julian-klode/apt

julian-klode


      Fix parsing of or groups in build-deps with ignored packages

If the last alternative(s) of an Or group is ignored, because it does
not match an architecture list, we would end up keeping the or flag,
effectively making the next AND an OR.

For example, when parsing (on amd64):

    debhelper (>= 9), libnacl-dev [amd64] | libnacl-dev [i386]
 => debhelper (>= 9), libnacl-dev |

Which can cause python-apt to crash.

Even worse:

     debhelper (>= 9), libnacl-dev [amd64] | libnacl-dev [i386], foobar
  => debhelper (>= 9), libnacl-dev [amd64] | foobar

By setting the previous alternatives Or flag to the current Or flag
if the current alternative is ignored, we solve the issue.

LP: #1694697

7ddf958

julian-klode


      Release 1.4.5

66d7b8b

julian-klode


      apt.systemd.daily: Pass --dry-run to unattended-upgrade, not -d

We want to download stuff:
  --dry-run             Simulation, download but do not install
not debug:
  -d, --debug           print debug messages

Confusion everywhere!

Closes: #863859

31c81a3

julian-klode


      apt.systemd.daily: Use unattend-ugrade --download-only if available

Using dry-run as in the previous commit is not really correct, as
it logs dpkg debugging output too. So, let's assume unattended-upgrade
gets a --download-only option and use that if it is available.

This lets us add the downloading part to unattended-upgrades later
on, without requiring versioned dependencies between the two.

Closes: #863859

cedf80c

julian-klode


      Release 1.4.6

1c562db

willismonroe


      Minor grammar fix

Modified the wording of an error message when a repository no longer has a release file.

170e9de

julian-klode


      pkgcache: Bump major version to 12

We need to be able to update 1.4.y in different ways than later
apt versions, and thus need to bump the major version so there
is no collision in the minor version at some point.

12a2f66

julian-klode


      Squashed 'triehash/' changes from 565fde4e7..0ca66b761

0ca66b761 Redefine ambiguous to be much more simple
3d9adfb3f Add more comments
2896e78c2 Render C code to match longest prefix
21e620cf0 fix various typos reported by spellintian

git-subtree-dir: triehash
git-subtree-split: 0ca66b761aa56d42d35c4cc254f455424764895a

bbd26e1

julian-klode


      Merge triehash v0.2

5318af3

DonKult


      tests: fix gpg-agent killing in testcases

We want to kill the agent if its home directory exists at that location,
not if it isn't there (leaving an army of processes around).

Gbp-Dch: Ignore

fe8c10a

DonKult


      schedule the correct side of the conflict for removal

In complex situations in which we want to unpack a package which has a
conflict/breaks on another package which must be removed due this
conflict apt can decide to perform this remove earlier than initially
planned.

Problem: For three years apt wouldn't remove that package, but the
package which has the conflict… The situation isn't very common and
easily hidden as the package which is removed is unpacked a few actions
later – it becomes visible for packages which protect themselves from
removal through like systemd as the running init resulting in upgrade
failures (#854041).

Note that the package isn't purged, so data shouldn't be lost even if a
user runs into a "hidden" case of it as long as the package sticks to
the policy of removing data only on purge.

Reaching this situation artificially is hard, which is why no testcase
is included, as the situation is highly state dependent. Testing with
"real" systems indicate that slight modifications in the installed
packages set can make the bug not trigger.

Regression-Of: 0eb4af9
Thanks: Michael Biebl for helping find this with countless tests

d0eb158

DonKult


      avoid explicit types for pkg counts by auto

Changes nothing on the program front and as the datatypes are
sufficently comparable fixes no bug either, but problems later on if we
ever change the types of those and prevent us using types which are too
large for the values we want to store waste (a tiny bit of) resources.

Gbp-Dch: Ignore

fc2055e

DonKult


      don't show incorrect 'How odd' errror in no-download mode

Showing messages related to downloading in a mode which can't download
is pretty pointless, so instead of trying harder to make it so that
these messages do not trigger just skip them entirely.

That the message triggered here is an artifact of the implementation in
which the download items are finished, while the code expects them to be
still pending – even the in a previous run completely downloaded files.

Closes: 863635

3243dc5

DonKult


      Add a few more Auto-Detect-Proxy tests

Gbp-Dch: Ignore

5f930f6

DonKult


      Call update from apt-key test for a strange path test

We setup a "horrible" environment in the apt-key testcase to check all
kinds of things, but we really should be making also at least a simple
apt update call, as that in turn will call apt-key which is how apt-key
is used in the non-testcase world, so that calling should be able to
deal with such environments as well.

Gbp-Dch: Ignore

a8b19ae

DonKult


      Refactor finding compressor by name to avoid code dup

Git-Dch: Ignore

b224b8d

DonKult


      Annotate intended switch fall through in https

Reported-By: gcc-7
Gbp-Dch: Ignore

e1d7276

DonKult


      Refactor to avoid loop/dangling gcc warnings

Gbp-Dch: Ignore

f78fb67

DonKult


      Show permission error if ProxyAutoDetect cmd can't be executed

As the proxy commands are not executed as root, a user can run into
permission errors (s)he isn't expecting – as our switching is an
implementation detail – so the error message in that case should really
be better than a generic "error code 100" sending the user in the wrong
direction as that implies the command was executed, but errored out.

Closes: 857885

e250df1

DonKult


      make the create-test-data script great again

Changes in the past to the buildsystem and the testing framework broke
this little helper script – lets fix those problems to restore
functionality.

Gbp-Dch: Ignore

0cbe571

DonKult


      Avoid chdir in acquire clean with unlinkat

POSIX.1-2008 gives us a range of *at calls to deal with files
including the unlinkat so we can remove a file from a directory
based on a path to the file relative to the directory.
(In our case here the path we have is just the filename)

We avoid changing directories in this way which e.g. fails if the
directory we started in no longer exists or is otherwise inaccessible.

Closes: 860738

24fbb6a

DonKult


      ident a CD without changing directory

e91dd46

DonKult


      clean archives without changing directory

Adopting this change in other frontends will require source changes as
well similar to our own changes in apt-private/.

6829c54

DonKult


      avoid changing directory in mirror method

07815d4

DonKult


      warn if an expected file can't be acquired

If we couldn't find an entry for a Sources file we would generate an
error while for a Packages file we would silently skip it due to
assuming it is missing because it is empty. We can do better by checking
if the repository declares that it supports a component we want to get
the file from and if not say so and hint at the user making a typo.

An example were this helps is mozilla.debian.net which dropped the
firefox-aurora component (as upstream did) meaning no upgrades until the
user notices manually that the repository doesn't provide packages
anymore. With this commit warnings are raised hopefully causing the user
to investigate what is wrong (sooner).

d7c9241

DonKult


      show .diff/Index properly as ignored if we fallback

Moving the code responsible for parsing the Index file from ::Done into
the slightly earlier ::VerifyDone allows us to still "fail" the download
if we can't make use of the Index for whatever reason, so that the
progress log correctly displays "Ign" instead of "Get" for the file.

This also makes quiet a few debug messages proper error messages (but
those are still hidden by default for Ign lines).

188f297

DonKult


      fail InRelease on non-404 HTTP errorcodes

There are very many HTTP errorcodes which indicate that the repository
isn't available at the moment or the connection has some kind of
problem. Given that we do not require Release files the result was that
these errors were ignored and the user presented with a message like
"Repository is no longer signed" which sends the user in the wrong
direction.

Instead of trying to figure out which http errorcodes indicate a global
problem we accept only 404 for ignoring and consider all the rest as
hard errors now causing us to stop instantly after the InRelease file
and print the errorcode (with short description from server) received.

cbbf185

DonKult


      deal with 3xx httpcodes as required by HTTP/1.1 spec

An unknown code should be handled the same as the x00 code of this
group, but for redirections we used to treat 300 (and a few others)
as an error while unknown codes were considered redirections.

Instead we check now explicitly for the redirection codes we support for
redirecting (and add the 308 defined in RFC 7538) to avoid future
problems if new 3xx codes are added expecting certain behaviours.

Potentially strange would have been e.g. "305 Use Proxy" sending a
Location for the proxy to use – which wouldn't have worked and resulted
in an error anyhow, but probably confused users in the process.

42654d0

DonKult


      fix some unlikely memory leaks in error cases

The error cases are just as unlikely as the memory leaks to ever cause
real problems, but lets play it safe for correctness.

Reported-By: scan-build & clang
Gbp-Dch: Ignore

f68167a

DonKult


      travis: ignore profiling warning in progress lines

On Travis CI running tests with code coverage enabled sometimes
generates profiling lines, which we filter out for a while now,
but that misses lines generated showing progress still causing test
failures, so more sed logic is added in the hopes to ignore them.

Extends: 5860894
Gbp-Dch: Ignore

fc251c8

julian-klode


      Add clang-format definitions

Also add git-clang-format helper to help with }}}

Gbp-Dch: ignore

3cb78ee

julian-klode


      methods: connect: Change PkgAcqMethod to aptMethod

This will allow us to access ConfigFind() and stuff which makes
it possible for us to implement TLS support.

Gbp-Dch: ignore

b4afd84

julian-klode


      methods: connect: Switch from int fds to new MethodFd

Use std::unique_ptr<MethodFd> everywhere we used an
integer-based file descriptor before. This allows us
to implement stuff like TLS support easily.

