[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apt security model

On Tue, Dec 07, 2004 at 09:59:13AM -0500, Daniel Burrows wrote:
[..]
> > The latest version does no longer contains that lines. It now starts
> > with Trusted=false and if it finds a trusted source, it will switch to
> > "package is trusted" mode. That means it will only download it from a
> > trusted source (for cases like when the package is available from
> > various sources).
> 
>   Oh, I see.  By the way, would it be possible for IsTrusted to (also) be a 
> method on VerIterators?  It looks to me like there's nothing that prevents 
> this, and it would be nice to not have to either generate AcquireItems or 
> reimplement it.  At the moment I'm reimplementing it.

Would something like the attached patch do? I don't like the fact that
it needs to pass a pkgSourceList* to the iterator so better ideas are
welcome :) 

>   And, to answer another question I was asking in case anyone is
> searching the archives, I discovered that the installed version of a
> package never has a corresponding IndexFile object.  So it's
> expected that some trusted packages have VersionFiles without an
> IndexFile.

It looks like this happens if you install a trusted package and it's
later no longer downloadable. So it only affects "Obsolete and Locally
Created Packages" I think.

>   I tried to use arch once and my head exploded :).  

It usually happens when people are exposed to arch for the first time ;)

bye,
 Michael

-- 
The first rule of holes is: when you find yourself in one, stop digging. - PJ
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo

--- orig/apt-pkg/cacheiterators.h
+++ mod/apt-pkg/cacheiterators.h
@@ -35,6 +35,9 @@
 #pragma interface "apt-pkg/cacheiterators.h"
 #endif 
 
+class pkgSourceList;
+class pkgIndexFile;
+
 // Package Iterator
 class pkgCache::PkgIterator
 {
@@ -133,6 +136,7 @@
    inline VerFileIterator FileList() const;
    inline unsigned long Index() const {return Ver - Owner->VerP;};
    bool Downloadable() const;
+   bool IsTrusted(pkgSourceList *Source) const;
    inline const char *PriorityType() {return Owner->Priority(Ver->Priority);};
    string RelStr();
    


--- orig/apt-pkg/pkgcache.cc
+++ mod/apt-pkg/pkgcache.cc
@@ -26,6 +26,7 @@
 #endif 
 
 #include <apt-pkg/pkgcache.h>
+#include <apt-pkg/sourcelist.h>
 #include <apt-pkg/version.h>
 #include <apt-pkg/error.h>
 #include <apt-pkg/strutl.h>
@@ -465,6 +466,28 @@
 	 return true;
    return false;
 }
+
+// VerIterator::IsTrusted - Checks if the version is trusted	/*{{{*/
+// ---------------------------------------------------------------------
+/* */
+bool pkgCache::VerIterator::IsTrusted(pkgSourceList *Sources) const
+{
+   VerFileIterator i = FileList();
+   for (; i.end() == false; i++) {
+      pkgIndexFile *Index;
+      if (Sources->FindIndex(i.File(),Index) == false)
+         continue;
+      if (_config->FindB("Debug::pkgAcquire::Auth", false))
+      {
+         std::cerr << "Checking index: " << Index->Describe()
+                   << "(Trusted=" << Index->IsTrusted() << ")\n";
+      }
+      if (Index->IsTrusted()) 
+         return true;
+   }
+   return false;
+}
+
 									/*}}}*/
 // VerIterator::Automatic - Check if this version is 'automatic'	/*{{{*/
 // ---------------------------------------------------------------------
Reply to: