From 8580574ec63fedd39a3ab3b9f0025e08eae5f620 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Fri, 14 Jul 2017 17:07:22 +0200
Subject: suggest using auth.conf for sources with passwords

The feature exists for a long while even if we get around to document it properly only now, so we should push for its adoption a bit to avoid the problems its supposed to solve like avoiding usage of non-world readable configuration files as they can cause strange behaviour for the unsuspecting user (like different solutions as root and non-root).
---
 apt-private/private-update.cc | 13 +++++++++++++
 test/integration/test-apt-get-update-sourceslist-warning | 14 ++++++++++++++
 test/integration/test-authentication-basic | 6 +++++-
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/apt-private/private-update.cc b/apt-private/private-update.cc
index f235a6191..c9113ddd3 100644
--- a/apt-private/private-update.cc
+++ b/apt-private/private-update.cc
@@ -103,6 +103,19 @@ bool DoUpdate(CommandLine &CmdL)
 "See press release %s for details.",
 (*S)->GetURI().c_str(), "https://debian.org/News/2017/20170425");
 }
+ for (pkgSourceList::const_iterator S = List->begin(); S != List->end(); ++S)
+ {
+ URI uri((*S)->GetURI());
+ if (uri.User.empty() && uri.Password.empty())
+ continue;
+ // we can't really predict if a +http method supports everything http does,
+ // so we play it safe and use a whitelist here.
+ char const *const affected[] = {"http", "https", "tor+http", "tor+https", "ftp"};
+ if (std::find(std::begin(affected), std::end(affected), uri.Access) != std::end(affected))
+ // TRANSLATOR: the first two are manpage references, the last the URI from a sources.list
+ _error->Notice(_("Usage of %s should be preferred over embedding login information directly in the %s entry for '%s'"),
+ "apt_auth.conf(5)", "sources.list(5)", URI::ArchiveOnly(uri).c_str());
+ }
 }

 // show basic stats (if the user whishes)
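Review bot: The new loop documents why the scheme whitelist exists but not why embedded credentials are a problem in the first place, which is the point the notice is trying to make; a comment above the `if (uri.User.empty() && uri.Password.empty())` check would help the next maintainer, e.g. `// Credentials in sources.list(5) are either world-readable or, once the file is made private, make root and non-root resolve sources differently; apt_auth.conf(5) avoids both (see commit message).` The notice reports `URI::ArchiveOnly(uri)` rather than the raw URI, so the password itself is not echoed into terminal or log output (the new tests pin this), which anyone later rewording the message should keep. `std::find` with `std::begin`/`std::end` needs `<algorithm>` and `<iterator>`; the hunk does not show the include list, so confirm they are already pulled in rather than relying on a transitive include. The enclosing function DoUpdate, and the block containing both loops, start and end outside the hunk.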
diff --git a/test/integration/test-apt-get-update-sourceslist-warning b/test/integration/test-apt-get-update-sourceslist-warning
index b466e85eb..a99356b8b 100755
--- a/test/integration/test-apt-get-update-sourceslist-warning
+++ b/test/integration/test-apt-get-update-sourceslist-warning
@@ -29,3 +29,17 @@ Building dependency tree...
 All packages are up to date.
 W: Debian shuts down public FTP services currently still used in your sources.list(5) as 'ftp://ftp.tlh.debian.org/debian/'.
 See press release https://debian.org/News/2017/20170425 for details." apt update --no-download
+
+
+echo 'deb http://apt:debian@ftp.tlh.debian.org/debian zurg main' > rootdir/etc/apt/sources.list.d/ftpshutdown.list
+testsuccessequal "Reading package lists...
+Building dependency tree...
+All packages are up to date.
+N: Usage of apt_auth.conf(5) should be preferred over embedding login information directly in the sources.list(5) entry for 'http://ftp.tlh.debian.org/debian'" apt update --no-download
+
+
+echo 'deb tor+https://apt:debian@ftp.tlh.debian.org/debian zurg main' > rootdir/etc/apt/sources.list.d/ftpshutdown.list
+testsuccessequal "Reading package lists...
+Building dependency tree...
+All packages are up to date.
+N: Usage of apt_auth.conf(5) should be preferred over embedding login information directly in the sources.list(5) entry for 'tor+https://ftp.tlh.debian.org/debian'" apt update --no-download
diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic
index d29b38256..011f205af 100755
--- a/test/integration/test-authentication-basic
+++ b/test/integration/test-authentication-basic
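Review bot: Both new cases use schemes inside the whitelist, so nothing pins the other half of the new behaviour — an entry with credentials whose scheme is not in `affected` must produce no notice at all. A third case with the same `apt:debian@` login but a scheme outside the list, asserting the plain three-line output with no `N:` line, would catch a later accidental widening of the check. The exact-match assertions already guarantee the password `debian` never appears in the notice, which is the security-relevant property here; a one-line comment makes that intent explicit, e.g. `# the notice must name the archive only, never the embedded login`. Reusing `ftpshutdown.list` for the credential cases is harmless but the filename now misleads; a separate `credentials.list` would read better.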
@@ -38,7 +38,11 @@ testauthsuccess() { fi rm -rf rootdir/var/lib/apt/lists - testsuccess aptget update + if expr index "$1" '@' >/dev/null; then + testsuccesswithnotice aptget update + else + testsuccess aptget update + fi testsuccessequal 'Reading package lists... Building dependency tree... The following NEW packages will be installed: -- cgit v1.2.3-70-g09d2
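Review bot: `expr index "$1" '@'` relies on a GNU coreutils extension — `index` is not part of POSIX expr — so under a non-GNU expr such as the BSD one the new branch errors out or silently picks the wrong helper; a shell `case` needs no external tool and is portable: `case "$1" in *@*) testsuccesswithnotice aptget update;; *) testsuccess aptget update;; esac`. The `@` heuristic also fires on a bare username without a password, which matches the C++ condition (`User.empty() && Password.empty()`), so the two stay in step; a short comment noting that this branch tracks the notice emitted by DoUpdate would make that coupling visible. `testauthsuccess` starts and ends outside the hunk, and whether `testsuccesswithnotice` already exists in the test framework cannot be seen from here.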