Gbp-Dch: ignore

julian-klode


      methods: Add HTTPS support to http method, using GnuTLS

The http method will eventually replace the curl-based
https method, but for now, this is an opt-in experiment
that can be enabled by setting Dir::Bin::Methods::https
to "http".

Known issues:
- We do not support HTTPS proxies yet
- We do not support proxying HTTPS connections yet (CONNECT)
- IssuerCert and SslForceVersion are unsupported

Gbp-Dch: Full

2851ec6

julian-klode


      Allow building without curl

This makes testing easier and prepares us for the
transition.

0fe2161

julian-klode


      methods: http: Drain pending data before selecting

GnuTLS can already have data pending in its buffers, we need
to to drain that first otherwise select() might block
indefinitely.

Gbp-Dch: ignore

f806530

DonKult + julian-klode


      Fix https->http redirect issues

Gbp-Dch: ignore

29a08d8

julian-klode


      Fix test suite and enable non-curl testing on travis, shippable

Gbp-Dch: ignore

c81b838

julian-klode


      Introduce Acquire::AllowTLS to turn off TLS support

As requested by Henrique de Moraes Holschuh, here comes
an option to disable TLS support. If the option is set
to false, the internal TLS layer is disabled.

147ac0f

julian-klode


      Skip test-apt-download-progress

The test keeps failing continously on Ubuntu, so let's
fix it for now.

930e2df

julian-klode


      Merge branch 'feature/http-https'

11c3624

DonKult


      fail instead of warn on insecure repositories in apt-get

The exception was made to give (script) users a one-release grace period
to adapt their setup to deal with apt enforcing signing of repositories.
As we are now at the start of a new release cycle its as good a time as
any to lift it now.

Removes-Exception: 952ee63

cbaf353

DonKult


      error in update on Release information changes

The value of Origin, Label, Codename and co can be used in user
configuration from apts own pinning to unattended upgrades.
A repository changing this values can therefore have serious effects on
the behaviour of apt and other tools using these values.

In a first step we will generate error messages for these changes now
explaining the need for explicit confirmation and provide config options
and commandline flags to accept them.

081fbea

DonKult


      show a Release-Notes URI if infos were changed

This gives the repository owner a chance to explain why this change was
needed – e.g. explaining the organisational changes or simply detailing
the changes in the new release made. Note that this URI is also shown
if the change is accepted, so it also draws attention to release notes
of minor updates (if users watch apt output closely).

96ebab4

DonKult


      allow frontends to override releaseinfo change behaviour

Having messages being printed on the error stack and confirm them by
commandline flags is an okayish first step, but some frontends will
probably want to have a more interactive feeling here with a proper
question the user can just press yes/no for as for some frontends a
commandline flag makes no sense…

ca8da1b

DonKult


      ask for releaseinfo change interactively in apt

If we have a user sitting around we can let 'apt' ask the user for a
confirmation rather than print errors at the end and require the user to
figure out which commandline flags are needed to confirm the changes
non-interactively.

24b5bc4

DonKult


      Merge branch 'feature/releaseinfochange'

dfe0e75

julian-klode


      Strip 0: epochs from the version hash

This should fix some issues with dpkg normalizing such
values. Suprisingly enough apt treats the Version: field
the same, even with epoch vs without, but not when searching,
and does not strip the 0: from the output.

6edfda8

julian-klode


      Upload 1.5~alpha1 to experimental

c939016

DonKult


      support tor+https being handled by http

The apt-transport-tor package operates via simple symlinks which can
result in 'http' being called as 'tor+https', so it must pick up the
right configuration pieces and trigger https support also in plus names.

579f8f1

DonKult


      use port from SRV record instead of initial port

An SRV record includes a portnumber to use with the host given, but apt
was ignoring the portnumber and instead used either the port given by
the user for the initial host or the default port for the service.

In practice the service usually runs on another host on the default
port, so it tends to work as intended and even if not and apt can't get
a connection there it will gracefully fallback to contacting the initial
host with the right port, so its a user invisible bug most of the time.

9bdc090

Robert Luberda + DonKult


      fix a "critical" typo in old changelog entry

This typo exposes a bug in apt-listchanges that prevents commands like
`apt-listchanges --show-all apt_*.deb' from showing the changelog.
The bug will be fixed in next upload of apt-listchanges, but I think
it would be nice have the typo fixed as well.

Closes: 866358

ec0ebf7

julian-klode


      Improve error message if system CA store is empty

Tell the user to install ca-certificates.

Closes: #866377

5e9c1b3

julian-klode


      Have apt Recommend ca-certificates

The http method needs ca-certificates for TLS
support, so enable it.

617e315

julian-klode


      Demote gnupg to Suggests

stretch was the migration release for gpg->gpgv basically,
so let's demote it now.

22ee196

julian-klode


      http: Only use system CA store if CaInfo is not set

It turns out that curl only sets the system trust store if
the CaInfo option is not set, so let's do the same here.

58a1a72

julian-klode


      Bump Standards-Version (and wrap-and-sort a bit)

47e66f6

julian-klode


      Build-Depend on debhelper (>= 10) to shut up lintian

55db48d

julian-klode


      Upload 1.5~alpha2 to experimental

24f801b

julian-klode


      Don't read CaInfo if not specified (missing else)

This fixes a regression from ~alpha2.

Closes: #866559
Gbp-Dch: Full

425e2df

julian-klode


      Upload 1.5~alpha3 to experimental

af56ad0

julian-klode


      Reset failure reason when connection was successful

When APT was trying multiple addresses, any later error
somewhere else would be reported with ConnectionRefused
or ConnectionTimedOut as the FailReason because that
was set by early connect attempts. This causes APT to
handle the failures differently, leading to some weirdly
breaking test cases (like the changed one).

Add debugging to the previously failing test case so
we can find out when something goes wrong there again.

d3a70c3

julian-klode


      Allow running the TLS stack on any lower connection

This is especially needed if we use an HTTPS proxy to CONNECT
to an HTTPS URI, as we run TLS-inside-TLS then.

4b1d19f

julian-klode


      http: Add support for CONNECT proxying to HTTPS locations

Proxying HTTPS traffic requires the proxy providing the
CONNECT method. This implements the client side of it,
although it is a bit hacky.

HTTP connect is a normal HTTP CONNECT request, followed
by a normal HTTP response, just that the body of the
response is the TCP stream of the target host.

We use a special wrapper in case there are data bytes
in the header packets - in that case, the bytes are
stored in a buffer and the buffer will be drained first,
afterwards the connection continues directly with the
TCP stream (with one more vcall).

Also: Do not send full URI to https destinations when proxying,
as we are directly interfacing with the destination data stream.

64207da

julian-klode


      http: Add support for https:// proxies

HTTPS proxies just require unwrapping the TLS layer at the proxy
connection, that's easy, and of course sending proxy-specific
headers that are sent on "http" proxies.

bafebf1

julian-klode


      Allow http(s) and socks5h for http and https in proxy auto detect

This makes it possible to write sensible auto detect scripts.

535c06a

julian-klode


      travis: Switch to Docker

This runs parallel builds on docker, based on debian:testing
docker images, with ccache enabled and parallel running of the
test suite (ccache supports coverage builds these days, and
parallel testing just needs unbuffer to handle the stty stuff)

This is a huge step up from building on a mix of trusty, wily,
and xenial. Most importantly, coverage now correctly detects
partial covered lines instead of just reporting almost all of
them as fully covered.

We use ftp.de.debian.org as deb.debian.org backed by Amazon
503s too often.

Gbp-Dch: ignore

46c3134

julian-klode


      Switch to 'http' as the default https method

The old curl based method is still available as 'curl',
'curl+http', and 'curl+https'.

c6a428e

julian-klode


      Improve closing the TLS connection

If gnutls_session_bye() exited with an error, we never closed
the underlying file descriptor, causing the method to think the
connection was still open. This caused problems especially in
test-partial-file-support where we checked that a "complete"
file and an incomplete file work. The first GET returns a 416
with Connection: close, and the next GET request then accidentally
reads the body of the 416 as the header for its own request.

8f5db6b

julian-klode


      TLS support: Error out on unsupported curl options

Silently ignoring the options might be a security issue,
so produce an error instead.

6a0e7ac

julian-klode


      CMake: Do not allow FORCE_CURL=ON with WITH_CURL=OFF

This makes no sense. We need both entries in the cache, as
we check FORCE_CURL in the test suite.

Gbp-Dch: ignore

julian-klode


      shippable: Run tests in parallel

Gbp-Dch: ignore

d6bcfa4

julian-klode


      Upload 1.5~alpha4 to experimental

3be04d3

julian-klode


      Make Verify-Host and Verify-Peer independent again

We can actually just pass null as a hostname, so let's just
do that when Verify-Host is set to false.

9a34c85

julian-klode


      http: A response with Content-Length: 0 has no content

APT considered any response with a Content-Length to have a
body, even if the value of the header was 0. A 0 length body
however, is equal to no body.

d47fb34

julian-klode


      Ignore download order in test-apt-update-failure-propagation

This caused spurious test failures.

c72cc1c

julian-klode


      travis/docker: Various improvements

- Use a tmpfs for /tmp - not really a benefit here,
  except for travis as it's writing less now.
- Use the fastly CDN - about twice as fast as ftp.de,
  and seems more stable than cloudfront
- Run apt-get clean to keep container smaller - should
  not be needed really, but let's just do it.

