Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock X-Debbugs-CC: deity@lists.debian.org Hi release team, I had hoped it wouldn't come to this, but to my dismay I have to propose yet another upgrade to apt as to be shipped in jessie. The update is intended to fix two ways of triggering a false-positive security (themed) warning by apt-transport-https (see 777565, 781509) and a crash in aptdaemon caused by dangling pointer usage (see 781858). Also included are four more fixes for: two (small) regressions and two more-or-less esoteric issues which aren't a problem for Debian per-se, but might be for derivatives. Not worthed it alone (even through their reporters likely disagree), but as we prepare an update anyway… The patches are heavily optimized for less line-change. A regression potentially realistically only exists for the https-change, but even there isn't much opportunity and its considered for backporting further. More details for each change individually in the commit messages as attached generated by "git log -p 1.0.9.7..debian/jessie" or cgit: https://anonscm.debian.org/cgit/apt/apt.git/log/?h=debian/jessie Thanks for considering an: unblock apt/1.0.9.8 and best regards David Kalnischkies (for the APT team)
commit d5cf8851753dde4f45bfd3b48fcdf34247a8752a
Author: David Kalnischkies <david@kalnischkies.de>
Date: Tue Apr 7 22:34:34 2015 +0200
keyids in "apt-key del" should be case-insensitive
gnupg is case-insensitive about keyids, so back then apt-key called it
directly any keyid was accepted, but now that we work more with the
keyid ourself we regressed to require uppercase keyids by accident.
This is also inconsistent with other apt-key commands which still use
gnupg directly. A single case-insensitive grep and we are fine again.
Closes: 781696
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index b4e0710..1da311d 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -180,7 +180,7 @@ update() {
remove_key_from_keyring() {
local GPG="$GPG_CMD --keyring $1"
# check if the key is in this keyring: the key id is in the 5 column at the end
- if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]*$2:"; then
+ if ! $GPG --with-colons --list-keys 2>&1 | grep -iq "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]*$2:"; then
return
fi
if [ ! -w "$1" ]; then
diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key
index 47230cb..b4f823e 100755
--- a/test/integration/test-apt-key
+++ b/test/integration/test-apt-key
@@ -111,3 +111,9 @@ cleanplate
cp -a keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg
testsuccess --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE
testempty aptkey list
+
+msgtest 'Test key removal with' 'lowercase key ID' #keylength somewher between 8byte and short
+cleanplate
+cp -a keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg
+testsuccess --nomsg aptkey --fakeroot del d141dbac8dae
+testempty aptkey list
commit 7e9b7ea8236a79580c4ca47712558096d66bad53
Author: David Kalnischkies <david@kalnischkies.de>
Date: Tue Apr 7 18:31:12 2015 +0200
demote VectorizeString gcc attribute from const to pure
g++-5 generates a slightly broken libapt which doesn't split
architecture configurations correctly resulting in e.g. Packages files
requested for the bogus architecture 'amd64,i386' instead of for amd64
and i386.
The reason is an incorrectly applied attribute marking the function as
const, while functions with pointer arguments are not allowed to be
declared as such (note that char& is a char* in disguise). Demoting the
attribute to pure fixes this issue – better would be dropping the & from
char but that is an API change…
Neither earlier g++ versions nor clang use this attribute to generate
broken code, so we don't need a rebuild of dependencies or anything and
g++-5 isn't even included in jessie, but the effect is so strange and
apt popular enough to consider avoiding this problem anyhow.
diff --git a/apt-pkg/contrib/strutl.h b/apt-pkg/contrib/strutl.h
index 185cdc3..f4f8083 100644
--- a/apt-pkg/contrib/strutl.h
+++ b/apt-pkg/contrib/strutl.h
@@ -79,7 +79,7 @@ bool TokSplitString(char Tok,char *Input,char **List,
unsigned long ListMax);
// split a given string by a char
-std::vector<std::string> VectorizeString(std::string const &haystack, char const &split) APT_CONST;
+std::vector<std::string> VectorizeString(std::string const &haystack, char const &split) APT_PURE;
/* \brief Return a vector of strings from string "input" where "sep"
* is used as the delimiter string.
