
Bug#318630: apt: Small additions



Package: apt
Version: 0.6.38-0.0.0.1.mrvn
Followup-For: Bug #318630

Hi,

some small additions to the patch.

1. Accept broken Release files from [TRUSTED] sources

This might sound odd but I stumbled across this with:

deb [TRUSTED] copy:///mnt/mirror/debian dists/sarge/main/binary-i386/

This include the i386 architecture all packages on amd64.  Since
'debian/dists/sarge/main/binary-i386/Release' exists it gets fetched
and parsed as MetaIndex but contains no md5sum entries. Normaly this
gets ignored as Release files are not scanned for md5sums but not with
trusted set.

2. Accept Packages files as trusted if they are VendorID == [TRUSTED]

Normally Packages files are trusted if the Release.gpg file exists. So far
the patch only allowed them to exist without verification. By checking
the VendorID of their Index it now accepts sources without a
Release.gpg altogether (also needed for the example above).

MfG
	Goswin

-- System Information:
Debian Release: 3.1
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.8-frosties-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apt depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libgcc1                     1:4.0.0-12   GCC support library
ii  libstdc++5                  1:3.3.5-13   The GNU Standard C++ Library v3

-- no debconf information
diff -Nru /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/acquire-item.cc /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/acquire-item.cc
--- /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/acquire-item.cc	2005-06-25 18:49:06.000000000 +0200
+++ /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/acquire-item.cc	2005-07-17 11:56:31.000000000 +0200
@@ -310,7 +310,7 @@
 pkgAcqMetaSig::pkgAcqMetaSig(pkgAcquire *Owner,
 			     string URI,string URIDesc,string ShortDesc,
 			     string MetaIndexURI, string MetaIndexURIDesc,
-			     string MetaIndexShortDesc,
+			     string MetaIndexShortDesc, bool Trust,
 			     const vector<IndexTarget*>* IndexTargets,
 			     indexRecords* MetaIndexParser) :
    Item(Owner), RealURI(URI), MetaIndexURI(MetaIndexURI),
@@ -318,6 +318,7 @@
 {
    this->MetaIndexParser = MetaIndexParser;
    this->IndexTargets = IndexTargets;
+   this->Trusted = Trust;
    DestFile = _config->FindDir("Dir::State::lists") + "partial/";
    DestFile += URItoFileName(URI);
 
@@ -389,7 +390,7 @@
 
    // queue a pkgAcqMetaIndex to be verified against the sig we just retrieved
    new pkgAcqMetaIndex(Owner, MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc,
-		       DestFile, IndexTargets, MetaIndexParser);
+		       DestFile, IsTrusted(), IndexTargets, MetaIndexParser);
 
 }
 									/*}}}*/
@@ -402,7 +403,7 @@
 
    // queue a pkgAcqMetaIndex with no sigfile
    new pkgAcqMetaIndex(Owner, MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc,
-		       "", IndexTargets, MetaIndexParser);
+		       "", IsTrusted(), IndexTargets, MetaIndexParser);
 
    if (Cnf->LocalOnly == true || 
        StringToBool(LookupTag(Message,"Transient-Failure"),false) == false)
@@ -419,7 +420,7 @@
 
 pkgAcqMetaIndex::pkgAcqMetaIndex(pkgAcquire *Owner,
 				 string URI,string URIDesc,string ShortDesc,
-				 string SigFile,
+				 string SigFile, bool Trust,
 				 const vector<struct IndexTarget*>* IndexTargets,
 				 indexRecords* MetaIndexParser) :
   Item(Owner), RealURI(URI), SigFile(SigFile)
@@ -427,6 +428,7 @@
    this->AuthPass = false;
    this->MetaIndexParser = MetaIndexParser;
    this->IndexTargets = IndexTargets;
+   this->Trusted = Trust;
    DestFile = _config->FindDir("Dir::State::lists") + "partial/";
    DestFile += URItoFileName(URI);
 
@@ -475,7 +477,42 @@
          // Still more retrieving to do
          return;
 
-      if (SigFile == "")
+      if (IsTrusted())
+      {
+         // The sourses.list had VendorID = "TRUSTED".
+         // At this point we trust implicitly.  We perform additional
+         // verification of its contents, and use them to verify the indexes
+         // we are about to download.
+         if (!MetaIndexParser->Load(DestFile))
+	 {
+	    // Queue Packages files anyway, we TRUST this source
+	    for (vector <struct IndexTarget*>::const_iterator Target = IndexTargets->begin();
+		 Target != IndexTargets->end();
+		 Target++)
+	    {
+      	       new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description,
+			       (*Target)->ShortDesc, "");
+	    }
+	    return;
+	 }
+
+         if (_config->FindB("Debug::pkgAcquire::Auth", false))
+            std::cerr << "Signature implicitly trusted: "
+                      << DestFile << std::endl;
+
+         // Download further indexes with verification
+         QueueIndexes(true);
+
+         // Done, move signature file into position
+	 if (SigFile != "")
+	 {
+	    string VerifiedSigFile = _config->FindDir("Dir::State::lists") +
+		URItoFileName(RealURI) + ".gpg";
+	    Rename(SigFile,VerifiedSigFile);
+	    chmod(VerifiedSigFile.c_str(),0644);
+	 }
+      }
+      else if (SigFile == "")
       {
          // There was no signature file, so we are finished.  Download
          // the indexes without verification.
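Review bot: In the `IsTrusted()` branch the downloaded Release.gpg is moved to its final name with `Rename(SigFile,VerifiedSigFile)` although nothing in this branch checks the signature. The check in debmetaindex.cc that returns true when `FileExists(VerifiedSigFile)` would then presumably keep treating the source as authenticated after the [TRUSTED] tag is removed from sources.list, at least until the file is replaced; I would drop the `if (SigFile != "")` block and leave the unverified file in partial/. The copied comment 'We perform additional verification of its contents' no longer matches the code, and 'sourses.list' is misspelled. When `MetaIndexParser->Load(DestFile)` fails, every index is queued with `""` as the last argument (presumably the expected checksum) and no message, so a comment such as `// [TRUSTED] source: Release unusable, indexes are fetched unchecked` plus a Debug::pkgAcquire::Auth line would make that visible. The enclosing function starts and ends outside the hunk.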
diff -Nru /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/acquire-item.h /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/acquire-item.h
--- /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/acquire-item.h	2004-12-14 13:52:45.000000000 +0100
+++ /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/acquire-item.h	2005-07-16 14:06:11.000000000 +0200
@@ -123,6 +123,7 @@
    string RealURI,MetaIndexURI,MetaIndexURIDesc,MetaIndexShortDesc;
    indexRecords* MetaIndexParser;
    const vector<struct IndexTarget*>* IndexTargets;
+   bool Trusted;
 
    public:
    
@@ -132,9 +133,11 @@
 		     pkgAcquire::MethodConfig *Cnf);
    virtual string Custom600Headers();
    virtual string DescURI() {return RealURI; };
+   virtual bool IsTrusted() {return Trusted;};
 
    pkgAcqMetaSig(pkgAcquire *Owner,string URI,string URIDesc, string ShortDesc,
-		 string MetaIndexURI, string MetaIndexURIDesc, string MetaIndexShortDesc,
+		 string MetaIndexURI, string MetaIndexURIDesc,
+                 string MetaIndexShortDesc, bool Trust,
 		 const vector<struct IndexTarget*>* IndexTargets,
 		 indexRecords* MetaIndexParser);
 };
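Review bot: `IsTrusted()` and the `Trusted` member added in the previous hunk carry no comment, and the name suggests a verified signature while the value is only the [TRUSTED] vendor tag handed down from sources.list. A one-line comment on the member, for example `// set from the sources.list [TRUSTED] tag; no signature was checked`, would keep later callers from reading it as a verification result. The same applies to the identical member and accessor added to pkgAcqMetaIndex in the next two hunks. The class body starts outside the hunk, so any base-class declaration of `IsTrusted()` is not visible here.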
@@ -150,6 +153,7 @@
    const vector<struct IndexTarget*>* IndexTargets;
    indexRecords* MetaIndexParser;
    bool AuthPass;
+   bool Trusted;
 
    bool VerifyVendor();
    void RetrievalDone(string Message);
@@ -164,10 +168,11 @@
 		     pkgAcquire::MethodConfig *Cnf);
    virtual string Custom600Headers();
    virtual string DescURI() {return RealURI; };
+   virtual bool IsTrusted() {return Trusted;};
 
    pkgAcqMetaIndex(pkgAcquire *Owner,
 		   string URI,string URIDesc, string ShortDesc,
-		   string SigFile,
+		   string SigFile, bool Trust,
 		   const vector<struct IndexTarget*>* IndexTargets,
 		   indexRecords* MetaIndexParser);
 };
diff -Nru /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/deb/debmetaindex.cc /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/deb/debmetaindex.cc
--- /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/deb/debmetaindex.cc	2004-12-13 10:02:40.000000000 +0100
+++ /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/deb/debmetaindex.cc	2005-07-17 11:39:51.000000000 +0200
@@ -111,12 +111,13 @@
       return URI + "dists/" + Dist + "/" + SourceIndexURISuffix(Type, Section);
 }
 
-debReleaseIndex::debReleaseIndex(string URI,string Dist)
+debReleaseIndex::debReleaseIndex(string URI,string Dist,string VendorID)
 {
    this->URI = URI;
    this->Dist = Dist;
    this->Indexes = NULL;
    this->Type = "deb";
+   this->VendorID = VendorID;
 }
 
 vector <struct IndexTarget *>* debReleaseIndex::ComputeIndexTargets() const
@@ -153,7 +154,8 @@
    }
    new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
 		     MetaIndexInfo("Release.gpg"), "Release.gpg",
-		     MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
+		     MetaIndexURI("Release"), MetaIndexInfo("Release"),
+		     "Release", (VendorID == "TRUSTED"),
 		     ComputeIndexTargets(),
 		     new indexRecords (Dist));
 
@@ -167,6 +169,8 @@
    
    if (FileExists(VerifiedSigFile))
       return true;
+   if (VendorID == "TRUSTED")
+      return true;
    return false;
 }
 
@@ -201,7 +205,7 @@
 
    bool CreateItemInternal(vector<metaIndex *> &List,string URI,
 			   string Dist,string Section,
-			   bool IsSrc) const
+			   string VendorID, bool IsSrc) const
    {
       for (vector<metaIndex *>::const_iterator I = List.begin(); 
 	   I != List.end(); I++)
@@ -224,7 +228,7 @@
       }
       // No currently created Release file indexes this entry, so we create a new one.
       // XXX determine whether this release is trusted or not
-      debReleaseIndex *Deb = new debReleaseIndex(URI,Dist);
+      debReleaseIndex *Deb = new debReleaseIndex(URI,Dist,VendorID);
       Deb->PushSectionEntry (new debReleaseIndex::debSectionEntry(Section, IsSrc));
       List.push_back(Deb);
       return true;
@@ -236,9 +240,9 @@
    public:
 
    bool CreateItem(vector<metaIndex *> &List,string URI,
-		   string Dist,string Section) const
+		   string Dist,string Section, string VendorID) const
    {
-      return CreateItemInternal(List, URI, Dist, Section, false);
+      return CreateItemInternal(List, URI, Dist, Section, VendorID, false);
    }
 
    debSLTypeDeb()
@@ -253,9 +257,9 @@
    public:
 
    bool CreateItem(vector<metaIndex *> &List,string URI,
-		   string Dist,string Section) const 
+		   string Dist,string Section, string VendorID) const 
    {
-      return CreateItemInternal(List, URI, Dist, Section, true);
+       return CreateItemInternal(List, URI, Dist, Section, VendorID, true);
    }
    
    debSLTypeDebSrc()
diff -Nru /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/deb/debmetaindex.h /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/deb/debmetaindex.h
--- /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/deb/debmetaindex.h	2004-12-13 10:02:40.000000000 +0100
+++ /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/deb/debmetaindex.h	2005-07-16 14:25:42.000000000 +0200
@@ -21,11 +21,12 @@
    };
 
    private:
+   string VendorID;
    vector <const debSectionEntry *> SectionEntries;
 
    public:
 
-   debReleaseIndex(string URI, string Dist);
+   debReleaseIndex(string URI, string Dist, string VendorID="");
 
    virtual string ArchiveURI(string File) const {return URI + File;};
    virtual bool GetIndexes(pkgAcquire *Owner, bool GetAll=false) const;
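Review bot: The constructor default `VendorID=""` does not match the `"ANY"` value that sourcelist.cc assigns when a line has no vendor tag, so 'no vendor' ends up with two spellings. debmetaindex.cc then decides trust by comparing the stored string with the literal `"TRUSTED"` in two places, once in the pkgAcqMetaSig call and once next to the `FileExists(VerifiedSigFile)` check. Converting the tag once in the parser and storing a `bool Trusted` in debReleaseIndex would leave a single comparison to audit; at minimum a named constant for the tag would help. The class body continues outside the hunk.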
diff -Nru /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/sourcelist.cc /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/sourcelist.cc
--- /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/sourcelist.cc	2005-03-26 18:49:24.000000000 +0100
+++ /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/sourcelist.cc	2005-07-16 13:34:43.000000000 +0200
@@ -77,7 +77,8 @@
 bool pkgSourceList::Type::ParseLine(vector<metaIndex *> &List,
 				    const char *Buffer,
 				    unsigned long CurLine,
-				    string File) const
+				    string File,
+				    string VendorID) const
 {
    string URI;
    string Dist;
@@ -97,7 +98,7 @@
       if (ParseQuoteWord(Buffer,Section) == true)
 	 return _error->Error(_("Malformed line %lu in source list %s (absolute dist)"),CurLine,File.c_str());
       Dist = SubstVar(Dist,"$(ARCH)",_config->Find("APT::Architecture"));
-      return CreateItem(List,URI,Dist,Section);
+      return CreateItem(List,URI,Dist,Section,VendorID);
    }
    
    // Grab the rest of the dists
@@ -106,7 +107,7 @@
    
    do
    {
-      if (CreateItem(List,URI,Dist,Section) == false)
+      if (CreateItem(List,URI,Dist,Section,VendorID) == false)
 	 return false;
    }
    while (ParseQuoteWord(Buffer,Section) == true);
@@ -191,10 +192,9 @@
 	 return _error->Error(_("Type '%s' is not known on line %u in source list %s"),LineType.c_str(),CurLine,File.c_str());
       
       // Vendor name specified
+      string VendorID = "ANY";
       if (C[0] == '[')
       {
-	 string VendorID;
-	 
 	 if (ParseQuoteWord(C,VendorID) == false)
 	     return _error->Error(_("Malformed line %u in source list %s (vendor id)"),CurLine,File.c_str());
 
@@ -219,7 +219,7 @@
 // 				 VendorID.c_str(),CurLine,File.c_str());
       }
 
-      if (Parse->ParseLine(SrcList,C,CurLine,File) == false)
+      if (Parse->ParseLine(SrcList,C,CurLine,File,VendorID) == false)
 	 return false;
    }
    return true;
diff -Nru /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/sourcelist.h /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/sourcelist.h
--- /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/sourcelist.h	2004-12-13 10:02:41.000000000 +0100
+++ /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/sourcelist.h	2005-07-16 13:34:59.000000000 +0200
@@ -60,9 +60,11 @@
       bool FixupURI(string &URI) const;
       virtual bool ParseLine(vector<metaIndex *> &List,
 			     const char *Buffer,
-			     unsigned long CurLine,string File) const;
+			     unsigned long CurLine,string File,
+			     string VendorID) const;
       virtual bool CreateItem(vector<metaIndex *> &List,string URI,
-			      string Dist,string Section) const = 0;
+			      string Dist,string Section,
+                              string VendorID) const = 0;
       Type();
       virtual ~Type() {};
    };
diff -Nru /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/vendor.cc /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/vendor.cc
--- /tmp/6w0W0UbPMW/apt-0.6.38/apt-pkg/vendor.cc	2004-12-13 10:02:40.000000000 +0100
+++ /tmp/pEqbD9m7Hn/apt-0.6.38/apt-pkg/vendor.cc	2005-07-16 12:27:04.000000000 +0200
@@ -35,5 +35,6 @@
 
 bool Vendor::CheckDist(string Dist)
 {
+   std::cerr << "Vendor::CheckDist(" << Dist << ") == true" << std::endl;
    return true;
 }
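Review bot: The added `std::cerr` line prints on every call to Vendor::CheckDist with no debug switch, so it reads like leftover tracing. Either drop it or guard it the way acquire-item.cc does in this patch, `if (_config->FindB("Debug::pkgAcquire::Auth", false))`. Whether vendor.cc already includes `<iostream>` and the configuration header is not visible in the hunk.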
diff -Nru /tmp/6w0W0UbPMW/apt-0.6.38/debian/changelog /tmp/pEqbD9m7Hn/apt-0.6.38/debian/changelog
--- /tmp/6w0W0UbPMW/apt-0.6.38/debian/changelog	2005-06-25 21:36:49.000000000 +0200
+++ /tmp/pEqbD9m7Hn/apt-0.6.38/debian/changelog	2005-07-17 10:20:26.000000000 +0200
@@ -1,3 +1,11 @@
+apt (0.6.38-0.0.0.1.mrvn) unstable; urgency=low
+
+  * Goswin von Brederlow
+    - add support for vendor [TRUSTED] in sources.list to implicily
+      trust a source
+
+ -- Matt Zimmerman <mdz@debian.org>  Sun, 17 Jul 2005 10:20:00 +0200
+
 apt (0.6.38) unstable; urgency=low
 
   * Merge michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-6, a workaround