Gbp-Dch: ignore

d34f0e2

julian-klode


      tls: Add more details to error messages, and detect more errors

This should make it easier to figure out what was
going on.

a742bac

julian-klode


      Do not error out, only warn if ca certificates are not available

This probably makes more sense if Verify-Peer is set to off.

55673e5

julian-klode


      Swap file descriptors before the handshake

This makes more sense. If the handshake failed midway, we still
should run the gnutls bye stuff. The thinking here is to only
set the fd after the session setup, as we do not modify it
before, so if it fails in session setup, you retain a usable
file descriptor.

Gbp-Dch: ignore

f3b9e58

DonKult + julian-klode


      don't set ip addresses as server names for SNI

It is kinda unlikely that apt will ever encounter a certificate for an
IP and a user actually using it, but the API documentation for
gnutls_server_name_set explicitly says that "IPv4 or IPv6 addresses are
not permitted to be set by this function.", so we should follow it.

[jak@d.o: Slightly rebased]

405189f

DonKult + julian-klode


      formatter: support running from subdirectories

Gbp-Dch: Ignore

b42836a

julian-klode


      Stop bragging about old speeds in http.cc comments

That's just ridiculous these days.

Gbp-Dch: ignore

239d008

Алексей Шилин + julian-klode


      Russian translation update

63c5e6b

julian-klode


      Release 1.5~beta1

28380ed

CDLuminate


      zh_CN.po: update Simplified Chinese programs translation

418a8a4

DonKult


      don't expect more downloads from failed transactions

Progress only shows if we have an idea of how much files we will
acquire, but if a transaction fails before we have got an idea we ended
up never showing progress even through we know that a failed transaction
will not download additional files.

d10502c

Beatrice Torracca + DonKult


      Italian manpage translation update

Closes: 858877

ff26d24

DonKult


      fix various typos reported by codespell & spellintian

Reported-By: codespell & spellintian
Gbp-Dch: Ignore

4a9c136

apoikos + julian-klode


      Handle supported components with slashes in sources.list

Commit d7c9241 parses the Components
section of (In)Release and attempts to detect the distribution's
supported components. While doing so, it handles component names with
slashes in a special manner, assuming that the actual component is only
the part after the final slash. This is done to handle
security.debian.org, which usually appears in sources.list as follows:

 deb http://s.d.o/debian-security stretch/updates main contrib non-free

while the actual release file has:
 Codename: stretch
 Components: updates/main updates/contrib updates/non-free

While this special handing on APTs part indeed works for
debian-security, it emits spurious warnings on repositories that
actually use slashes in the component names *and* appear so in
sources.list.

We fix this by adding both component versions (whole and final part) to
the SupportedComponents array.

Closes: #868127

5caf6ee

julian-klode


      Drop cacheiterators.h include

Including cacheiterators.h before pkgcache.h fails because
pkgcache.h depends on cacheiterators.h.

c46f94a

julian-klode


      methods/aptmethod.h: Add missing fileutl.h include

78fcdd9

julian-klode


      Reformat and sort all includes with clang-format

This makes it easier to see which headers includes what.

The changes were done by running

    git grep -l '#\s*include'  \
        | grep -E '.(cc|h)$' \
        | xargs sed -i -E 's/(^\s*)#(\s*)include/\1#\2 include/'

To modify all include lines by adding a space, and then running
./git-clang-format.sh.

87274d0

julian-klode


      cacheiterators: Warn about direct include and don't include pkgcache.h

This adds a warning so existing working code will still
work (as it includes pkgcache.h first anyway), but it will
know that it's not right to include this file directly.

51da612

julian-klode


      Update gitignore with new files

46e1aa6

julian-klode


      Merge branch 'misc/include-cleanup'

This should make it easier to read includes.

11f92b1

pabs3 + julian-klode


      Support zero delay for the various APT::Periodic activities

[squashed:]

apt.systemd.daily: check_stamp: check for 'always' before numerical values

Prevents a crash when the configuration actually uses 'always':

apt.systemd.daily: 402: [: Illegal number: always

ca90c38

pabs3 + julian-klode


      Support seconds, minutes, hours and days for APT::Periodic intervals

1d9e29c

pabs3 + julian-klode


      Fix some more crashes when APT::Periodic options are set to always

Gbp-Dch: ignore

0f3f9e6

pabs3 + julian-klode


      Switch from /org to /srv in example apt-ftparchive configuration

/org has been obsoleted by /srv for many years on debian.org hosts.

da2dd02

julian-klode


      Merge pull request Debian/apt#44 from willismonroe/patch-1

Minor grammar fix

[jak@d.o: Fixed up po/]

e0204f0

julian-klode


      Use C++11 threading support instead of pthread

This makes the code easier to read.

b28636e

julian-klode


      Fix memory leak in C++-thread-local _error implementation

We can't allocate a pointer here, it would not get released - use
an object instead.

Gbp-Dch: ignore

414b7d5

rbalint + julian-klode


      Gracefully terminate process when stopping apt-daily-upgrade

The main process is guessed by systemd. This prevents killing dpkg
run by unattended-upgrades in the middle of installing packages
and ensures graceful shutdown.

The timeout of 900 seconds after which apt-daily-upgrade.service
is killed is in sync with unattended-upgrades's timer.

LP: #1690980

78bc10d

DonKult


      remove reference to a-t-debtorrent in description

debtorrent and its helper apt-transport-debtorrent were removed from
Debian in 2013 based on the bugreports #730459 and #731281. As they
aren't available, we shouldn't make references to them anymore. a-t-tor
is picked as replacement for the example.

49a81c2

DonKult


      ignore SIGPIPE in dump solver if forwarding

Our test-external-dependency-solver-protocol test sometimes fails on the
immediately 'crashing' solver exit1withoutmsg with the message that it
got SIGPIPE from the solver. That isn't really possible as the solver
produces no output, but on inspection its not this solver getting the
signal but the wrapping provided by the dump-solver as the wrapped
solver instantly exits. Simply ignoring the signal helps in perhaps
extracting the last words of another solver (as this one has none), but
at the very least we get the exit code of the wrapped solver we
interested in as output.

b1165a6

DonKult


      support compressed extended_states file for bug triage

This file isn't compressed by default, but it might be compressed by a
bugreporter and uncompressing it is extra work apt could do just as well
on the fly as needed just like it does for the dpkg/status file.

ee32009

DonKult


      don't try to rename failed pdiff patches twice

RenameOnError does the rename already, so the check for existence will
always fail making this some completely harmles but also completely
pointless two lines of code we are better of removing.

Gbp-Dch: Ignore

245b9b0

DonKult


      don't move failed pdiff indexes out of partial

The comment says this is intended, but looking at the history reveals
that the comment comes from a different era. Nowadays we don't really
need it anymore (and even back then it was disputeable) as we haven't
used that file for our update in the end and nothing really needs this
file after the update.

Triggered is this by 188f297 which
moves various error conditions forward including this code expecting the
file to exist – but it doesn't need to as download could have failed.
We could fix that by simple checking if the file exists and only stage
it if it does, but instead we don't stage it and instead even rename it
out of the way with our conventional FAILED name (if it exists).

That restores support for partial mirrors (= in this case mirrors which
don't ship pdiff files). Note that apt heals itself even if only such a
mirror is used as the update is successful even if that error is shown.

Closes: 869425

8df85a4

DonKult


      don't try to parse all fields starting with HTTP as status-line

It is highly unlikely to encounter fields which start with HTTP in
practice, but we should really be a bit more restrictive here.

1c5f13d

DonKult


      send weak-only hashes to methods

Weak hashes like filesize can be used by methods for basic checks and
early refusals even if we can't use them for hard security proposes.

Normal apt operations are not affected by this as they fail if no strong
hash is available, but if apt is forced to work with weak-only files or
e.g. in apt-helper context it can have benefits as weak is better than
no hash for the methods.

85f4a65

DonKult


      fail earlier if server answers with too much data

We tend to operate on rather large static files, which means we usually
get Content-Length information from the server. If we combine this
information with the filesize we are expecting (factoring in pipelining)
we can avoid reading a bunch of data we are ending up rejecting anyhow
by just closing the connection saving bandwidth and time both for the
server as well as the client.

d7518db

DonKult


      fail early in http if server answer is too small as well

Failing on too much data is good, but we can do better by checking for
exact filesizes as we know with hashsums how large a file should be, so
if we get a file which has a size we do not expect we can drop it
directly, regardless of if the file is larger or smaller than what we
expect which should catch most cases which would end up as hashsum
errors later now a lot sooner.

f2f8e89

DonKult


      use FileFd to parse all apt configuration files

Using different ways of opening files means we have different behaviour
and error messages for them, so by the same for all we can have more
uniformity for users and apt developers alike.

3317ad8

DonKult


      show warnings instead of errors if files are unreadable

We used to fail on unreadable config/preferences/sources files, but at
least for sources we didn't in the past and it seems harsh to refuse to
work because of a single file, especially as the error messages are
inconsistent and end up being silly (like suggesting to run apt update
to fix the problem…).

