the workers do (potentially) nothing. This means rred is working with 'untrusted' data, which is bad. Yet, having the unpack in the handler meant that the untrusted uncompress was done as root which isn't better either. Now, we have it at least contained in a binary which we can harden a bit better. In the long run, we want hashes for the compressed patch files through to be safe.
| * rework hashsum verification in the acquire systemDavid Kalnischkies2015-06-091-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Having every item having its own code to verify the file(s) it handles is an errorprune process and easy to break, especially if items move through various stages (download, uncompress, patching, …). With a giant rework we centralize (most of) the verification to have a better enforcement rate and (hopefully) less chance for bugs, but it breaks the ABI bigtime in exchange – and as we break it anyway, it is broken even harder. It shouldn't effect most frontends as they don't deal with the acquire system at all or implement their own items, but some do and will need to be patched (might be an opportunity to use apt on-board material). The theory is simple: Items implement methods to decide if hashes need to be checked (in this stage) and to return the expected hashes for this item (in this stage). The verification itself is done in worker message passing which has the benefit that a hashsum error is now a proper error for the acquire system rather than a Done() which is later revised to a Failed().
* | Merge branch 'debian/experimental' into feature/srv-recordsMichael Vogt2015-08-1816-269/+466
|\| | | | | | | | | | | Conflicts: cmdline/apt-helper.cc cmdline/makefile
| * Merge branch 'debian/sid' into debian/experimentalMichael Vogt2015-05-224-22/+39
| |\ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: apt-pkg/pkgcache.h debian/changelog methods/https.cc methods/server.cc test/integration/test-apt-download-progress
| | * Update methods/https.cc now that ServerState::Size is renamedMichael Vogt2015-05-221-1/+1
| | | | | | | | | | | | Git-Dch: ignore
| | * Merge remote-tracking branch 'upstream/debian/jessie' into debian/sidMichael Vogt2015-05-221-14/+4
| | |\ | | | | | | | | | | | | | | | | Conflicts: apt-pkg/deb/dpkgpm.cc
| | | * properly handle expected filesize in httpsDavid Kalnischkies2015-04-071-14/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The worker expects that the methods tell him when they start or finish downloading a file. Various information pieces are passed along in this report including the (expected) filesize. https is using a "global" struct for reporting which made it 'reuse' incorrect values in some cases like a non-existent InRelease fallbacking to Release{,.gpg} resulting in an incorrect size-mismatch warning scaring and desensitizing users as well as being subject to a race between the write_data and progress callbacks generating incorrect progress reporting and potentially the same error message. Other branches as well as the bugreports contain 'better' fixes making the struct local and other sensible changes, but are larger as a result, so in this version we opted for short diff with minimal effect above else instead. Closes: 777565, 781509 Thanks: Robert Edmonds and Anders Kaseorg for initial patchs
| | * | Rename "Size" in ServerState to TotalFileSizeMichael Vogt2015-05-223-16/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The variable "Size" was misleading and caused bug #1445239. To avoid similar issues in the future, rename it to make the meaning more obvious. git-dch: ignore
| | * | Fix endless loop in apt-get update that can cause disk fillupMichael Vogt2015-05-223-7/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The apt http code parses Content-Length and Content-Range. For both requests the variable "Size" is used and the semantic for this Size is the total file size. However Content-Length is not the entire file size for partital file requests. For servers that send the Content-Range header first and then the Content-Length header this can lead to globbing of Size so that its less than the real file size. This may lead to a subsequent passing of a negative number into the CircleBuf which leads to a endless loop that writes data. Thanks to Anton Blanchard for the analysis and initial patch. LP: #1445239
| | * | Revert "HttpsMethod::Fetch(): Zero the FetchResult object when leaving due ↵Michael Vogt2015-04-131-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | to 404" This reverts commit 1296bc7c466181a7978c313c40a041b34ce3eaeb.
| | * | HttpsMethod::Fetch(): Zero the FetchResult object when leaving due to 404Robert Edmonds2015-04-071-0/+2
| | |/
| * | detect Releasefile IMS hits even if the server doesn'tDavid Kalnischkies2015-05-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Not all servers we are talking to support If-Modified-Since and some are not even sending Last-Modified for us, so in an effort to detect such hits we run a hashsum check on the 'old' compared to the 'new' file, we got the hashes for the 'new' already for "free" from the methods anyway and hence just need to calculated the old ones. This allows us to detect hits even with unsupported servers, which in turn means we benefit from all the new hit behavior also here.
| * | detect 416 complete file in partial by expected hashDavid Kalnischkies2015-05-123-11/+46
| | | | | | | | | | | | | | | | | | | | | If we have the expected hashes we can check with them if the file we have in partial we got a 416 for is the expected file. We detected this with same-size before, but not every server sends a good Content-Range header with a 416 response.
| * | calculate hashes while downloading in httpsDavid Kalnischkies2015-04-196-22/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We do this in HTTP already to give the CPU some exercise while the disk is heavily spinning (or flashing?) to store the data avoiding the need to reread the entire file again later on to calculate the hashes – which happens outside of the eyes of progress reporting, so you might ended up with a bunch of https workers 'stuck' at 100% while they were busy calculating hashes. This is a bummer for everyone using apt as a connection speedtest as the https method works slower now (not really, it just isn't reporting done too early anymore).
| * | calculate only expected hashes in methodsDavid Kalnischkies2015-04-1913-23/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Methods get told which hashes are expected by the acquire system, which means we can use this list to restrict what we calculate in the methods as any extra we are calculating is wasted effort as we can't compare it with anything anyway. Adding support for a new hash algorithm is therefore 'free' now and if a algorithm is no longer provided in a repository for a file, we automatically stop calculating it. In practice this results in a speed-up in Debian as we don't have SHA512 here (so far), so we practically stop calculating it.
| * | handle servers closing encoded connections correctlyDavid Kalnischkies2015-04-191-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Servers who advertise that they close the connection get the 'Closes' encoding flag, but this conflicts with servers who response with a transfer-encoding (e.g. encoding) as it is saved in the same flag. We have a better flag for the keep-alive (or not) of the connection anyway, so we check this instead of the encoding. This is in practice not much of a problem as real servers we talk to are HTTP1.1 servers (with keep-alive) and there isn't much point in doing chunked encoding if you are going to close anyway, but our simple testserver stumbles over this if pressed and its a bit cleaner, too. Git-Dch: Ignore
| * | send Alt-* info for uncompressed based on any compressionsDavid Kalnischkies2015-04-191-19/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | file sends information about the uncompressed file if it can find it as well as for the compressed file. This was done only for gzip so far, but we support more compression types. That this information isn't used a lot is a different story. Git-Dch: Ignore