commit 3af3768e1a0ae8519ac85fbe1eb4494eeb076fa2
Author: Michael Vogt <mvo@debian.org>
Date: Tue Apr 7 12:20:56 2015 +0200
fix crash in order writing in pkgDPkgPM::WriteApportReport()
libapt can be configured to write various bits of information to a file
creating a report via apport. This is disabled by default in Debian and
apport residing only in /experimental so far, but Ubuntu and other
derivatives have this (in some versions) enabled by default and there is
no regression potentially here.
The crash is caused by a mismatch of operations vs. strings for
operations, so adding the missing strings for these operations solves
the problem.
[commit message by David Kalnischkies]
LP: #1436626
diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc
index e23ca46..82e045f 100644
--- a/apt-pkg/deb/dpkgpm.cc
+++ b/apt-pkg/deb/dpkgpm.cc
@@ -1900,8 +1900,15 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg)
}
}
- // log the ordering
- const char *ops_str[] = {"Install", "Configure","Remove","Purge"};
+ // log the ordering, see dpkgpm.h and the "Ops" enum there
+ const char *ops_str[] = {
+ "Install",
+ "Configure",
+ "Remove",
+ "Purge",
+ "ConfigurePending",
+ "TriggersPending",
+ };
fprintf(report, "AptOrdering:\n");
for (vector<Item>::iterator I = List.begin(); I != List.end(); ++I)
if ((*I).Pkg != NULL)
commit 66c3875df391b1120b43831efcbe88a78569fbfe
Author: David Kalnischkies <david@kalnischkies.de>
Date: Tue Apr 7 16:58:44 2015 +0200
avoid depends on std::string implementation for pkgAcquire::Item::Mode
In /experimental this is resolved by deprecating Mode and moving to a
new std::string, but that breaks ABI of course, so that was out of
question. We can't change to a malloc/free style c-string either as
Mode is public and hence a library user could be setting this as well.
std::string implementors actually helped us out here with copy-on-write
which means that while the variable "obviously" runs out of scope here,
in reality you get the correct result as the string we work with here
comes from the configuration in which it is still valid. Such a
dependency on magic is bad of course, but its still interesting that
only python3 seems to have an issue with it…
With some silly explicit if-else assigning we can sidestep this issue
while retaining the same output for 99.99% of all users (= noone
actually configures additional compression algorithms which are also
provided by repositories…), but even for these 0.01% its just a small
change in the display as Mode can not be used for anything else.
Example: apt/aptitude uses it in its 'update' implementations in the
one-line progress at the bottom for specific items.
Closes: 781858
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 253cbda..0bcafdc 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1194,8 +1194,18 @@ void pkgAcqIndex::Done(string Message,unsigned long long Size,string Hash,
Desc.URI = decompProg + ":" + FileName;
QueueURI(Desc);
- // FIXME: this points to a c++ string that goes out of scope
- Mode = decompProg.c_str();
+ if (decompProg == "copy")
+ Mode = "copy";
+ else if (decompProg == "xz")
+ Mode = "xz";
+ else if (decompProg == "lzma")
+ Mode = "lzma";
+ else if (decompProg == "bzip2")
+ Mode = "bzip2";
+ else if (decompProg == "gzip")
+ Mode = "gzip";
+ else
+ Mode = "decomp";
}
/*}}}*/
// AcqIndexTrans::pkgAcqIndexTrans - Constructor /*{{{*/
commit a2679f55b5b14092db88fab3799f06e6b68e439e
Author: David Kalnischkies <david@kalnischkies.de>
Date: Tue Apr 7 14:34:04 2015 +0200
properly handle expected filesize in https
The worker expects that the methods tell him when they start or finish
downloading a file. Various information pieces are passed along in this report
including the (expected) filesize. https is using a "global" struct for
reporting which made it 'reuse' incorrect values in some cases like a
non-existent InRelease fallbacking to Release{,.gpg} resulting in an incorrect
size-mismatch warning scaring and desensitizing users as well as being subject
to a race between the write_data and progress callbacks generating incorrect
progress reporting and potentially the same error message.