LP: #1701852

DonKult


      reimplement and document auth.conf

We have support for an netrc-like auth.conf file since 0.7.25 (closing
518473), but it was never documented in apt that it even exists and
netrc seems to have fallen out of usage as a manpage for it no longer
exists making the feature even more arcane.

On top of that the code was a bit of a mess (as it is written in c-style)
and as a result the matching of machine tokens to URIs also a bit
strange by checking for less specific matches (= without path) first.
We now do a single pass over the stanzas.

In practice early adopters of the undocumented implementation will not
really notice the differences and the 'new' behaviour is simpler to
document and more usual for an apt user.

Closes: #811181

ea408c5

DonKult


      lookup login info for proxies in auth.conf

On HTTP Connect we since recently look into the auth.conf file for login
information, so we should really look for all proxies into the file as
the argument is the same as for sources entries and it is easier to
document (especially as the manpage already mentions it as supported).

6291fa8

DonKult


      allow the auth.conf to be root:root owned

Opening the file before we drop privileges in the methods allows us to
avoid chowning in the acquire main process which can apply to the wrong
file (imagine Binary scoped settings) and surprises users as their
permission setup is overridden.

There are no security benefits as the file is open, so an evil method
could as before read the contents of the file, but it isn't worse than
before and we avoid permission problems in this setup.

881ec04

DonKult


      update URI scheme descriptions in sources.list(5)

afd7cd6

DonKult


      show a warning for Debian shutting down FTP services

We detect the effected sources by matching Release info – that has
potential by-catch of repositories which have incorrect field values,
but those are better fixed now anyhow. The bigger incorrectness is that
this message will not only be printed for the Debian services itself but
also for all mirrors not under Debian control but serving Debian like more
local/private mirrors which will not (directly) shutdown. It is likely
through that many of them will follow suite with less visible
announcements or break downright if their upstream source disappears, so
having false-positives here seems benefitial for the user in the end.

054243f

DonKult


      suggest using auth.conf for sources with passwords

The feature exists for a long while even if we get around to document
it properly only now, so we should push for its adoption a bit to avoid
the problems its supposed to solve like avoiding usage of non-world
readable configuration files as they can cause strange behaviour for the
unsuspecting user (like different solutions as root and non-root).

DonKult


      Merge branch 'feature/authconf'

2920e94

Dominik-K + julian-klode


      doc: Add '--allow-unauthenticated' to '--force-yes'

e1d66c9

julian-klode


      Always warn if --force-yes is validly specified, not just if used

The code only used to warn when it came into a situation where
something actually had to be forced. Warn directly after parsing
the command-line instead, that's more accurate.

eb0ccb0

DonKult


      ftparchive: sort discovered filenames before writing indexes

If 'apt-ftparchive packages /path/to/files/' (or sources) is used the
files to include in the generated index (on stdout) were included in the
order in which they were discovered, which isn't a very stable order
which could lead to indexes changing without actually changing content
causing needless changes in the repository changing hashsums, pdiffs,
rsyncs, downloads, ….

This does not effect apt-ftparchive calls which already have an order
defined via a filelist (like generate) which will still print in the
order given by the filelist.

Note that a similar effect can be achieved by post-processing index
files with apt-sortpkgs.

Closes: 869557
Thanks: Chris Lamb for initial patch & Stefan Lippers-Hollmann for testing

d108e01

DonKult


      don't keep configuration files open needlessly

Regression-Of: 3317ad8

898d53a

DonKult


      don't hang if multiple sources use unavailable method

APT clients always noticed if a method isn't supported and nowadays
generate a message of the form:
	E: The method driver …/foobar could not be found.
	N: Is the package apt-transport-foobar installed?

This only worked if a single source was using such an unavailable method
through as we were registering the failed config the first round and
the second would try to send requests to the not started method, which
wouldn't work and hang instead (+ hiding the error messages as they would
be shown only at the end of the execution).

Closes: 870675

e250a8d

julian-klode


      Work around float rounding change in gcc 7 on i386

This caused a build failure in the test suite.

79c0a12

julian-klode


      Handle GCC 7 std::string operator ABI break

We now require gcc 7 on the packaging side, and add an appropriate
symbol to our symbols file.

Also adjust prepare-release to ignore g++ version requirements
when setting up build dependencies on CI.

Closes: #871275

f63b3e0

julian-klode


      debian: Update symbols for libapt-pkg5.0

The version is probably wrong for most, but oh well,
let's just pretend we are introducing them now.

550907a

julian-klode


      doc: Fix validity error in apt_auth.conf.5.xml

It contained raw text inside a refsect1

Gbp-Dch: ignore

ea7581c

julian-klode


      Release 1.5~beta2

d64ef1c

julian-klode


      Redefine APT_CONST to mean APT_PURE

Functions marked with the const attribute may not inspect
any global memory. This includes targets of pointers or
references passed as arguments. A pure function however
is free to inspect memory, but may not have any side
effects.

The function StringSplit() was marked as const, but took
two references to strings. When the second one was passed
as a literal as in StringSplit(name, "::") the compiler
cleverly figured out that we only inspect the address of
"::" (since StringSplit is const) and thus optimized away
the "::" content.

While patching out individual broken uses of APT_CONST
would be possible, this is already the second case, and
there might be more, so let's redefine APT_CONST to use
the pure attribute, so we don't end up with the same
situation again in some time.

03590fb

julian-klode


      Replace APT_CONST with APT_PURE everywhere

As a follow up to the last commit, let's replace APT_CONST
with APT_PURE everywhere to clean stuff up.

0e4ac83

julian-klode


      Make test-bug-818628-unreadable-source work on !amd64

It was broken because apt.conf.d was not readable, but that's
where the architecture is defined...

427828d

julian-klode


      Release 1.5~rc1

d885930

julian-klode


      Actually install apt_auth.conf manual page

Seems we forgot to update the packaging when adding the manual
page. Once we have translations for it, we need to add them
as well...

Closes: #873934

90bfc5b

ctrochalakis + julian-klode


      doc: correct '--allow-releaseinfo-change-*' typos

Closes: #873914

c711cb7

Frans Spiesschaert + julian-klode


      Dutch program translation update

Closes: #874285

3d60161

Frans Spiesschaert + julian-klode


      Dutch manpage translation update

Closes: #874293

f763f14

julian-klode


      test: Workaround gpgv warning

gpgv: WARNING: This key is not suitable for signing in --compliance=gnupg mode

4d4459a

DonKult


      don't write & chmod /dev/null log files

APT by default logs terminal (term.log) and actions (history.log), but
if either or Dir::Log directly is set to /dev/null it continues to do
so, which isn't too bad – just wasted effort – but term.log is
chmodded to protect it from the general public (as it may contain
otherwise private data the admin entired in the terminal) which
shouldn't happen for /dev/null.

149ee40

DonKult


      add test for bug 870675 (hang on unsupported method)

Commit e250a8d implemented the fix and
should have included already this testcase for it.

Gbp-Dch: Ignore

8130f39

DonKult


      don't ask an uninit _system for supported archs

A libapt user who hasn't initialized _system likely has a reason, so we
shouldn't greet back with a segfault usually deep down in the callstack
for no reason. If the user had intended to pick up information from the
system, _system wouldn't be uninitialized after all.

LP: #1613184
SRU: 1.4.y

cba5c5a

DonKult


      drop unused/unimplemented & hidden LoadReleaseInfo

The relevant calling code as well as the implementation for the deb
system was removed 2 years ago with the refactoring of release
information storage (b07aeb1).
This commit removes the the unused remains of this change with no
practical effect on anybody (expect codesize) as the methods were
declared as hidden and hence only libapt could have called it.

Gbp-Dch: Ignore

julian-klode


      apt-daily: Wait for network before daily updates

Introduce a new helper, apt-helper wait-online that uses
NetworkManager and/or systemd-networkd to wait for them
reporting online, with a time out of 30 seconds; and run
that helper before running the daily update script.

LP: #1699850
Gbp-Dch: Full

669e9a9

julian-klode


      apt-daily: Pull in network-online.target in service, not timer

There's no real point in pulling it in in the timer already,
and it it somewhat saver to do so in the service.

11417c1

julian-klode


      Do not warn about duplicate "legacy" targets

If a source has a legacy Contents file, and two lines mention
the same archive but different components, a warning would be
issued that is confusing. So, as the field is named Contents-deb-legacy,
let's just not print warnings for fields containing "legacy".

LP: #1697120
Closes: #839259

5a74746

julian-klode


      cdrom: Don't hardcode "Files" field for copying source files

This fails if no Files field exists anymore, for example, because
the Sources index only contains SHA256 hashes. Instead check all
hashes.

03ba8fc

julian-klode


      ftparchive: Do not pass through disabled hashes in Sources

When writing a Sources files hashes that were already present
in the .dsc were always copied through (or modified), even if
disabled. Remove them instead when they are disabled, otherwise
we end up with hashes for tarballs and stuff but not for dsc
files (as the dsc obviously does not hash itself).

Also adjust the tests: test-compressed-indexes relied on Files
being present in showsrc, and test-apt-update-weak-hashes expected
the tarball to be downloaded when an archive only has MD5 and we
are requiring SHA256 because that used to work because the tarball
was always included.

Closes: #872963

8d23827

julian-klode


      Directly link against libudev on Linux systems

We previously dlopen()ed it, but it seems painful to do that
without any real gain, except for possibly not having libudev
in the address space and not having code #ifdefed for Linux.

The latter means that we are a bit more likely to break stuff
for non-Linux systems now if we play with udev, but at least
we don't end up with it silently breaking because of a libudev
ABI break.

The existing function pointers in the struct were renamed and
kept for compat purposes.

Fixes Debian/apt#48

Also adjust prepare-release to strip [linux-any] from build-depends
for travis.

96b4580

julian-klode


      Release 1.5~rc2

a670cee

julian-klode


      CMake: Properly handle Udev missing

When udev is not available, the variables for libraries and
include paths are set to NOTFOUND rather than an empty string
and CMake exits with an error. Use a generator expression to
only use these variables when UDEV_FOUND is true.

b13861f

julian-klode


      CMake: Mark BZip2, LZMA, and LZ4 as required

We do not actually test without these libraries, and it likely
would not build without them due to them being NOTFOUND and CMake
exiting with an error, so let's just mark them as required.

53f7fb3

julian-klode


      apt-helper: Add connman support to wait-online

28afe64

julian-klode


      clang-format: Set ContinuationIndentWidth: 3

This fixes the indentation of struct members, for
example, which were previously indented by 4 spaces.

Gbp-Dch: ignore

8e222df

julian-klode


      Release 1.5~rc3

5a72bf3

julian-klode


      apt-daily: Do not Wants=network-online, and add some more After=

We now wait for being online ourselves, so all we need to wait
on is for services we are using to be online first. This avoids
severe boot slowdowns by other services having specified an
After=network-online.target without a Wants=.

Gbp-Dch: Full

8b50b10

julian-klode


      Release 1.5~rc4

julian-klode


      Fix translator comment location for legacy target warning

In commit Do not warn about duplicate "legacy" targets, we
we added an if, that changed the .po files...

e9db5ba

julian-klode


      Release 1.5

e178f78

julian-klode


      Bump Standards-Version to 4.1.0

8bf1c39

julian-klode


      Drop obsolete dh-systemd build-dep

710ae24

julian-klode


      Drop obsolute Testsuite: autopkgtest header

6d44f50

julian-klode


      Drop curl method and apt-transport-https package

This automatically removes any old apt-transport-https, as
apt now Breaks it unversioned.

5e770a0

DonKult


      proper error reporting for v3 onion services

APT connects just fine to any .onion address given, only if the connect
fails somehow it will perform checks on the sanity of which in this case
is checking the length as they are well defined and as the strings are
arbitrary a user typing them easily mistypes which apt should can be
slightly more helpful in figuring out by saying the onion hasn't the
required length.

f3e3483

DonKult


      allow empty build-dependency fields in the parser

APT used to parse only wellformed files produced by repository creation
tools which removed empty files as pointless before apt would see them.

Now that apt can be told to parse e.g. debian/control files directly, it
needs to be a little more accepting through: We had this with comments
already, now let it deal with the far more trivial empty fields.

Closes: #875363

7ea3c67

DonKult


      use pkgTagSection::Key in srcRecords parser

Using hardcoded array-indexes in the build-dependency parsing is
efficient, but less discoverable and easier to break. We can avoid
this by making it even more efficient (not that it would be noticeable)
allowing us to do explicitly named comparisons instead.

Gbp-Dch: Ignore

d006da1

DonKult


      send the hashes for alternative file correctly

This isn't really used by the acquire system at all at the moment and
the only method potentially sending this information is file://, but
that used to be working correctly before broken in 2013, so better fix
it now and worry about maybe using the data some day later.

Regression-Of: b3501ed

19e525a

DonKult


      ignore unsupported key formats in apt-key

gpg2 generates keyboxes by default and users end up putting either those
or armored files into the trusted.gpg.d directory which apt tools
neither expect nor can really work with without fortifying backward
compatibility (at least under the ".gpg" extension).

A (short) discussion about how to deal with keyboxes happened in
https://lists.debian.org/deity/2017/07/msg00083.html
As the last message in that thread is this changeset lets go ahead
with it and see how it turns out.

The idea is here simply that we check the first octal of a gpg file to
have one of three accepted values. Testing on my machines has always
produced just one of these, but running into those values on invalid
files is reasonabily unlikely to not worry too much.

Closes: #876508

DonKult


      remove pointless va_copy to avoid cleanup dance

A va_copy call needs to be closed in all branches with va_end, so these
functions would need to be reworked slightly, but we don't actually need
to copy the va_list as we don't work on it, we just push it forward, so
dropping the copy and everyone is happy.

Reported-By: cppcheck
Gbp-Dch: Ignore

50920fc

DonKult


      avoid using NULL in varadic function for cmdline parsing

cppcheck reports:
(portability) Passing NULL after the last typed argument to a variadic
function leads to undefined behaviour.

We don't ship on any platform which has this as undefined behaviour
through – or it would be pretty well defined "bad" behaviour which
always works, so even through UB is a trigger word, its hardly
noteworthy as a change (and as a bonus the scanners of gcc/clang
don't consider it UB).

The commonly accepted method of fixing that seems to be (const
char*)NULL, but it is in fact much simpler to just switch to the varadic
functions C++ provides resolving the warning and reducing code.

Reported-By: cppcheck
Gbp-Dch: Ignore

bf6c329

CDLuminate


      zh_CN.po: Update Simplified Chinese programs translation

91c9066

Frans Spiesschaert + julian-klode


      Dutch program translation update

Closes: #879137

f7281c4

julian-klode


      Fix testsuite for and add new fields from dpkg 1.19

tagfile-order.c: Add missing fields from dpkg 1.19

For binary packages, this is Build-Essential; for source packages,
it is Description.

test-bug-718329-...: Ignore control.tar.*, changes in dpkg 1.19

test-apt-extracttemplates: Fix for dpkg 1.19

404dece

julian-klode


      Run Proxy-Auto-Detect script from main process

This avoids running the Proxy-Auto-Detect script inside the
untrusted (well, less trusted for now) sandbox. This will allow
us to restrict the http method from fork()ing or exec()ing via
seccomp.

1a76517

julian-klode


      Run the ProxyAutoDetect script in the sandbox again

The previous change moved running the proxy detection program from the
method to the main process, so it runs as root and not as _apt. This
brings it back into the sandbox.

Gbp-Dch: ignore

0934b6b

julian-klode


      methods/mirror: Enable sandboxing and other aptMethod features

Sandboxing was turned off because we called pkgAcqMethod's
Configuration() instead of aptMethod's.

8616c21

julian-klode


      methods/basehttp.cc: Remove proxy autodetect debugging code

This was a left over from the autodetect move.

Gbp-Dch: ignore

9130b5f

julian-klode


      Sandbox methods with seccomp-BPF; except cdrom, gpgv, rsh

This reduces the number of syscalls to about 140 from about
350 or so, significantly reducing security risks.

Also change prepare-release to ignore the architecture lists
in the build dependencies when generating the build-depends
package for travis.

We might want to clean up things a bit more and/or move it
somewhere else.

32bcbd7

julian-klode


      seccomp: Add missing syscalls for ppc64el, i386, and others

These are a few overlooked syscalls. Also add readv(), writev(),
renameat2(), and statx() in case libc uses them.

Gbp-Dch: ignore

f5572ef

julian-klode


      Release 1.6~alpha1

abe4290

julian-klode


      seccomp: Conditionalize statx() whitelisting

statx was introduced in 4.11, so it fails to build in stretch if
we just unconditionally use it.

669b310

julian-klode


      CMake: methods: Cleanup link libraries, use OBJECT libraries

Use OBJECT libraries for http and connect stuff, and move the
seccomp link expression into a global link_libraries() call.

This also fixes a bug where only the http target pulled in
the gnutls header arguments despite gnutls being used in
connect.cc, and thus by mirror and ftp as well.

Adjust translation support to ignore TARGET_OBJECTS sources
and add the OBJECT libraries to the translated files.

43b9eb5

julian-klode


      methods: Enable additional syscalls (SYSV IPC) in fakeroot

If FAKED_MODE is set, enable SYSV IPC so we don't crash when
running in fakeroot.

Closes: #879662

cf1a98b

julian-klode


      Don't segfault if receiving a method warning on empty queue

We would like to issue a warning about seccomp support in
Configuration(), but since the queue is empty, there is no
current item to show the URL for and we get a segfault. Show
the protocol instead.

e04bed5

julian-klode


      Only warn about seccomp() EINVAL (normal) and EFAULT (qemu) errors

If seccomp is disabled, we fallback to running without it. Qemu fails
in the seccomp() call, returning ENOSYS and libseccomp falls back to
prctl() without adjusting the pointer, causing the EFAULT. I hope
qemu gets fixed at some point to return EINVAL for seccomp via
prctl.

Bug-Qemu: https://bugs.launchpad.net/qemu/+bug/1726394

230b057

julian-klode


      Print syscall number and arch to stderr when trapped by seccomp

This should help debugging crashes. The signal handler is a C++11
lambda, yay! Special care has been taken to only use signal handler
-safe functions inside there.