Other branches as well as the bugreports contain 'better' fixes making the
struct local and other sensible changes, but are larger as a result, so in
this version we opted for short diff with minimal effect above else instead.
Closes: 777565, 781509
Thanks: Robert Edmonds and Anders Kaseorg for initial patchs
diff --git a/methods/https.cc b/methods/https.cc
index 3a5981b..cb11159 100644
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -68,6 +68,8 @@ HttpsMethod::parse_header(void *buffer, size_t size, size_t nmemb, void *userp)
me->File->Truncate(me->Server->StartPos);
me->File->Seek(me->Server->StartPos);
+
+ me->Res.Size = me->Server->Size;
}
else if (me->Server->HeaderLine(line) == false)
return 0;
@@ -97,17 +99,6 @@ HttpsMethod::write_data(void *buffer, size_t size, size_t nmemb, void *userp)
return buffer_size;
}
-int
-HttpsMethod::progress_callback(void *clientp, double dltotal, double /*dlnow*/,
- double /*ultotal*/, double /*ulnow*/)
-{
- HttpsMethod *me = (HttpsMethod *)clientp;
- if(dltotal > 0 && me->Res.Size == 0) {
- me->Res.Size = (unsigned long long)dltotal;
- }
- return 0;
-}
-
// HttpsServerState::HttpsServerState - Constructor /*{{{*/
HttpsServerState::HttpsServerState(URI Srv,HttpsMethod * /*Owner*/) : ServerState(Srv, NULL)
{
@@ -201,10 +192,8 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
curl_easy_setopt(curl, CURLOPT_WRITEHEADER, this);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, this);
- curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progress_callback);
- curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, this);
// options
- curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false);
+ curl_easy_setopt(curl, CURLOPT_NOPROGRESS, true);
curl_easy_setopt(curl, CURLOPT_FILETIME, true);
// only allow curl to handle https, not the other stuff it supports
curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
@@ -357,6 +346,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
// go for it - if the file exists, append on it
File = new FileFd(Itm->DestFile, FileFd::WriteAny);
Server = new HttpsServerState(Itm->Uri, this);
+ Res = FetchResult();
// keep apt updated
Res.Filename = Itm->DestFile;
commit 7fddeb55af9c022fd96343d9cd700c946dbf8a01
Author: David Kalnischkies <david@kalnischkies.de>
Date: Sat Mar 7 13:11:49 2015 +0100
fix another d(e)select-upgrade typo
You would think one instance of this is enough, but
80e8d923ebc8d5f3f84eb3f922b28ca309c25026 wasn't as
globally applied as the commit message suggested…
LP: #1399037
diff --git a/apt-private/private-cmndline.cc b/apt-private/private-cmndline.cc
index 0b5ba5b..c0f631a 100644
--- a/apt-private/private-cmndline.cc
+++ b/apt-private/private-cmndline.cc
@@ -165,7 +165,7 @@ static bool addArgumentsAPTGet(std::vector<CommandLine::Args> &Args, char const
addArg(0, "color", "APT::Moo::Color", 0);
if (CmdMatches("install", "remove", "purge", "upgrade", "dist-upgrade",
- "deselect-upgrade", "autoremove", "clean", "autoclean", "check",
+ "dselect-upgrade", "autoremove", "clean", "autoclean", "check",
"build-dep", "full-upgrade", "source"))
{
addArg('s', "simulate", "APT::Get::Simulate", 0);
Attachment:
signature.asc
Description: Digital signature