39656a6

julian-klode


      CMake: Get rid of some debugging messages

This fixes a regression introduced in

commit 43b9eb5

  CMake: methods: Cleanup link libraries, use OBJECT libraries

Gbp-Dch: ignore

924eaf3

julian-klode


      Release 1.6~alpha2

b8061d5

julian-klode


      debian/tests/control: Add dpkg so we get triggered by it

We do want to get our autopkgtests triggered by dpkg uploads
in Ubuntu, but this does not happen because we don't have
an explicit dependency on it. Add one.

b1989ab

julian-klode


      seccomp: Allow ipc() for fakeroot, and allow sysinfo() for sort

Sorting apparently calls sysconf() which calls sysinfo() to get
free pages or whatever.

Closes: #879814, #879826

b514128

julian-klode


      Drop unused gzip, lzma, bzip2, and xz symlinks of store

The store method replaced them all, the symlinks where mostly
for partial upgrades or whatever, they should not be needed
any longer.

cc1f94c

julian-klode


      seccomp: Allow clock_nanosleep() and nanosleep() syscalls

We sleep in http.cc, so we should allow the sleeping syscalls.

cfb6061

julian-klode


      Prevent overflow in Installed-Size (and Size) in apt show

Installed-Size for linux-image-4.13.0-1-amd64-dbg and friends
are larger than 4 GB, but read as a signed integer - that's
fine so far, as the value is in KB, but it's multiplied with
1024 which overflows. So let's read it as unsigned long long
instead.

While we're at it, also use unsigned long long for Size, in
case that is bigger than 2 GB.

a637547

julian-klode


      Also use FindULL for checking if the size tags is valid

It used FindI() > 0, but if it is too big, FindI() would
cause an error "Cannot convert %s to integer: out of range",
so let's also use FindULL() here.

Gbp-Dch: ignore

197a813

DonKult


      use store: instead of gzip: to open local changelogs

Regression-Of: cc1f94c

cd54ff9

julian-klode


      Release 1.6~alpha3

d1f0472

julian-klode


      debian: Set Rules-Requires-Root: no

We don't need fakeroot for building!

cf10563

julian-klode


      debian: Bump Standards-Version to 4.1.1

No further changes required.

20cb61e

julian-klode


      Re-introduce a transitional apt-transport-https

This fixes issues with debootstrap. The package will disappear
after the release of buster.

afe3cd6

julian-klode


      Add ${misc:Depends} to apt-transport-https depends

Makes lintian happy, but is basically useless

Gbp-Dch: ignore

6857ce0

julian-klode


      Release 1.6~alpha4

dd8c374

julian-klode


      [amend] Use a versioned breaks for a-t-https in apt

We need to use a versioned breaks again, otherwise the
transitional package would not be installable.

Gbp-Dch: ignore

32b39bf

julian-klode


      Do not attempt seccomp under qemu-user and drop EFAULT workaround

qemu-user passes prctl()-based seccomp through to the kernel,
umodified. That's bad, as it blocks the wrong syscalls.

We ignored EFAULT which fixed the problem for targets with different
pointer sizes from the host, but was a bad hack. In order to identify
qemu we can rely on the fact that qemu-user prints its version and
exits with 0 if QEMU_VERSION is set to an unsupported value. If we
run a command that should fail in such an environment, and it exits
with 0, then we are running in qemu-user.

apt-helper is an obvious command to run. The tests ensure it exits
with 1, and it only prints usage information. We also could not use
/bin/false because apt might just as well be from a foreign arch
while /bin/false is not.

Closes: #881519

243acde

Frans Spiesschaert + julian-klode


      Dutch manpage translation update

Closes: #881402

cae922e

julian-klode


      Release 1.6~alpha5

8a7aeea

julian-klode


      Add Breaks: aptitude (<< 0.8.10) for gzip method removal

aptitude used to use gzip:// for changelog URLs, but is now
fixed to use store.

e15d2e7

julian-klode


      Also look at https_proxy for https URLs

We accidentally regressed here in 1.5 when replacing the https
method.

191b235

julian-klode


      Run wrap-and-sort

Clean up the control file a bit.

5f6da84

DonKult


      allow multivalue fields in deb822 sources to be folded

The documentation said "spaces", but there is no real reason to be so
strict and only allow spaces to separate values as that only leads to
very long lines if e.g. multiple URIs are specified which are again hard
to deal with from a user PoV which the deb822 format is supposed to
avoid. It also deals with multiple consecutive spaces and strange things
like tabs users will surely end up using in the real world.

The old behviour on encountering folded lines is the generation of URIs
which end up containing all these whitespace characters which tends to
mess really bad with output and further processing.

Closes: 881875

7fba4e0

DonKult


      support COLUMNS environment variable in apt tools

apt usually gets the width of the window from the terminal or failing
that has a default value, but especially for testing it can be handy
to control the size as you can't be sure that variable sized content
will always be linebreaked as expected in the testcases.

3f86640

DonKult


      allow apt_auth.conf(5) to be translated

Adding manpages is really hard it seems.

References: ea408c5,
 ea7581c,
 90bfc5b

871f334

julian-klode


      Translate shared documentation parts again

We accidentally did not translate the entity file, but should
have. This makes apt.ent translatable again. This generates the
target multiple times, but surprisingly, that works just fine, so
let's just keep it that way, as it's clean code otherwise.

dfb4c17

julian-klode


      tests: Improve handling profiling messages on CI

We did not strip away profiling messages when we were diffing
from stdin (-). Just always write temporary files and strip from
them.

We also had a problem when stripping ...profiling: from a line
and the next line starts with profiling. Split the sed into two
calls so we first remove complete profiling: lines before fixing
the ...profiling: cases.

b85851e

DonKult


      if insecure repo is allowed continue on all http errors

If a InRelease file fails to download with a non-404 error
we assumed there is some general problem with repository like
a webportal or your are blocked from access (wrong auth, Tor, …).

Turns out some server like S3 return 403 if a file doesn't exist.
Allowing this in general seems like a step backwards as 403 is a
reasonable response if auth failed, so failing here seems better
than letting those users run into problems.

What we can do is show our insecure warnings through and allow the
failures for insecure repos: If the repo is signed it is easy to add
an InRelease file and if not you are setup for trouble anyhow.

References: cbbf185

197c539

DonKult


      don't auto-switch candidate if installed is good enough

If we perform candidate switching in requests like "apt install foo/bar"
we should first check if the dependencies of foo from release bar are
already satisfied by what is already installed before checking if the
candidate (or switched candidate) would.

b857d58

DonKult


      use the newest available git-clang-format in PATH

Hardcoding a specific version is sad as default versions change over
time, so instead of tying us to a specific clang version we let the
script figure out a good version by looking at what is available in
PATH.

Gbp-Dch: Ignore

fd9f75b

DonKult


      update libapt-pkg symbols file

Beside adding the relatively new Item::Proxy method we are also slightly
preparing for gcc-8.

d30b30a

DonKult


      explicitly name token in auth.conf parsing error

Reported-By: gcc -Wsign-promo

bb3a032

DonKult


      fix over-calculating dpkg commandline length

Mostly harmless as it just means that apt thinks that the dpkg
commandline it is building is slightly longer than it actually is and we
have various ways of avoiding generating very long lines nowadays, but
calculating the right value can't hurt.

Reported-By: gcc -Wmultistatement-macros

594ee57

DonKult


      clearing object via constructor instead of memset

Reported-By: gcc -Wclass-memaccess
Gbp-Dch: Ignore

d812245

DonKult


      don't name unused parameter in apt-helper waitonline

Reported-By: gcc -Wunused-parameter
Gbp-Dch: Ignore

17cc2fd

DonKult


      deprecate the single-line deprecation ignoring macro

gcc has problems understanding this construct and additionally thinks it
would produce multiple lines and stuff, so to keep using it isn't really
worth it for the few instances we have: We can just write the long form
there which works better.

Reported-By: gcc
Gbp-Dch: Ignore

5d5ca1a

DonKult


      convert various c-style casts to C++-style

gcc was warning about ignored type qualifiers for all of them due to the
last 'const', so dropping that and converting to static_cast in the
process removes the here harmless warning to avoid hidden real issues in
them later on.

Reported-By: gcc
Gbp-Dch: Ignore

957381a

DonKult


      avoid some useless casts reported by -Wuseless-cast

The casts are useless, but the reports show some where we can actually
improve the code by replacing them with better alternatives like
converting whatever int type into a string instead of casting to a
specific one which might in the future be too small.

Reported-By: gcc -Wuseless-cast

1adcf56

DonKult


      deal with floats without old-style cast

We have no speed problem with handling floats/doubles in our progress
handling, but that shouldn't prevent us from cleaning up the handling
slightly to avoid unclean casting to ints.

Reported-By: gcc -Wdouble-promotion -Wold-style-cast

0b5e329

DonKult


      Merge branch 'feature/happy-gcc'

Fixing various real and imagined bugs reported by gcc warnings

99813a2

DonKult


      support multiline values in LookupTag

LookupTag is a little helper to deal with rfc822-style strings we use in
apt e.g. to pass acquire messages around for cases in which our usual
rfc822 parser is too heavy. All the fields it had to deal with so far
were single line, but if they aren't it should really produce the right
output and not just return the first line. Error messages are a prime
candidate for becoming multiline as at the moment they are stripped of
potential newlines due to the previous insufficiency of LookupTag.

07cd990

DonKult


      mark some 500 HTTP codes as transient acquire errors

If retries are enabled only transient errors are retried, which are very
few errors. At least for some HTTP codes it could be beneficial to retry
them through so adding them seems like a good idea if only to be more
consistent in what we report.

2f6aed7

DonKult


      report transient errors as transient errors

The Fail method for acquire methods has a boolean parameter indicating
the transient-nature of a reported error. The problem with this is that
Fail is called very late at a point where it is no longer easily
identifiable if an error is indeed transient or not, so some calls were
and some weren't and the acquire system would later mostly ignore the
transient flag and guess by using the FailReason instead.

Introducing a tri-state enum we can pass the information about fatal or
transient errors through the callstack to generate the correct fails.

47c0bdc

DonKult


      implement Acquire::Retries support for all items

Moving the Retry-implementation from individual items to the worker
implementation not only gives every file retry capability instead of
just a selected few but also avoids needing to implement it in each item
(incorrectly).

dff555d

DonKult


      give the methods more metadata about the files to acquire

We have quite a bit of metadata available for the files we acquire, but
the methods weren't told about it and got just the URI. That is indeed
fine for most, but to avoid methods trying to parse the metadata out of
the provided URIs (and fail horribly in edgecases) we can just as well
be nice and tell them stuff directly.

9f572c0

DonKult


      implement fallback to alternative URIs for all items

For deb files we always supported falling back from one server to the
other if one failed to download the deb, but that was hardwired in the
handling of this specific item. Moving this alongside the retry
infrastructure we can implement it for all items and allow methods to
use this as well by providing additional URIs in a redirect.

355e1ac

DonKult


      Merge branch 'feature/altretries'

Generalizing the behaviour of retrying a download on the same server (if
enabled via options) as well as retrying a download via a different
alternative server from the acquire item responsible for deb files to
the handling of items in general so that all are effected.

56f5df0

DonKult


      relax test to accept various connection failures

For the failure propagation testing we try to connect to a port which
isn't open – you would think that this has a rather limited set of
failure modes but it turns out that there are various ways this can
fail, so instead of trying to guess all error message we just accept
any.

Reported-By: travis-ci
Gbp-Dch: Ignore

8876bf3

DonKult


      remove pointless APT_PURE from void functions

Earlier gcc versions used to complain that you should add them althrough
there isn't a lot of point to it if you think about it, but now gcc (>= 8)
complains about the attribute being present.

warning: ‘pure’ attribute on function returning ‘void’ [-Wattributes]

Reported-By: gcc -Wattributes
Gbp-Dch: Ignore

a6c7b26

DonKult


      do not remap current files if nullptrs in cache generation

If the cache needs to grow to make room to insert volatile files like
deb files into the cache we were remapping null-pointers making them
non-null-pointers in the process causing trouble later on.

Only the current Releasefile pointer can currently legally be a
nullpointer as volatile files have no release file they belong to, but
for safety the pointer to the current Packages file is equally guarded.

The option APT::Cache-Start can be used to workaround this problem.

Reported-By: Mattia Rizzolo on IRC

5ba048a

DonKult


      unfuzzy Progress l10n change due to format modifier

References: 0b5e329
Gbp-Dch: Ignore

ea65823

MiloCasagrande + DonKult


      Italian program translation update

Closes: 882850

2bcc73f

DonKult


      apt.daily: remove unused dbus signal for apt update

The signal was introduced with the introduction of the script itself,
but seems to have never got any user as all references to it I can find
are references to other code appearing in the cronjob.

It is also the wrong place nowadays as the cronjob is just one place an
update can be triggered by, so if notifications about an update being
run are desired it is better to use a hook which will be called by all
update calls (script, cron, user, …).

Removing this code solves also the problem of improving the check to
avoid running into problems with security systems like SELinux.

References: 0c13268
Closes: 849636

06a03c9

cgzones + DonKult


      apt.daily: fix several "shellcheck" annotations

Various corrections, mostly quoting, which shouldn't be a problem for us
as we tend to act in "sane" environments, but just to be sure.

[commit message written by committer]

References: Debian bugreport #849636

b20fd95

DonKult


      Support cleartext signed InRelease files with CRLF line endings

Commit 89c4c58 ("fix from David Kalnischkies for the InRelease gpg
verification code (LP: #784473)") amended verification of cleartext
signatures by a check whether the file to be verified actually starts
with "-----BEGIN PGP SIGNATURE-----\n".

However cleartext signed InRelease files have been found in the wild
which use \r\n as line ending for this armor header line, presumably
generated by a Windows PGP client.  Such files are incorrectly deemed
unsigned and result in the following (misleading) error:

    Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)

RFC 4880 specifies in 6.2 Forming ASCII Armor:

    That is to say, there is always a line ending preceding the
    starting five dashes, and following the ending five dashes.  The
    header lines, therefore, MUST start at the beginning of a line, and
    MUST NOT have text other than whitespace following them on the same
    line.

RFC 4880 does not seem to specify whether LF or CRLF is used as line
ending for armor headers, but CR is generally considered whitespace
(e.g. "man perlrecharclass"), hence using CRLF is legal even under
the assumption that LF must be used.

SplitClearSignedFile() is stripping whitespace (including CR) on lineend
already before matching the string, so StartsWithGPGClearTextSignature() is
adapted to use the same ignoring. As the earlier method is responsible
for what apt will end up actually parsing nowadays as signed/unsigned this
change has no implications for security.

Thanks: Lukas Wunner for detailed report & initial patch!
References: 89c4c58
Closes: 884922

dcc0759

julian-klode


      connect: Alternate address families for addresses

As a first step to implementing Happy Eyeballs version 2, we
need to order the list of hosts getaddrinfo() gave us so it
alternates between preferred and other address families.

RFC: https://tools.ietf.org/html/rfc8305
Gbp-Dch: ignore

23ddea7

julian-klode


      connect: Extract a Connection struct

This struct holds information about a connection attempt, like
the addrinfo, the resolved address, the fd for the connection,
and so on.

Gbp-Dch: ignore

2369d12

julian-klode


      connect: Store the IP used when picking a connection

There's no real point in storing the IP address while resolving
it - failure messages include the IP address in any case. Do this
when picking the connection for actual use instead.

c9a5a6f

julian-klode


      connect: Extract Connection::CheckError() method

Extracting the error checking method allows us to reuse it
in different places, so we can move the waiting and checking
out of DoConnect() eventually.

Gbp-Dch: ignore

53bdec3

julian-klode


      Add rapid "happy eyeballs" connection fallback (RFC 8305)

Try establishing connections in alternating address families in
rapid intervals of 250 ms, adding more connections to the wait
list until one succeeds (RFC 8305, happy eyeballs 2).

It is important that WaitAndCheckErrors() waits until it has
a successful connection, a time out, or all connections failed
- otherwise the timing between tries might be wrong, and the
final long wait might exit early because one connection failed
without trying the others. Timing wise, this only works correctly
on Linux, as select() counts down there. But we rely on that in
some other places too, so this is not the time to fix that.

Timeouts are only reported in the final long wait - the short
inner waits are expected to time out more often, and multiple
times, we do not want to report them.

Closes: #668948
LP: #1308200
Gbp-Dch: paragraph

3bbd328

julian-klode


      Merge branch 'pu/happy-eyeballs2a'

Happy Eyeballs are coming, yay!

8d5f26a

julian-klode


      Correctly report transient errors again

Commit 47c0bdc ("report transient
errors as transient error") accidentally changed some connection
failures to become non-transient, because the result of the error
checks where being ignored and then fatal error was returned if an
error was pending - even if that error was trivial.

After the merge of pu/happy-eyeballs2a this becomes a lot clearer,
and easy to fix.

Gbp-Dch: ignore
Regression-Of: 47c0bdc

5b197e9

@@ -0,0 +1,25 @@
+    +Language: Cpp
+    +# BasedOnStyle
+    +
+    +TabWidth:          8
+    +UseTab:            Always
+    +IndentWidth:       3
+    +ContinuationIndentWidth: 3
+    +ColumnLimit:       0
+    +BreakBeforeBraces: Allman
+    +AccessModifierOffset: 0
+    +IncludeCategories:
+    +  - Regex:           'apti18n.h'
+    +    Priority:        9999
+    +  - Regex:           'apt-[^/]*/'
+    +    Priority:        20
+    +  - Regex:           '^"'
+    +    Priority:        10
+    +  - Regex:           'config.h'
+    +    Priority:        0
+    +  - Regex:           '(zlib|bzlib|lzma|lz4frame|gtest/gtest|db|gnutls/.*)\.h'
+    +    Priority:        30
+    +  - Regex:           '\.h'
+    +    Priority:        100
+    +  - Regex:           '.*'
+    +    Priority:        99

@@ @@ -51,6 +51,9 @@ docbook-text-style.xsl @@
      **/methods/file
      **/methods/copy
+    +**/methods/curl
+    +**/methods/curl+http
+    +**/methods/curl+https
      **/methods/store
      **/methods/gpgv
      **/methods/cdrom
@@ @@ -99,7 +102,9 @@ Makefile @@
      /debian/*.log
      /debian/*.substvars
      /debian/*.debhelper
+    +/debian/debhelper-build-stamp
      /debian/files
+    +/debian/tmp/
      /debian/apt/
      /debian/apt-doc/
      /debian/apt-utils/

@@ -1,33 +1,20 @@
      language: cpp
      cache: ccache
      sudo: required
-    -dist: trusty
+    +services:
+    +  - docker
      env:
-    - - TEST_SUITE=user CMAKE_FLAGS=
-    - - TEST_SUITE=root CMAKE_FLAGS=-DWITH_DOC=OFF
-    -before_install:
-    - - sudo add-apt-repository 'deb http://archive.ubuntu.com/ubuntu/ wily main universe' -y
-    - - sudo add-apt-repository 'deb http://archive.ubuntu.com/ubuntu/ xenial main' -y
-    - - |
-    -   sudo sh -c '/bin/echo -e "Package: *\nPin: release n=wily\nPin-Priority: 1" > /etc/apt/preferences.d/wily'
-    -   sudo sh -c '/bin/echo -e "Package: *\nPin: release n=xenial\nPin-Priority: 1" > /etc/apt/preferences.d/xenial'
-    - - sudo apt-get update -qq
+    + - USER=travis CMAKE_FLAGS=
+    + - USER=root CMAKE_FLAGS=-DWITH_DOC=OFF
      install:
-    - - sudo apt-get -qq -y -t wily install gettext liblz4-dev python3-apt
-    - - sudo apt-get -qq -y -t xenial install cmake ninja-build
-    - - sudo ./prepare-release travis-ci
+    + - sed -i -e "s#1000#$(id -u)#g" Dockerfile
+    + - docker build --tag=apt-ci .
      before_script:
-    - - ( mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Coverage -G Ninja $CMAKE_FLAGS .. )
-    - - ninja -C build
+    + - docker run --rm -w $PWD -v $HOME/.ccache:$HOME/.ccache -v $PWD:$PWD --user=travis apt-ci sh -e -c "mkdir build && cd build && env PATH=/usr/lib/ccache:\$PATH cmake -DCMAKE_BUILD_TYPE=Coverage -G Ninja $CMAKE_FLAGS .."
+    + - docker run --rm -w $PWD -v $HOME/.ccache:$HOME/.ccache -v $PWD:$PWD --user=travis apt-ci ninja -C build
      script:
-    - - CTEST_OUTPUT_ON_FAILURE=1 ninja -C build test
-    - - DESTDIR=$PWD/rootdir chronic ninja -C build install
-    - - test "$TEST_SUITE" != "user"  || ./test/integration/run-tests -qq
-    - - sudo adduser --force-badname --system --home /nonexistent --no-create-home --quiet _apt || true
-    - - sudo chmod  go+x /home/travis
-    - - sudo chmod -R go+rwX /home/travis/build
-    - - test "$TEST_SUITE" != "root" || sudo ./test/integration/run-tests -qq
+    + - docker run --rm -w $PWD -v $PWD:$PWD --user=travis apt-ci env CTEST_OUTPUT_ON_FAILURE=1 ninja -C build test
+    + - docker run --rm -w $PWD -v $PWD:$PWD --user=travis apt-ci env DESTDIR=$PWD/rootdir chronic ninja -C build install
+    + - docker run --rm -w $PWD -v $PWD:$PWD --user=$USER --tmpfs /tmp:suid,exec apt-ci unbuffer ./test/integration/run-tests -qq -j 4
      after_script:
-    - - cd build
-    - - gcov -r $(find -name '*.gcno')
-    - - bash <(curl -s https://codecov.io/bash)
+    + - docker run --rm -w $PWD/build -v $PWD:$PWD --user=$USER `bash <(curl -s https://codecov.io/env)` apt-ci bash -c 'bash <(curl -s https://codecov.io/bash)'

@@ @@ -89,12 +89,18 @@ endfunction() @@
      # Process one document
      function(po4a_one stamp_out out full_document language deps)
          path_join(full_path "${CMAKE_CURRENT_SOURCE_DIR}" "${full_document}")
-    -    po4a_components(document _ section ext "${full_document}")
+    +    if (full_document MATCHES "\.ent$")
+    +        set(dest "${language}/${full_document}")
+    +        set(full_dest "${dest}")
+    +    else()
+    +        po4a_components(document _ section ext "${full_document}")
-    -    # Calculate target file name
-    -    set(dest "${language}/${document}.${language}")
-    -    if(section)
-    -        set(dest "${dest}.${section}")
+    +        # Calculate target file name
+    +        set(dest "${language}/${document}.${language}")
+    +        if(section)
+    +            set(dest "${dest}.${section}")
+    +        endif()
+    +        set(full_dest "${dest}.${ext}")
          endif()
          # po4a might drop files not translated enough, so build a stamp file
                           --package-name='${PROJECT_NAME}-doc'
                           --package-version='${PACKAGE_VERSION}'
                           --msgid-bugs-address='${PACKAGE_MAIL}'
-    -                     --translate-only ${dest}.${ext}
+    +                     --translate-only ${full_dest}
                           --srcdir ${CMAKE_CURRENT_SOURCE_DIR}
                           --destdir ${CMAKE_CURRENT_BINARY_DIR}
                            ${CMAKE_CURRENT_SOURCE_DIR}/po4a.conf
              COMMAND ${CMAKE_COMMAND} -E touch ${stamp}
-    -        COMMENT "Generating ${dest}.${ext} (or dropping it)"
+    +        COMMENT "Generating ${full_dest} (or dropping it)"
              DEPENDS ${full_document} ${deps} po/${language}.po
          )
          # Return result
          set(${stamp_out} ${stamp} PARENT_SCOPE)
-    -    set(${out} ${CMAKE_CURRENT_BINARY_DIR}/${dest}.${ext} PARENT_SCOPE)
+    +    set(${out} ${CMAKE_CURRENT_BINARY_DIR}/${full_dest} PARENT_SCOPE)
      endfunction()
      function(xsltproc_one)
@@ @@ -251,7 +257,7 @@ function(add_docbook target) @@
          set(generated "")
          set(options HTML TEXT MANPAGE ALL)
          set(oneValueArgs)
-    -    set(multiValueArgs INSTALL DOCUMENTS LINGUAS DEPENDS)
+    +    set(multiValueArgs INSTALL DOCUMENTS LINGUAS TRANSLATED_ENTITIES DEPENDS)
          cmake_parse_arguments(DOC "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN})
          if (DOC_HTML)
@@ @@ -264,6 +270,13 @@ function(add_docbook target) @@
              list(APPEND formats MANPAGE)
          endif()
+    +    foreach(document ${DOC_TRANSLATED_ENTITIES})
+    +        foreach(lang ${DOC_LINGUAS})
+    +            po4a_one(po4a_stamp po4a_out ${document} "${lang}" "")
+    +            list(APPEND DOC_DEPENDS ${po4a_stamp})
+    +        endforeach()
+    +    endforeach()
+    +
          foreach(document ${DOC_DOCUMENTS})
              foreach(lang ${DOC_LINGUAS})
                  po4a_one(po4a_stamp po4a_out ${document} "${lang}" "${DOC_DEPENDS}")

@@ -0,0 +1,25 @@
+    +# - Try to find SECCOMP
+    +# Once done, this will define
+    +#
+    +#  SECCOMP_FOUND - system has SECCOMP
+    +#  SECCOMP_INCLUDE_DIRS - the SECCOMP include directories
+    +#  SECCOMP_LIBRARIES - the SECCOMP library
+    +find_package(PkgConfig)
+    +
+    +pkg_check_modules(SECCOMP_PKGCONF libseccomp)
+    +
+    +find_path(SECCOMP_INCLUDE_DIRS
+    +  NAMES seccomp.h
+    +  PATHS ${SECCOMP_PKGCONF_INCLUDE_DIRS}
+    +)
+    +
+    +
+    +find_library(SECCOMP_LIBRARIES
+    +  NAMES seccomp
+    +  PATHS ${SECCOMP_PKGCONF_LIBRARY_DIRS}
+    +)
+    +
+    +include(FindPackageHandleStandardArgs)
+    +find_package_handle_standard_args(SECCOMP DEFAULT_MSG SECCOMP_INCLUDE_DIRS SECCOMP_LIBRARIES)
+    +
+    +mark_as_advanced(SECCOMP_INCLUDE_DIRS SECCOMP_LIBRARIES)

julian-klode/apt forked from Debian/apt

Comparing changes

Open a pull request

No commit comments for this range

julian-klode/apt forked from Debian/apt

Comparing changes

Open a pull request

Some checks haven’t completed yet

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

All checks have failed

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

All checks have failed

Some checks were not successful

All checks have failed

All checks have passed

Some checks were not successful

Some checks were not successful

All checks have passed

All checks have passed

Some checks were not successful

Some checks were not successful

All checks have passed

Some checks were not successful

All checks have passed

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

All checks have passed

All checks have passed

All checks have passed

Some checks were not successful

Some checks were not successful

All checks have passed

All checks have passed

All checks have passed

Some checks were not successful

All checks have passed

Some checks were not successful

All checks have passed

Some checks were not successful

All checks have passed

All checks have passed

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

All checks have passed

All checks have passed

Some checks were not successful

All checks have passed

Some checks were not successful

Some checks were not successful

All checks have passed

Some checks were not successful

Some checks were not successful

Some checks were not successful

Some checks were not successful

All checks have passed

Some checks were not successful

Some checks were not successful

Some checks were not successful

All checks have passed

Some checks were not successful

Some checks were not successful