Bug#767339: dh-python: [patch] Please add Multi-Arch: foreign

2014-10-30 Thread Michael Vogt
Package: dh-python
Version: 1.20141026-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu vivid ubuntu-patch




In Ubuntu, the attached patch was applied to achieve the following:

  * debian/control:
    - add Multi-Arch: foreign to dh-python


Thanks for considering the patch.

Cheers,
 Michael

-- System Information:
Debian Release: jessie/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru dh-python-1.20141026/debian/changelog dh-python-1.20141026/debian/changelog
diff -Nru dh-python-1.20141026/debian/control dh-python-1.20141026/debian/control
--- dh-python-1.20141026/debian/control	2014-10-26 23:41:17.0 +0100
+++ dh-python-1.20141026/debian/control	2014-10-30 11:12:37.0 +0100
@@ -14,6 +14,7 @@
 
 Package: dh-python
 Architecture: all
+Multi-Arch: foreign
 Depends: ${misc:Depends}, ${python3:Depends}
 Breaks:
 # due to /usr/bin/dh_python3 and debhelper files
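Review bot: the Multi-Arch: foreign line added under Architecture: all arrives without a changelog hunk (the debian/changelog diff header above is empty), so the entry quoted in the report has to be added by hand when applying. That entry should also say why foreign is safe here, namely that the package is consumed only through its tools such as /usr/bin/dh_python3 and exposes nothing architecture-specific.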


Bug#767253: Please provide hashes for uncompressed Translation-*

2014-10-29 Thread Michael Vogt
Package: debian-cd
Version: 3.1.15

Please include the uncompressed hashes for the i18n/Translation-*
files in the cdrom Release file in addition to the compressed
ones. This is required so that apt can ensure that the hashes are
correct after uncompressing and will also allow us to unify the code
path for Packages/Translation verification in apt.

Cheers,
 Michael


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#767253: Acknowledgement (Please provide hashes for uncompressed Translation-* )

2014-10-29 Thread Michael Vogt
Hi,

I had a quick look at the debian-cd scripts and something like the
attached (and totally untested) patch is probably sufficient. 

The idea is that we keep both Translation-* and Translation-*.gz
around, then generate the Release file with the hashes and then remove
the uncompressed files from the CD. Apt should really not need the
uncompressed files on the cdrom, but it does need them in the Release
file for the verification.

Sorry that I have not tested this, I'm not familiar with the cd
building and I couldn't find unittests. But I'm happy to dig into it
if needed.

Thanks for your consideration,
 Michael
diff -Nru debian-cd-3.1.15/tools/make_disc_trees.pl debian-cd-3.1.16/tools/make_disc_trees.pl
--- debian-cd-3.1.15/tools/make_disc_trees.pl	2014-06-03 16:45:55.0 +0200
+++ debian-cd-3.1.16/tools/make_disc_trees.pl	2014-10-29 16:43:15.0 +0100
@@ -574,6 +574,16 @@
 	$st = stat($filename) || die Stat error on '$filename': $!\n;
 	return ($checksum, $st-size);
 }
+sub remove_uncompressed {
+	my ($filename);
+
+	$filename = $File::Find::name;
+if ($filename =~ m/\/.*\/(Packages|Sources)$/o ||
+$filename =~ m/\/.*\/i18n\/(Translation-[a-z]+)$/o)
+{
+unlink($filename);
+}
+}
 
 sub recompress {
 	# Recompress various files
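Review bot: remove_uncompressed also matches and unlinks Packages and Sources, while the description and the recompress change only cover the i18n/Translation-* files; if uncompressed Packages or Sources are meant to stay on the disc, restrict the match to the Translation pattern. The unlink() result is not checked either, so a failed removal passes silently; warn or die on failure as the stat call just above does.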
@@ -588,7 +598,7 @@
 # Translation files need to be compressed in .gz format on CD?
 	if ($filename =~ m/\/.*\/i18n\/(Translation.*)$/o 
 ! ($filename =~ m/\/.*\/i18n\/(Translation.*gz)$/o)) {
-		system(gzip -9 $_);
+		system(gzip -9c  $_ $_.gz);
 	}
 }	
 
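Review bot: the new gzip -9c call in recompress goes through system() with $_ interpolated into a shell command line and its exit status ignored; because remove_uncompressed later deletes the uncompressed file, a failed compression would leave the disc with neither copy. Check the return value of system() and die on failure, and pass the file name in a way that is safe for names containing shell metacharacters.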
@@ -829,6 +839,7 @@
 	find (\recompress, .);
 	checksum_files_for_release();
 	close(RELEASE);
+find (\remove_uncompressed, .);
 	chdir(../..);
 
 	print   Finishing off md5sum.txt\n;


Bug#767253: Please provide hashes for uncompressed Translation-*

2014-10-29 Thread Michael Vogt
On Wed, Oct 29, 2014 at 04:28:42PM +, Steve McIntyre wrote:
> Hi Michael!
Hi Steve,

thanks for your quick reply!
 
> On Wed, Oct 29, 2014 at 04:31:13PM +0100, Michael Vogt wrote:
> > Package: debian-cd
> > Version: 3.1.15
> >
> > Please include the uncompressed hashes for the i18n/Translation-*
> > files in the cdrom Release file in addition to the compressed
> > ones. This is required so that apt can ensure that the hashes are
> > correct after uncompressing and will also allow us to unify the code
> > path for Packages/Translation verification in apt.
>
> OK, no problem. Would you also like the uncompressed files too, or is
> just the hashes OK? Also: if you're revisiting this area of code, are
> we still wanting .gz files or could/should we use stronger compression
> methods?

Having the uncompressed files on the cdrom should not be needed, apt
should simply fetch the compressed ones if the uncompressed ones are
missing. It does need the hash of the uncompressed one in the Release
so that it can verify that it matches after the uncompression.

Having something stronger than gzip is certainly a good idea, apt
should deal just fine with .xz. If it's easy for you then maybe we
could generate a netinst image with the above changes (plus switching
to .xz) and I can test against the current apt and fix (potential)
issues on my side. Alternatively if you could give me a quick hint how
to generate a netinst (or similar iso) I can try to generate a
testimage myself.

Thanks,
 Michael





Bug#759693: unattended-upgrades: please document how to configure the logging options

2014-10-28 Thread Michael Vogt
On Wed, Oct 22, 2014 at 07:35:40AM +0200, Alexandre Detiste wrote:
> control: reopen -1
>
> Since this change, the mail I receive contains the changes from all previous
> days.
>
> See multiple 'Log Started' in attached mail.

Thanks for your bugreport.

The attached patch should fix this problem. It will be part of the
next upload to unstable.

Cheers,
 Michael

=== modified file 'test/test_mail.py'
--- test/test_mail.py	2014-02-06 00:06:25 +
+++ test/test_mail.py	2014-10-28 10:49:03 +
@@ -5,6 +5,7 @@
 import apt_pkg
 import os
 import sys
+from textwrap import dedent
 import unittest
 
 from io import StringIO
@@ -18,9 +19,12 @@
 class CommonTestsForMailxAndSendmail(object):
 
 EXPECTED_MAIL_CONTENT_STRINGS = [
-logfile_dpkg text,
+random logfile_dpkg text,
 mem_log text,
 ]
+NOT_EXPECTED_MAIL_CONTENT_STRINGS = [
+old logfile text,
+]
 
 def common_setup(self):
 # monkey patch to make it testable
@@ -49,12 +53,25 @@
 )
 logfile_dpkg = ./apt-term.log
 with open(./apt-term.log, w) as fp:
-fp.write(logfile_dpkg text)
+# note that we intentionally not have a Log ended: here
+# because this may happen if something crashes power goes
+# down etc
+fp.write(dedent(\
+Log started: 2014-10-28  10:00
+random logfile_dpkg text
+
+Log started: 2013-01-01  12:00
+old logfile text
+Log ended: 2013-01-01  12:20
+))
 return (pkgs, res, pkgs_kept_back, mem_log, logfile_dpkg)
 
 def _verify_common_mail_content(self, mail_txt):
 for expected_string in self.EXPECTED_MAIL_CONTENT_STRINGS:
 self.assertTrue(expected_string in mail_txt)
+for not_expected_string in self.NOT_EXPECTED_MAIL_CONTENT_STRINGS:
+self.assertFalse(not_expected_string in mail_txt)
+self.assertEqual(mail_txt.count(Log started: ), 1)
 
 def test_summary_mail_reboot(self):
 with open(./reboot-required, w) as fp:
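Review bot: the fixture written in common_setup puts the 2014 section before the 2013 one, so the test only covers a log whose newest run is at the top of the file; add a second fixture with the old section first and the current run last, which is the order an appended log would have. The new membership checks in _verify_common_mail_content would also be better as assertIn and assertNotIn, which show the mail text when they fail.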

=== modified file 'unattended-upgrade'
--- unattended-upgrade	2014-10-15 08:05:10 +
+++ unattended-upgrade	2014-10-28 10:48:02 +
@@ -790,7 +790,10 @@
 if os.path.exists(logfile_dpkg):
 body += _(Package installation log:) + \n
 with open(logfile_dpkg) as fp:
-body += fp.read()
+for i, line in enumerate(fp.readlines()):
+if i  0 and line.startswith(Log started: ):
+break
+body += line
 body += \n\n
 body += _(Unattended-upgrades log:\n)
 body += mem_log.getvalue()
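Review bot: the new loop stops at the second 'Log started: ' line, so the mail body always carries the first section of logfile_dpkg; that is the current run only if new runs are written at the top of the file. If the log is appended to, this mails the oldest run, so collect the lines after the last 'Log started: ' marker instead. Iterating over fp directly also avoids loading the whole file through readlines().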



Bug#753892: Regular expressions are indeed mandatory

2014-10-28 Thread Michael Vogt
On Wed, Oct 22, 2014 at 02:08:19PM +0200, Kai Storbeck wrote:
> Dear Maintainer,
Hi Kai,

thanks for your bugreport.
 
> I tried adding this package to the package-blacklist:
>
>   libstdc++6
>
> This will fail, as it is an invalid regular expression:
[..]
>   File "/usr/lib/python2.7/re.py", line 242, in _compile
>     raise error, v # invalid expression
> sre_constants.error: multiple repeat
>
> (this is on wheezy)
>
>
> Is this intentional, or is this a bug?

This is sort-of intentional but I think you raise an interesting
usability issue here. The blacklist/whitelist consists of regular
expressions but that is actually not super user friendly as it's not
obvious and they are also hard to use compared to something like
glob/fnmatch style matching (or plain packagenames). I can't change
this easily without breaking existing setups though.

So I think better documenting it is the first step.

It could simply use it as a plain string if the regexp fails and
display a warning. Or I could add a new
Unattended-Upgrade::Package-Blacklist-Plain list for non-regexp
content (it really should be the other way around,
Unattended-Upgrade::Package-Blacklist-Regex and
Unattended-Upgrade::Package-Blacklist would be plain but that is
tricky due to the compatibility concerns I outlined earlier).

Cheers,
 Michael





Bug#767126: python-couchdb: [patch] ship couchdb-replicate as well and fix install failure

2014-10-28 Thread Michael Vogt
Package: python-couchdb
Version: 0.10-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu  ubuntu-patch




In Ubuntu, the attached patch was applied to achieve the following:

  * Merged from debian, remaining changes:
    - ship couchdb-replicate
    - fix postinst failure by disabling pyexec in python3
      this needs a proper fix once py3 is supported by the packages

Thanks for considering the patch.

For the postinst failure a better fix is probably the patch that gentoo
did (and that really should go upstream IMO):
https://www.mail-archive.com/gentoo-commits@lists.gentoo.org/msg38169.html


-- System Information:
Debian Release: jessie/sid
  APT prefers utopic-updates
  APT policy: (500, 'utopic-updates'), (500, 'utopic-security'), (500, 
'utopic-proposed'), (500, 'utopic'), (100, 'utopic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-22-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru python-couchdb-0.10/debian/changelog python-couchdb-0.10/debian/changelog
diff -Nru python-couchdb-0.10/debian/install python-couchdb-0.10/debian/install
--- python-couchdb-0.10/debian/install	2014-09-28 18:14:36.0 +0200
+++ python-couchdb-0.10/debian/install	2014-10-28 17:02:46.0 +0100
@@ -1,5 +1,6 @@
 couchdb-dumpusr/bin/
 couchdb-loadusr/bin/
 couchpy usr/bin/
+couchdb-replicate usr/bin/
 
 debian/extra/python-couchdbetc/couchdb/default.d/
diff -Nru python-couchdb-0.10/debian/manpages python-couchdb-0.10/debian/manpages
--- python-couchdb-0.10/debian/manpages	2014-09-28 18:14:36.0 +0200
+++ python-couchdb-0.10/debian/manpages	2014-10-28 17:02:46.0 +0100
@@ -1,3 +1,4 @@
 couchdb-dump.1
 couchdb-load.1
 couchpy.1
+couchdb-replicate.1
diff -Nru python-couchdb-0.10/debian/patches/04-fix-py3 python-couchdb-0.10/debian/patches/04-fix-py3
--- python-couchdb-0.10/debian/patches/04-fix-py3	1970-01-01 01:00:00.0 +0100
+++ python-couchdb-0.10/debian/patches/04-fix-py3	2014-10-28 17:06:19.0 +0100
@@ -0,0 +1,13 @@
+Index: python-couchdb-0.10/couchdb/util3.py
+===
+--- python-couchdb-0.10.orig/couchdb/util3.py
 python-couchdb-0.10/couchdb/util3.py
+@@ -14,7 +14,7 @@ from urllib.parse import urlsplit, urlun
+ from urllib.parse import quote as urlquote
+ from urllib.parse import unquote as urlunquote
+ 
+-pyexec = exec
++#pyexec = exec
+ 
+ def funcode(fun):
+ return fun.__code__
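Review bot: commenting out pyexec = exec in couchdb/util3.py leaves the name undefined, so any Python 3 caller that imports or calls pyexec from this module now fails at run time; the report itself calls this a stopgap. The patch file also has no header (description, origin, forwarded status), which makes it hard to know when it can be dropped; add one and reference the Gentoo change mentioned in the report.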
diff -Nru python-couchdb-0.10/debian/patches/series python-couchdb-0.10/debian/patches/series
--- python-couchdb-0.10/debian/patches/series	2014-09-28 18:14:36.0 +0200
+++ python-couchdb-0.10/debian/patches/series	2014-10-28 17:04:15.0 +0100
@@ -1,2 +1,3 @@
 01-improve_bin_scripts.patch
 03-remove_module_shebang.patch
+04-fix-py3
diff -Nru python-couchdb-0.10/debian/rules python-couchdb-0.10/debian/rules
--- python-couchdb-0.10/debian/rules	2014-09-28 18:14:36.0 +0200
+++ python-couchdb-0.10/debian/rules	2014-10-28 17:02:46.0 +0100
@@ -19,10 +19,10 @@
 	help2man -N -n a CouchDB dump utility ./couchdb-dump  couchdb-dump.1
 	help2man -N -n a CouchDB load utility ./couchdb-load  couchdb-load.1
 	help2man -N -n a CouchDB Python view server ./couchpy  couchpy.1
+	help2man -N -n a CouchDB Python replication tool --version-string=$(UPVER)  ./couchdb-replicate  couchdb-replicate.1
 
 override_dh_auto_install:
 	dh_auto_install -- --single-version-externally-managed
-
 	-rm -rf $(CURDIR)/debian/usr/share/doc/python-couchdb/html/_static/jquery.js
 
 override_dh_clean:
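Review bot: the added help2man line for couchdb-replicate passes --version-string=$(UPVER) while the three lines above it do not, and UPVER is not defined in the visible part of debian/rules; confirm the variable is set, and say why only this tool needs the version passed in. The removal of the blank line after dh_auto_install is unrelated and can be dropped from the patch.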


Bug#766524: dpkg: Please provide a way to install/unpack/configure without using argv[]

2014-10-23 Thread Michael Vogt
Package: dpkg
Severity: wishlist

Dear Dpkg Maintainer,

apt is currently unpacking/configuring packages by running
dpkg --unpack pkg1.deb pkg2.deb ... pkgN.deb
dpkg --configure pkg1 pkg2 ... pkgN

this can be problematic for big installations when the commandline
gets very long and exceeds _SC_ARG_MAX.

One possible solution might be to have something like --archivefiles-fd
or --arg-file argument where frontends to apt can feed data into.

If that's a direction that sounds sensible I can start working on a
patch for this.

Cheers,
 Michael





Bug#764678: dh-systemd: Please support systemd user services

2014-10-10 Thread Michael Vogt
Package: dh-systemd
Severity: wishlist

It would be very nice if dh-systemd would support systemd user
units (both for detecting them during build time and to add
something like systemctl --global enable my-user-unit to the
debian/postinst).

My use case is that the package installs a unit that
should run at login time for all users. In the past this was 
done via the upstart session support. 

If you agree with the general idea I can help and work on a
patch.

Thanks,
 Michael





Bug#763780: apt-get: Insecure temporary changelog handling

2014-10-08 Thread Michael Vogt
On Thu, Oct 02, 2014 at 06:29:45PM +0200, Guillem Jover wrote:
> Package: apt
> Version: 0.8.7
> Severity: serious
> Tags: security patch

Thanks for your bugreport and your patch!
 
> I've found an instance of insecure temporary filenames handling. The
> problem is that the code correctly creates a temporary directory, but
> then uses that name as just a prefix for the created changelog
> filename, thus creating it alongside the temporary directory (instead
> of inside of it), and making it very much predictable. This is worsened
> due to the time it takes apt-get to download the changelog from the net,
> which gives a very huge window to use that pathname.
>
> Attached a patch fixing this. This affects all versions starting from
> the one in squeeze.
>
> I'm not sure if this deserves a CVE or perhaps a lower severity?
[..]

I uploaded a fix for wheezy now, squeeze is not affected, this feature
got added in 0.8.11 in debian so we should be safe here.

Cheers,
 Michael
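
The path mistake described in the report, next to a contained variant, as an added example that is not part of the thread and not apt's source. All function names and the "changelog" file name are hypothetical; the file is created with openat() relative to the private directory and with O_EXCL|O_NOFOLLOW so that a pre-planted name is refused.

```cpp
// Added illustration of the temp-path bug class discussed in Bug#763780.
// Constructed code with hypothetical names; it is not apt's source.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Create a private (0700) directory with an unpredictable name.
// Returns an empty string on failure.
std::string make_private_dir()
{
   const char *base = getenv("TMPDIR");
   std::string tmpl = (base != nullptr && *base != '\0') ? base : "/tmp";
   tmpl += "/changelog-demo.XXXXXX";
   std::vector<char> buf(tmpl.begin(), tmpl.end());
   buf.push_back('\0');
   if (mkdtemp(buf.data()) == nullptr)
      return std::string();
   return std::string(buf.data());
}

// Pattern from the report: the directory name is only a prefix, so the
// file lands next to the private directory, in the shared parent.
std::string prefixed_path(const std::string &dir, const std::string &name)
{
   return dir + name;
}

// Intended behaviour: the file lives inside the private directory.
std::string contained_path(const std::string &dir, const std::string &name)
{
   return dir + "/" + name;
}

// Directory part of a path (no normalisation, enough for the comparison).
std::string parent_of(const std::string &path)
{
   std::string::size_type pos = path.rfind('/');
   if (pos == std::string::npos)
      return ".";
   return pos == 0 ? "/" : path.substr(0, pos);
}

// Create `name` strictly inside `dir`. Refuses names with a path
// separator, existing files and symlinks. Returns an fd or -1 (errno set).
int create_inside(const std::string &dir, const std::string &name)
{
   if (name.empty() || name.find('/') != std::string::npos)
   {
      errno = EINVAL;
      return -1;
   }
   int dfd = open(dir.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
   if (dfd < 0)
      return -1;
   int fd = openat(dfd, name.c_str(),
                   O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
   int saved = errno;   // close() may overwrite errno
   close(dfd);
   errno = saved;
   return fd;
}

int main()
{
   std::string dir = make_private_dir();
   if (dir.empty())
   {
      perror("mkdtemp");
      return 1;
   }
   printf("private dir   : %s\n", dir.c_str());
   printf("prefixed path : %s (parent %s)\n",
          prefixed_path(dir, "changelog").c_str(),
          parent_of(prefixed_path(dir, "changelog")).c_str());
   printf("contained path: %s (parent %s)\n",
          contained_path(dir, "changelog").c_str(),
          parent_of(contained_path(dir, "changelog")).c_str());

   int fd = create_inside(dir, "changelog");
   if (fd < 0)
   {
      perror("create_inside");
      return 1;
   }
   close(fd);
   unlink(contained_path(dir, "changelog").c_str());
   rmdir(dir.c_str());
   return 0;
}
```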





Bug#764442: apt: String overrun in RSHConn::WriteMsg() (transports rsh: and ssh:)

2014-10-08 Thread Michael Vogt
On Wed, Oct 08, 2014 at 02:49:40AM -0400, David Garfield wrote:
> Package: apt
> Version: 1.0.9.2
> Severity: normal

Thanks for your bugreport. 
 
> In examining the sources in method/rsh.cc I ran across the function
> RSHConn::WriteMsg()
>
> The first thing it does is make a buffer of 512 bytes, put up to 508
> bytes of data in it (the vsnprintf call), and then add at least 14
> more bytes of data (the strcat calls).

Good catch, thank you!

[..]
> The simplest fix is probably to change the - 4 on the vsnprintf()
> to - 24 or thereabouts.  A more complex fix (probably not needed)
> might send the two strings separately.  It also might be wise to
> consider if the buffer should be enlarged.
>
> I have not fully examined other sources for similar code, but do see
> where this came from in method/ftp.cc.
[..]

I fixed this in git and replaced the strcat with a C++ std::string so
that we do not run into the fixed buffer issue. I also enlarged the
buffer while doing so. 

Cheers,
 Michael
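
The size arithmetic from the report, with a bounded fixed-buffer builder and a std::string builder, as an added example that is not part of the thread and not apt's methods/rsh.cc. The 512 and "- 4" figures come from the report; the 14-byte trailer and all function names are constructed for the illustration.

```cpp
// Added illustration for the overrun described in Bug#764442.
// Constructed code with hypothetical names; it is not apt's source.
#include <algorithm>
#include <cstdarg>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

const size_t kBufSize = 512;   // buffer size given in the report
const size_t kReserve = 4;     // the "- 4" passed to vsnprintf()
// Constructed 14-byte trailer standing in for what the strcat() calls add.
const char kTrailer[] = ";echo DONE_OK\n";
const size_t kTrailerLen = sizeof(kTrailer) - 1;

// Bytes (including the final NUL) that the reported pattern writes when
// the formatted message alone would be `formatted_len` characters long.
// vsnprintf(buf, kBufSize - kReserve, ...) keeps at most
// kBufSize - kReserve - 1 characters; the trailer is appended unchecked.
size_t bytes_written_by_reported_pattern(size_t formatted_len)
{
   size_t kept = std::min(formatted_len, kBufSize - kReserve - 1);
   return kept + kTrailerLen + 1;
}

// Fixed-buffer variant that refuses instead of writing past the end.
// Returns false (and leaves an empty string) if message plus trailer
// plus NUL do not fit into out_size bytes.
bool build_fixed(char *out, size_t out_size, const char *fmt, ...)
{
   if (out == nullptr || out_size == 0)
      return false;
   va_list args;
   va_start(args, fmt);
   int n = vsnprintf(out, out_size, fmt, args);
   va_end(args);
   if (n < 0 || static_cast<size_t>(n) + kTrailerLen + 1 > out_size)
   {
      out[0] = '\0';
      return false;
   }
   memcpy(out + n, kTrailer, kTrailerLen + 1);   // copies the NUL as well
   return true;
}

// std::string variant: measure first, then format into a buffer of the
// right size, so no fixed limit applies to message or trailer.
bool build_string(std::string &out, const char *fmt, ...)
{
   va_list args, measure;
   va_start(args, fmt);
   va_copy(measure, args);
   int n = vsnprintf(nullptr, 0, fmt, measure);
   va_end(measure);
   if (n < 0)
   {
      va_end(args);
      return false;
   }
   out.resize(static_cast<size_t>(n) + 1);
   vsnprintf(&out[0], out.size(), fmt, args);
   va_end(args);
   out.resize(static_cast<size_t>(n));   // drop the NUL vsnprintf wrote
   out += kTrailer;
   return true;
}

int main()
{
   printf("reported pattern, 600-char message: %zu bytes into a %zu-byte buffer\n",
          bytes_written_by_reported_pattern(600), kBufSize);

   char buf[kBufSize];
   std::string big(600, 'A');
   printf("build_fixed accepts it : %s\n",
          build_fixed(buf, sizeof(buf), "%s", big.c_str()) ? "yes" : "no");

   std::string out;
   build_string(out, "%s", big.c_str());
   printf("build_string length    : %zu\n", out.size());
   return 0;
}
```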





Bug#763399: Hardening dpkg/apt

2014-10-01 Thread Michael Vogt
On Mon, Sep 29, 2014 at 09:24:35PM +, ban...@openmailbox.org wrote:
> Package: apt
> Version: all

Thanks for your bugreport. 
 
> Sometimes apt/dpkg can contain vulnerable, remotely exploitable bugs
> which is a big risk when used over the untrusted internet.
>
> As it happens, anyone could have been in a position to run
> man-in-the-middle attacks with the latest security hole
> [CVE-2014-6273] in apt-get. What makes this bug crippling is that
> updating apt to fix it would have exposed it to what the fix was
> supposed to prevent, so manually downloading the package out of band
> was the safest option this time.

I totally agree that we need to do more to protect the downloaders
(and Julian pointed to some efforts for this already).

In this particular case we got some protection from the fact that we
build apt with the default dpkg-buildflags which include
_FORTIFY_SOURCE=2 [1].

This helps to mitigate the recent apt buffer overflow, the sprintf()
call is translated to sprintf_chk() and I'm not aware of a way to
exploit this other than to trigger an abort(). I checked the generated
assembler for the __sprintf_chk call and the max buffer size is
correctly loaded into %edx so it seems like the protection is
working. If there is a way to circumvent this, then I would love to
hear more about the details of such an attack!

> In order to drastically limit an attackers options I recommend
> creating a seccomp-bpf filter for apt and dpkg to limit what they
> can do should a weak function be remotely exploited. Other options
> include enabling any and all compile-time binary hardening such as
> PIE, RELRO, CANARY etc.
[..]

All hardening except for PIE and ld -z are currently enabled, these
two will be enabled with the next upload (probably in experimental
first).

We do want to go further and protect the downloaders but there is some
more work involved here, we need to move the proxy auto-detection out
of the acquire method first but once that is done, we can further lock
down the downloader code.

Help with this effort is of course very welcome :) !

Thanks,
 Michael

[1] Apt has all hardening features enabled in the debian/experimental
branch now and we plan to move this to unstable soon.





Bug#710924: bug still exists

2014-09-29 Thread Michael Vogt
On Sun, Sep 28, 2014 at 11:21:29AM +0800, 積丹尼 Dan Jacobson wrote:
> # aptitude update
[..]
> Err http://ftp.tw.debian.org experimental/main i386 Packages
>   406  Not Acceptable
> Err http://ftp.tw.debian.org experimental/contrib i386 Packages
[..]
> E: Some index files failed to download. They have been ignored, or old ones
> used instead.
> E: Couldn't rebuild package cache

Thanks for your bugreport. What version of apt are you using? And how
can we reproduce it (i.e. is using your sources.list enough in a clean
chroot, does that trigger the bug for you as well?).

Thanks,
 michael 





Bug#762178: apt: massive a-g update slowdowns due to recent security fixes

2014-09-20 Thread Michael Vogt
On Fri, Sep 19, 2014 at 09:00:43AM +, Thorsten Glaser wrote:
> Package: apt
> Version: 1.0.9.1
> Severity: minor

Thanks for your bugreport.
 
> Michael Vogt requested I file this as official bugreport:
>
> The recent revalidation changes lead to a simple apt-get update
> on my buildd machine (m68k VM with 198 MHz CPU) with only the
> incoming.d-p.o repository modified, but not unstable, taking:
>
> Fetched 156 kB in 8min 33s (304 B/s)
>
> The sources.list on that chroot is just:
>
> deb http://ftp.de.debian.org/debian-ports unstable main
> deb http://ftp.de.debian.org/debian-ports unreleased main
> deb-src http://ftp.de.debian.org/debian unstable main
> # plus the “incoming” repository
>
> With almost 200 MHz, this is one of the faster “machines”.
> Our regular buildds have 25, 33, 50 MHz.
[..]

This is indeed a pretty big hit on this hardware :/

The following patch should fix most of this:

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 5df4372..28ede30 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1558,8 +1558,9 @@ void pkgAcqMetaIndex::AuthDone(string Message)
/*{{{*/
}
 
 
-   // Download further indexes with verification
-   QueueIndexes(true);
+   // Download further indexes with verification if something has   changed
+   if(IMSHit == false)
+  QueueIndexes(true);
 
// is it a clearsigned MetaIndex file?
if (DestFile == SigFile)
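Review bot: with the new if (IMSHit == false) guard in AuthDone, an unchanged Release file means QueueIndexes(true) is never called, so index files already in the lists directory are neither re-checked nor re-fetched when they are missing. Before skipping, at least confirm that every index named in the Release file exists on disk, and fall back to QueueIndexes(true) otherwise. The new comment also has stray spaces in 'has   changed'.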


The downside is of course that if a Packages file is missing (because
of an earlier download error for example) then it won't be fetched
again, so the patch is probably too simplistic. But I think something
like this should be done to avoid the extra verify step if we know
that nothing has changed.

Cheers,
 Michael


> The cause for this is that even a not-modified now triggers
> reverification of all downloaded files. The visible effect
> is a process called “copy” taking 90% CPU for minutes, in
> top(1).
>
> Michael and I think that apt should, when the Release and
> Release.gpg (or InRelease, but we aren’t using them any
> more, IIRC?) files are not modified, just reverify these,
> and, if they pass, assume the other data on the disc is
> valid/verified (because the files only get moved out of
> partial/ once verified AFAIK, and because if an unmodified
> Release file passes reverification, it would have passed
> initial verification as well, normally).
>
> Michael also thinks apt could cache more information, such
> as the original hashes, to speed up things more.
>
>
> -- Package-specific info:
>
> -- apt-config dump --
 

Bug#762160: apt: [regression] 406 Not acceptable errors

2014-09-19 Thread Michael Vogt
On Fri, Sep 19, 2014 at 01:31:04PM +0800, Paul Wise wrote:
> Package: apt
> Version: 0.9.7.9+deb7u4
> Severity: important

Thanks for your bugreport and sorry for the trouble this is causing you.
 
> The recent apt security updates broke the Debian derivatives census
> scripts, various sites now return 406 Not acceptable errors.
>
> The set of instructions below produces the errors on the second apt-get
> update run with apt 0.9.7.9+deb7u4 but not with apt 0.9.7.9+deb7u2.

I debugged this issue and it turns out apt does no longer deal well
with the relative path for Dir (in the new ReverifyAfterIMSHit
step).  That's a regression and needs fixing, I'll look into this.

In the meantime you can set:
 Dir "$(pwd)/apt";
to unblock your script.

Cheers,
 Michael
 
> I also note that if I use the same sources.list with chdist from
> devscripts I do *not* get the same errors.
>
> Looking at the wireshark log, the difference is that chdist only gets
> 304 and 404 HTTP codes but plain apt gets 304, 404, 416 and 406 codes.
>
> These sources.list files exhibit the issue:
>
> https://dex.alioth.debian.org/census/Aptosid/sources.list
> https://dex.alioth.debian.org/census/ArcheOS/sources.list
> https://dex.alioth.debian.org/census/AstraLinux/sources.list
> https://dex.alioth.debian.org/census/BCCD/sources.list
> https://dex.alioth.debian.org/census/HandyLinux/sources.list
> https://dex.alioth.debian.org/census/Ordissimo/sources.list
> https://dex.alioth.debian.org/census/SteamOS/sources.list
> https://dex.alioth.debian.org/census/Tucunare/sources.list
> https://dex.alioth.debian.org/census/sources.list
> https://dex.alioth.debian.org/census/sources.list
>
> rm -rf sources.list apt.conf apt
> cat << EOF > sources.list
> deb [arch=i386,amd64] http://aptosid.com/debian/ sid main fix.main
> deb-src http://aptosid.com/debian/ sid main fix.main
> EOF
> cat << EOF > apt.conf
> Dir "apt";
> Dir::State::status "./apt/var/lib/dpkg/status";
> Dir::Etc::sourcelist "./sources.list";
> EOF
> mkdir --parents apt/var/lib/dpkg apt/etc/apt/apt.conf.d \
>   apt/etc/apt/trusted.gpg.d apt/etc/apt/preferences.d \
>   apt/etc/apt/sources.list.d apt/var/lib/apt/lists/partial \
>   apt/var/cache/apt/archives/partial
> touch apt/var/lib/dpkg/status apt/etc/apt/trusted.gpg
> export APT_CONFIG=`pwd`/apt.conf
> apt-get update
> apt-get update
>
> -- System Information:
> Debian Release: 7.6
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages apt depends on:
> ii  debian-archive-keyring  2012.4
> ii  gnupg                   1.4.12-7+deb7u6
> ii  libapt-pkg4.12          0.9.7.9+deb7u4
> ii  libc6                   2.13-38+deb7u4
> ii  libgcc1                 1:4.7.2-5
> ii  libstdc++6              4.7.2-5
>
> apt recommends no packages.
>
> Versions of packages apt suggests:
> pn  apt-doc     <none>
> ii  aptitude    0.6.8.2-1
> ii  dpkg-dev    1.16.15
> pn  python-apt  <none>
> ii  xz-utils    5.1.1alpha+20120614-2
>
> -- no debconf information
>
> --
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise





Bug#762160: apt: [regression] 406 Not acceptable errors

2014-09-19 Thread Michael Vogt
On Fri, Sep 19, 2014 at 01:31:04PM +0800, Paul Wise wrote:
> The recent apt security updates broke the Debian derivatives census
> scripts, various sites now return 406 Not acceptable errors.
>
> The set of instructions below produces the errors on the second apt-get
> update run with apt 0.9.7.9+deb7u4 but not with apt 0.9.7.9+deb7u2.

This patch should fix it, if you could double check, that would be
great. I'm also curious if your second bugreport is fixed with this too:


diff --git a/methods/copy.cc b/methods/copy.cc
index 5570f31..b78053d 100644
--- a/methods/copy.cc
+++ b/methods/copy.cc
@@ -55,8 +55,8 @@ void CopyMethod::CalculateHashes(FetchResult Res)
 /* */
 bool CopyMethod::Fetch(FetchItem *Itm)
 {
-   URI Get = Itm-Uri;
-   std::string File = Get.Path;
+   // this ensures that relative paths work in copy
+   std::string File = Itm-Uri.substr(Itm-Uri.find(':')+1);
 
// Stat the file and send a start message
struct stat Buf;
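Review bot: taking everything after the first ':' of Itm->Uri in CopyMethod::Fetch bypasses the URI parser, so a URI written as copy://... would keep its leading '//' (and any host part) in File, and a string without ':' is used whole because find() returns npos. State which URI forms are expected to reach this method, and consider stripping the literal copy: prefix explicitly so that anything else is rejected.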

 
Thanks,
 Michael





Bug#762079: apt: Hash Sum mismatch while sum checks since security update

2014-09-18 Thread Michael Vogt
On Thu, Sep 18, 2014 at 10:26:41AM +0200, b...@debian.org wrote:
> Package: apt
> Version: 0.9.7.9+deb7u3
> Severity: important

Thanks for your bugreport.

[..] 
> W: Failed to fetch file:/usr/src/debian-repository/local/Packages  Hash Sum
> mismatch
>
> E: Some index files failed to download. They have been ignored, or old ones
> used instead.
[..]
> Interestingly, right after building the local packages, my autobuild
> script issues an 'apt-get update' that completes successfully.  But when
> I issue another 'apt-get update' even one second later I get the above
> behavior.  Regenerating the packages produced the same behavior.
>
>
> But everything checks! What's wrong?

There is a regression in the recent security update that causes
file:/// uris that are on a different partition (or nfs) than the apt
lists dir to misbehave. The fix is committed as
http://anonscm.debian.org/cgit/apt/apt.git/commit/?h=debian/wheezy&id=3fa61cd604da1a4d744cebf3fbb747bf7c80bf91

and we will upload fixed packages shortly. If you could test the fix
that would be much appreciated.

Sorry for the trouble,
 Michael
 
> Cheers!
> Sylvain
>
> -- Package-specific info:
>
> -- apt-config dump --
 

Bug#757438: exposes entire dpkg upgrade log to non-root users

2014-09-11 Thread Michael Vogt
On Fri, Aug 08, 2014 at 03:00:19AM -0400, Joey Hess wrote:
 Package: unattended-upgrades
 Version: 0.79.5
 Severity: normal
 Tags: security

Thanks for your bugreport and sorry for my slow reply.
 
 /var/log/unattended-upgrades/ is readable by all, so when this package is
 run on a multi-user system, non-admin users can trawl the upgrade logs
 for interesting information.
[..]

I totally agree with the concern and fixed the permissions of the dir
to root:adm 0750 (as you suggested) and the dpkg log to root:adm 0640
too. This will be part of my next upload.
 
 Any reason not to make the directory 750 root.adm?

No, fixed.

Do you think this should go out to stable as well? 

Cheers,
 Michael





Bug#759693: unattended-upgrades: please document how to configure the logging options

2014-09-11 Thread Michael Vogt
On Fri, Aug 29, 2014 at 05:21:02PM +0300, Martin-Éric Racine wrote:
 Package: unattended-upgrades
 Version: 0.82.8
 Severity: normal

Thanks for your bugreport.
 
[..]
 While the number of older files kept as unattended-upgrades.log.[1-7].gz and 
 unattended-upgrades-shutdown.log.[1-7].gz remains reasonable, the sheer 
 quantity of dated log files quickly reaches a ridiculous amount. 
 Additionally, keeping gzipped copies of each dated log file seems excessive.
[..]

I changed the code in bzr now so that there is only a single
unattended-upgrades-dpkg.log with date/time headers similar to what
the /var/log/apt/term.log is doing. This will keep the number of logs
as small as for the other two log files. I'm not sure if I should keep
the logs using the date, it would be straightforward to add an option,
so if someone really feels like the individual file format has
advantages I could add it back.

Cheers,
 Michael


 As such, I am wondering whether there are configuration options to perform 
 the following:
 
 1) Output one's choice of clear/gzipped/both logs.
 2) Delete dated logs older than NN months back.
 
 If there are, the options listed in /etc/apt/apt.conf.d/50unattended-upgrades 
 configuration file don't make any mention of this.
 
 Could you please document how this can be configured?
 
 Thanks!
 
 -- System Information:
 Debian Release: jessie/sid
   APT prefers testing
   APT policy: (1001, 'testing'), (1001, 'oldstable')
 Architecture: i386 (i686)
 
 Kernel: Linux 3.14-2-686-pae (SMP w/1 CPU core)
 Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages unattended-upgrades depends on:
 ii  apt                    1.0.6
 ii  apt-utils              1.0.6
 ii  debconf [debconf-2.0]  1.5.53
 ii  init-system-helpers    1.21
 ii  lsb-base               4.1+Debian13
 ii  lsb-release            4.1+Debian13
 ii  python3                3.4.1-1
 ii  python3-apt            0.9.3.8
 ii  ucf                    3.0030
 ii  xz-utils               5.1.1alpha+20120614-2
 
 unattended-upgrades recommends no packages.
 
 Versions of packages unattended-upgrades suggests:
 ii  bsd-mailx  8.1.2-0.20131005cvs-1
 ii  nullmailer [mail-transport-agent]  1:1.13-1
 
 -- debconf information:
 * unattended-upgrades/enable_auto_updates: true





Bug#759264: This change broke proxy support in apt for me

2014-09-11 Thread Michael Vogt
On Wed, Sep 10, 2014 at 05:24:37PM -0400, Lennart Sorensen wrote:
 After this change proxy handling is completely broken for me.
 
 I have this for a config:
 
 Acquire::http::Proxy-Auto-Detect "/usr/local/sbin/getproxy";
 Acquire::http::Proxy::rceng02.eng.lan "DIRECT";
 Acquire::http::Proxy::mirror.eng.lan "DIRECT";
 Acquire::http::Proxy::cache.eng.lan "DIRECT";
 
 With apt 1.0.7 it works perfectly, using direct access to sources on
 the 3 listed hosts and proxy returned by a script for everything else.
 
 With 1.0.8 it now randomly tries to use the proxy for hostnames configured
 to be direct.
 
 I highly suspect this change is the cause of the breakage.

Indeed, sorry for that. I attached a patch that should fix the issue by
not running the auto-detect if the user already has a proxy set for
the given specific host. This seems to be the most sensible option,
autodetect everything that is not set explicitly already in the config.

Cheers,
 Michael
diff --git a/apt-pkg/contrib/proxy.cc b/apt-pkg/contrib/proxy.cc
index b58db84..9750f71 100644
--- a/apt-pkg/contrib/proxy.cc
+++ b/apt-pkg/contrib/proxy.cc
@@ -26,6 +26,10 @@ bool AutoDetectProxy(URI URL)
// we support both http/https debug options
bool Debug = _config-FindB(Debug::Acquire::+URL.Access,false);
 
+   // the user already explicitly set a proxy for this host
+   if(_config-FindS(Acquire::+URL.Access+::proxy::+URL.Host, ) != )
+  return true;
+
// option is Acquire::http::Proxy-Auto-Detect but we allow the old
// name without the dash (-)
std::string AutoDetectProxyCmd = _config-Find(Acquire::+URL.Access+::Proxy-Auto-Detect,
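Review bot: the early return added at the top of AutoDetectProxy() is silent; since Debug is already computed two lines above it, print a message under `if (Debug)` saying that a host-specific proxy entry was found and the auto-detect command is skipped, so that the Debug::Acquire output explains the decision. The patch also carries no test; a case with Proxy-Auto-Detect set together with a per-host DIRECT entry, as in the report, would cover the regression.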


Bug#760666: squid-deb-proxy writes to /var/log/squid3/netdb.state

2014-09-10 Thread Michael Vogt
On Sat, Sep 06, 2014 at 12:45:11PM -0500, Vagrant Cascadian wrote:
 Control: tag -1 patch
 
 On 2014-09-06 12:27:42 -0500, Vagrant Cascadian wrote:
  It seems like it should probably be writing to 
  /var/log/squid-deb-proxy/netdb.state instead.

Thanks a lot for the bugreport and the patch (and sorry for my slow
reply). I merged it into my bzr tree and it will be part of the next
upload.

Cheers,
 Michael
 
 The following patch might fix this:
 
 diff --git a/squid-deb-proxy/squid-deb-proxy.conf 
 b/squid-deb-proxy/squid-deb-proxy.conf
 index 7672e69..5e4b267 100644
 --- a/squid-deb-proxy/squid-deb-proxy.conf
 +++ b/squid-deb-proxy/squid-deb-proxy.conf
 @@ -91,3 +91,11 @@ http_access allow allowed_networks
  
  # And finally deny all other access to this proxy
  http_access deny all
 +
 +#  TAG: netdb_filename
 +#   Where Squid stores it's netdb journal.
 +#   When enabled this journal preserves netdb state between restarts.
 +#
 +#   To disable, enter none.
 +#Default:
 +netdb_filename stdio:/var/log/squid-deb-proxy/netdb.state
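Review bot: the added comment block ends with an empty `#Default:` line and reads "it's netdb journal"; either state the default or drop that line, and use "its". The new path only helps if /var/log/squid-deb-proxy exists and is writable by the proxy's user when squid starts, which is worth confirming against the packaging since the patch does not touch it.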
 
 
 live well,
   vagrant





Bug#283718: no_proxy variable not honored by apt-transport-https

2014-09-09 Thread Michael Vogt
On Tue, Sep 09, 2014 at 04:27:32PM +0200, Raoul Bhatia wrote:
 I'm seeing this issue with correctly working no_proxy settings via
 /etc/environment and/or /root/.bashrc,
 which are correctly working for e.g. w3m but are not honored via
 apt-transport-https.

Thanks for your bugreport.
 
[..]
 apt-get update -o Debug::Acquire::Https=true
 still shows that APT is trying to use the proxy.

Could you please test the attached patch? It seems like the proxy
setting is not properly reset for libcurl.

Cheers,
 Michael
diff --git a/methods/https.cc b/methods/https.cc
index 0499af0..1b3d867 100644
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -132,8 +132,14 @@ void HttpsMethod::SetupProxy()  	/*{{{*/
{
   // Parse no_proxy, a comma (,) separated list of domains we don't want to use
   // a proxy for so we stop right here if it is in the list
-  if (getenv(no_proxy) != 0  CheckDomainList(ServerName.Host,getenv(no_proxy)) == true)
+  if (getenv(no_proxy) != 0 
+  CheckDomainList(ServerName.Host,getenv(no_proxy)) == true)
+  {
+ Proxy = ;
+ curl_easy_setopt(curl, CURLOPT_PROXY, NULL);
+ curl_easy_setopt(curl, CURLOPT_PROXYPORT, 0);
 	 return;
+  }
} else {
   const char* result = getenv(https_proxy);
   // FIXME: Fall back to http_proxy is to remain compatible with
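Review bot: in the new no_proxy branch, `curl_easy_setopt(curl, CURLOPT_PROXY, NULL);` restores libcurl's default, under which libcurl consults the proxy environment variables itself; the documented way to force a direct connection is to pass the empty string, so use "" there. CURLOPT_PROXYPORT takes a long, so the literal in `curl_easy_setopt(curl, CURLOPT_PROXYPORT, 0);` should be 0L. The condition also calls getenv() twice for the same variable; fetch it once into a local.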


Bug#753297: apt list --upgradable gives lot of false positives: possible solution

2014-09-05 Thread Michael Vogt
On Mon, Jul 21, 2014 at 05:52:11PM +0200, Michael Musenbrock wrote:
 Package: apt
 Version: 1.0.6
 Followup-For: Bug #753297

Thanks for your patch!

[..] 
 for me the problem (listing packages as upgradable if they are not) occurs 
 for all
 packages, which have a newer version in an archive with lower APT:Pinning 
 score.
 
 So if I understood the source correctly, the pkgPolicy handles the candidate 
 version
 in respect to the correct pinning.
 The attached patch [1] should do the trick.
[..]

This is fixed in git now and it will be part of the next upload. Your
patch was superhelpful to get to the bottom of the problem, the new
apt binary did not always initialize the depcache/policy in the right
order so that the depcache ended up with the wrong pkgPolicy. This
should be fixed in HEAD and a test was added.

Cheers,
 Michael





Bug#755874: gobject-introspection: [patch] use multi-arch pathes for the .typelib files

2014-09-04 Thread Michael Vogt
On Sun, Aug 24, 2014 at 10:04:43PM +0100, Iain Lane wrote:
 Hi mvo,
Hi Iain,
 
 On Thu, Jul 24, 2014 at 09:05:48AM +0200, Michael Vogt wrote:
  […]
  With this change most packages that ship a gir1.2-* package need a small
  change to their debian/gir1.2-foo.install file:
   - usr/lib/girepository-1.0/* 
   + usr/lib/*/girepository-1.0/*
  Without they will fail to build.
 
 Cool - I'm interested in this change since a package I care about is no
 longer x-buildable due to this problem. Didn't review the patch yet, but
 I will do before uploading.
 
 Since this requires source changes, I made a dd-list of all packages
 which ship files in /usr/lib/girepository-1.0. There are two packages -
 workrave and ibus-anthy - which I think would need splitting because
 they ship typelibs along with programs.
 
 I've got an opportunity at Debconf to spend some time on this. What's
 the best way? Do it in unstable and NMU after an announce/fix period
 because packages will be broken or use experimental and do this more
 gradually with MBF and prodding?

Thanks a lot for your experimental upload! I played with the new
version in a PPA and did a bunch of package updates in my test repo
(ppa:mvo/gir-multiarch). While doing that I noticed that the
dh_girepository needs a small tweak (attached). Without that it fails
for me for json-glib (and probably more, it was just the first failure
I noticed).

The update for the individual packages is mostly a very mechanical process, I
created a script in lp:~mvo/+junk/gir-multiarch that automates the
work. It has a pretty high success rate, some packages need manual
tweaks of course, I put a list into the update.sh for the ones I know
about.

Hope that helps the transition, I'm very excited about it!

Thanks,
 Michael

diff -Nru gobject-introspection-1.41.4/debian/dh_girepository gobject-introspection-1.41.4/debian/dh_girepository
--- gobject-introspection-1.41.4/debian/dh_girepository	2014-08-30 21:40:04.0 +
+++ gobject-introspection-1.41.4/debian/dh_girepository	2014-09-04 09:28:25.0 +
@@ -196,8 +196,8 @@
 }
 if (! $found) {
 addsubstvar ($package, gir:Depends, $deppkg);
-return;
 }
+return;
 }
 }
 error(Could not find $req dependency);
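Review bot: the relocated `return;` after the `if (! $found)` block needs a one-line comment saying that the case where $found is already set is a success and must not fall through to `error(...)`; without it the next reader is likely to move the return back inside the block. A regression test built around json-glib, the package named in the mail, would document the failure this fixes.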


Bug#758615: [patch] more error handling remove global state

2014-09-02 Thread Michael Vogt
On Sun, Aug 31, 2014 at 06:10:36AM +0200, Guillem Jover wrote:
 Hi!
Hello,
 
 On Tue, 2014-08-19 at 11:23:41 +0200, Michael Vogt wrote:
[..]
 Some comments on the points raised in the review, although it's true that
 dpkg itself should only be dealing with “trusted” data, otherwise you are
 going to be happily giving root access away, dpkg-deb does not, so it
 must be picky and suspicious when parsing .deb packages. And for most (if
 not all) of the dpkg .deb parsing code I've either rewritten or at least
 extensively reviewed it by now, that obviously does not mean there will
 be no bugs, but besides code staring, unit tests, functional tests [F],
 code checkers like clang, cppcheck and coverity among others do help. So
 I do trust more the dpkg code than the debsig-verify code. Precisely one
 of the reasons for taking it over was to update its .deb format support,
 including LFS. Of course debsig-verify code should be considered more
 sensitive, because it's not just about inspecting, but about deciding
 to end up giving direct root access to possibly untrusted packages.
[..]

thanks for these comments, that is good to know!
 
 Regarding adoption of debsig-verify, I'm planning to work on updating
 the layout of the signatures, and to properly integrate this into dpkg
 proper. Once I start those discussions, I'll try to make sure to keep you
 and Colin Watson on the loop, as you guys seem to be interested in
 this?

Yes, please keep us in the loop.
 
  Attached are two patches that add some additional error checking.
 
 I'll review and merge those in few days, after I finish up some other
 stuff, thanks!

Thanks, that is much appreciated.

  I also started with the removal of the global state
  (attached as well). However it is not very elegant and I wonder if it would
  make more sense to have a 
  
  struct ds_ctx {
     char *deb;
     FILE *deb_fs;
     char *originID;
  };
  
  that is passed around as the context instead of my current approach.
 
 Ah, yeah, I thought I had started doing something like that already,
 but I cannot find any branch or stashed change, so either I just
 thought about it or I discarded it at the time. Anyway I'll check
 it out in few days.
[..]

Great, looking forward for your feedback. I guess I need to rework the
coding style a bit (based on the previous review I had) but I guess
it's best if I wait for further feedback.

Attached are my remaining patches that add _FILE_OFFSET_BITS 64, add
a README and add a (simple) integration test (with a test origin key).

The test is not using a test framework currently, I'm happy to use
whatever you suggest, shunit2 seems like a good one but I have no
strong preferences either way.

Feedback welcome, and I hope my latest stuff does not contain silly
(debconf jetlag) issues :)

Cheers,
 Michael

From 1a4ee2063424f94f4d481f737870892bcf50e8aa Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Thu, 21 Aug 2014 08:30:22 +0200
Subject: [PATCH 7/9] add _FILE_OFFSET_BITS 64

---
 debsig.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debsig.h b/debsig.h
index ea6edb7..39e78ab 100644
--- a/debsig.h
+++ b/debsig.h
@@ -16,6 +16,7 @@
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see https://www.gnu.org/licenses/.
  */
+#define _FILE_OFFSET_BITS 64
 
 #define DEBSIG_POLICIES_DIR_FMT %sDEBSIG_POLICIES_DIR/%s
 #define DEBSIG_KEYRINGS_FMT %sDEBSIG_KEYRINGS_DIR/%s/%s
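Review bot: `#define _FILE_OFFSET_BITS 64` only has an effect when it is seen before the first system header, and placing it in debsig.h does not guarantee that; the gpg-parse.c hunks elsewhere in this thread show debsig.h included after stdio.h, string.h and sys/types.h. Defining it on the compiler command line (for example through the preprocessor flags in the Makefile) or in a header that every source file includes first would make it apply to all translation units consistently.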
-- 
2.0.0.rc0

From 79318503b0039b4705019e0308544ceee7f24305 Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Thu, 21 Aug 2014 08:36:18 +0200
Subject: [PATCH 8/9] add README

---
 README | 22 ++
 1 file changed, 22 insertions(+)
 create mode 100644 README

diff --git a/README b/README
new file mode 100644
index 000..150a35f
--- /dev/null
+++ b/README
@@ -0,0 +1,22 @@
+= Debian package signature verification tool =
+
+This tool inspects and verifies binary package digital signatures based
+on predetermined policies, complementing repository signatures or allowing
+to verify the authenticity of a package even after download when detached
+from a repository.
+
+== How to build ==
+
+Ensure the build-dependencies are instaleld by running
+```
+$ dpkg-checkbuilddeps debian/control 
+```
+
+then type:
+```
+$ make
+```
+
+== Testing ==
+
+No automatic testsuite yet, manual testing needs to be performed.
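Review bot: "instaleld" in the "How to build" section should be "installed". The file also mixes wiki-style `= heading =` markers with triple-backtick fences; pick one markup so the README renders the same way everywhere.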
-- 
2.0.0.rc0

From df421bdccf43ae520f676c9d1da0ab5788f1e3a0 Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Tue, 2 Sep 2014 09:52:48 +0200
Subject: [PATCH 9/9] add simple integration test

---
 Makefile  |   3 +
 README|   6 +-
 testing/keyrings/FAD46790DE88C7E2/pubring.gpg | Bin 0 - 1245 bytes
 testing/keyrings/FAD46790DE88C7E2/secring.gpg | Bin 0 - 2547 bytes
 testing/policies/FAD46790DE88C7E2/generic.pol |  22 +++
 testing/test_debsig

Bug#759612: apt: apt-cache segfaults when given some options

2014-09-02 Thread Michael Vogt
On Fri, Aug 29, 2014 at 10:45:09AM -0700, Dima Kogan wrote:
 David Kalnischkies da...@kalnischkies.de writes:
[..]
 Hi David. Thank you for looking at this. Looking a bit more deeply, it
 looks like my shell was expanding ^xxx- to a list of all files in the
 local directory, and the cause of the crash was simply too many
 arguments. The following crashes consistently for me:
 
  apt-cache search xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx 
 xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx 
 xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx 
 xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx 
 xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx 
 xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx 
 xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx xxx 
 xxx xxx xxx xxx
 
 There are 133 'xxx' here. This appears to be the threshold. >= 133
 arguments causes a crash.  < 133 arguments works ok. This is admittedly
 more of a corner case, but it still shouldn't crash.

This should be fixed in the git tree now, thanks for the instructions
how to reproduce the bug.

Cheers,
 Michael





Bug#759655: tests fail with proxy

2014-09-02 Thread Michael Vogt
On Fri, Aug 29, 2014 at 09:13:00AM +0200, Martin Pitt wrote:
 Package: apt
 Version: 1.0.4

Thanks for your bugreport.
 
 Hello,
 
 In our CI environment we need to use a proxy to get to most internet
 sites:
 
 http_proxy=http://squid.internal:3128
 https_proxy=http://squid.internal:3128
 no_proxy=localhost,ubuntu.com,launchpad.net
[..]

I changed the run-tests now to run the tests with env -i to ensure
that we start with a clean environment. As a by-product this should
also fix the proxy env pollution.

Thanks!
 Michael





Bug#759264: apt: Please help with PAC support - proxy autoconfiguration files

2014-08-26 Thread Michael Vogt
On Mon, Aug 25, 2014 at 07:17:18PM -0700, Michael Vogt wrote:
  It would be useful to support PAC (proxy autoconfiguration files) with
  apt. Specifically, PAC files are simple javascript files that given a
  URL and HOST output a proxy setting. This can be trivially hooked up
  with Acquire::http::Proxy-Auto-Detect, however Proxy-Auto-Detect is
  called only once, instead of per-host, hence one cannot easily mix
  repositories that require different proxies or proxy only for some
  repositories. Extending Proxy-Auto-Detect to pass host parameter and
  calling that for each host/repository would be beneficial to integrate
  (optionally) pac file support with apt. (Similar to how deb squid proxy
  support is done).
 
 Attached is an (untested) patch that makes the Proxy-Auto-Detect a
 per-host thing. If this looks vaguely like what you need we need to
 add a testcase before it can go in.

Looks like I forgot to attach the patch. I attach it now, Raphael
Geissert pointed out that by using command proxy from the
libproxy-tools package your use-case should be solved.

Along the way I added the auto-detect to https as well. If you could
give it a test-run, that would be awesome.

Cheers,
 Michael

diff --git a/apt-pkg/contrib/proxy.cc b/apt-pkg/contrib/proxy.cc
index b68a053..d1f8274 100644
--- a/apt-pkg/contrib/proxy.cc
+++ b/apt-pkg/contrib/proxy.cc
@@ -1,9 +1,18 @@
+#includeapt-pkg/configuration.h
+#includeapt-pkg/error.h
+#includeapt-pkg/fileutl.h
+
+#includeiostream
+#include unistd.h
+
 #include proxy.h
 
+
+
 // AutoDetectProxy - auto detect proxy			/*{{{*/
 // -
 /* */
-bool AutoDetectProxy(const URI URL)
+bool AutoDetectProxy(URI URL)
 {
bool Debug = _config-FindB(Debug::Acquire::http,false);
// option is Acquire::http::Proxy-Auto-Detect but we allow the old
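Review bot: the context line `bool Debug = _config-FindB(Debug::Acquire::http,false);` keeps the debug switch tied to http although AutoDetectProxy() now takes the URL and, per the mail, is meant to serve https as well; derive the option name from the URL's access method so https runs can be debugged too. The two empty lines added after `#include proxy.h` are noise and can go.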
@@ -15,7 +24,7 @@ bool AutoDetectProxy(const URI URL)
   return true;
 
if (Debug)
-  clog  Using auto proxy detect command:   AutoDetectProxyCmd  endl;
+  std::clog  Using auto proxy detect command:   AutoDetectProxyCmd  std::endl;
 
int Pipes[2] = {-1,-1};
if (pipe(Pipes) != 0)
@@ -30,10 +39,10 @@ bool AutoDetectProxy(const URI URL)
 
   const char *Args[4];
   Args[0] = AutoDetectProxyCmd.c_str();
-  Args[1] = URL.c_str();
+  Args[1] = string(URL).c_str();
   Args[2] = 0;
   execv(Args[0],(char **)Args);
-  cerr  Failed to exec method   Args[0]  endl;
+  std::cerr  Failed to exec method   Args[0]  std::endl;
   _exit(100);
}
char buf[512];
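Review bot: `Args[1] = string(URL).c_str();` stores a pointer into a temporary std::string that is destroyed at the end of that statement, so execv() is handed a dangling pointer. Keep the converted string in a named local declared before Args is filled and take c_str() from that. Args is also declared with four slots while only three are used.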
@@ -51,7 +60,7 @@ bool AutoDetectProxy(const URI URL)
buf[res] = 0;
 
if (Debug)
-  clog  auto detect command returned: '  buf  '  endl;
+  std::clog  auto detect command returned: '  buf  '  std::endl;
 
URI Tmp(URL);
if (strstr(buf, http://;) == buf)
diff --git a/apt-pkg/contrib/proxy.h b/apt-pkg/contrib/proxy.h
index b7ebf61..be31791 100644
--- a/apt-pkg/contrib/proxy.h
+++ b/apt-pkg/contrib/proxy.h
@@ -11,7 +11,7 @@
 
 #include apt-pkg/strutl.h
 
-bool AutoDetectProxy(const URI URL);
+bool AutoDetectProxy(URI URL);
 
 
 #endif
diff --git a/methods/http.cc b/methods/http.cc
index 7c7949e..06325e9 100644
--- a/methods/http.cc
+++ b/methods/http.cc
@@ -34,6 +34,7 @@
 #include apt-pkg/hashes.h
 #include apt-pkg/netrc.h
 #include apt-pkg/strutl.h
+#include apt-pkg/proxy.h
 
 #include stddef.h
 #include stdlib.h
@@ -51,6 +52,7 @@
 #include connect.h
 #include http.h
 
+
 #include apti18n.h
 	/*}}}*/
 using namespace std;
@@ -60,6 +62,7 @@ unsigned long long CircleBuf::BwTickReadData=0;
 struct timeval CircleBuf::BwReadTick={0,0};
 const unsigned int CircleBuf::BW_HZ=10;
 
+
 // CircleBuf::CircleBuf - Circular input buffer/*{{{*/
 // -
 /* */
@@ -304,8 +307,10 @@ bool HttpServerState::Open()
Persistent = true;

// Determine the proxy setting
+   AutoDetectProxy(ServerName);
+
string SpecificProxy = _config-Find(Acquire::http::Proxy:: + ServerName.Host);
-   if (!SpecificProxy.empty())
+   if (SpecificProxy != )
{
 	   if (SpecificProxy == DIRECT)
 		   Proxy = ;
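Review bot: `AutoDetectProxy(ServerName);` runs before the host-specific `Acquire::http::Proxy::` lookup and its bool result is discarded, so the helper command is executed even for hosts that already have an explicit entry such as DIRECT, and a failure goes unreported. Call it only when no host-specific value is set, and check the return value. Replacing `!SpecificProxy.empty()` with a comparison against an empty literal is a step back in readability; keep empty().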
@@ -762,66 +767,6 @@ bool HttpMethod::Configuration(string Message)
   PipelineDepth);
Debug = _config-FindB(Debug::Acquire::http,false);
 
-   // Get the proxy to use
-   AutoDetectProxy();
-
-   return true;
-}
-	/*}}}*/
-// HttpMethod::AutoDetectProxy - auto detect proxy			/*{{{*/
-// -
-/* */
-bool HttpMethod::AutoDetectProxy()
-{
-   // option is Acquire::http::Proxy-Auto-Detect but we allow the old
-   // name without the dash (-)
-   AutoDetectProxyCmd = _config-Find(Acquire::http::Proxy-Auto-Detect,
-  _config-Find(Acquire::http::ProxyAutoDetect));
-
-   if (AutoDetectProxyCmd.empty())
-  return true;
-
-   if (Debug)
-  clog  Using auto proxy detect command

Bug#759264: apt: Please help with PAC support - proxy autoconfiguration files

2014-08-25 Thread Michael Vogt
On Mon, Aug 25, 2014 at 06:18:22PM +0100, Dimitri John Ledkov wrote:
 Package: apt
 Version: 1.0.4ubuntu6
 Severity: wishlist

Thanks for your bugreport.
 
 It would be useful to support PAC (proxy autoconfiguration files) with
 apt. Specifically, PAC files are simple javascript files that given a
 URL and HOST output a proxy setting. This can be trivially hooked up
 with Acquire::http::Proxy-Auto-Detect, however Proxy-Auto-Detect is
 called only once, instead of per-host, hence one cannot easily mix
 repositories that require different proxies or proxy only for some
 repositories. Extending Proxy-Auto-Detect to pass host parameter and
 calling that for each host/repository would be beneficial to integrate
 (optionally) pac file support with apt. (Similar to how deb squid proxy
 support is done).

Attached is an (untested) patch that makes the Proxy-Auto-Detect a
per-host thing. If this looks vaguely like what you need we need to
add a testcase before it can go in.

Cheers,
 Michael





Bug#758826: [patch] fix if $HOME is not writable

2014-08-22 Thread Michael Vogt
On Fri, Aug 22, 2014 at 05:12:53PM +0200, Guillem Jover wrote:
 Hi!
Hi,
 
 On Thu, 2014-08-21 at 21:12:20 +0200, Michael Vogt wrote:
  Package: debsig-verify
  Version: 0.10
 
  I ran into an issue today that debsig-verify would fail if $HOME was
  not writable to the debsig-verify process. The reason is that gpg
  tries to create/read a ~/.gnupg/{pubring,secring}.gpg.
  
  Attached is a patch that runs gpg with its own GNUPGHOME instead of the
  user's.
 
 Ah, makes sense, given that the gpg invoked is not using any default
 options nor default keyrings. It should also have a more predictable
 behavior. Thanks for the patch!
[..]

Thanks a lot for your thorough review of the patch. I addressed your
point and attached a new version. Review welcome!

Please let me know if I went overboard with the free()/unset
gpg_tempdir in cleanup_gpg_tmpdir(). I understand this is not needed
given that it's the exit handler, but I was thinking that this code
might be used in a different context at some point. But then it may
well be an instance of YAGNI. Just let me know and I'm happy to remove
it again.


Thanks!
 Michael
 
From a2e6c4e797e46ae2d5b7af11bda4e98c1a67d276 Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Fri, 22 Aug 2014 18:08:47 +0200
Subject: [PATCH] run gpg with its own temporary GNUPGHOME directory

---
 gpg-parse.c | 32 ++--
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/gpg-parse.c b/gpg-parse.c
index bae2181..df59a3b 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -21,6 +21,9 @@
  * routines to parse gpg output
  */
 
+#include dpkg/path.h
+
+#include errno.h
 #include stdio.h
 #include string.h
 #include sys/types.h
@@ -32,16 +35,33 @@
 #include debsig.h
 
 static int gpg_inited = 0;
+static char *gpg_tmpdir;
+
+static void
+cleanup_gpg_tmpdir(void)
+{
+   execlp(rm, rm, -rf, gpg_tmpdir, NULL);
+   free(gpg_tmpdir);
+   gpg_tmpdir = NULL;
+}
 
-/* Crazy damn hack to make sure gpg has created ~/.gnupg, else it will
- * fail first time called */
-static void gpg_init(void) {
+/* Ensure that gpg has a writable HOME to put its keyrings */
+static void
+gpg_init(void)
+{
 int rc;
 
 if (gpg_inited) return;
-rc = system(GPG_PROG --options /dev/null  /dev/null  /dev/null 21);
-if (rc  0)
-ds_fail_printf(DS_FAIL_INTERNAL, error writing initializing gpg);
+
+gpg_tmpdir = mkdtemp(path_make_temp_template(debsig-verify));
+if(!gpg_tmpdir)
+   ds_fail_printf(DS_FAIL_INTERNAL, Cannot create temporary directory '%s', gpg_tmpdir);
+rc = setenv(GNUPGHOME, gpg_tmpdir, 1);
+if(rc  0)
+   ds_fail_printf(DS_FAIL_INTERNAL, Can not set environment GNUPGHOME to '%s' (%s), gpg_tmpdir, strerror(errno));
+rc = atexit(cleanup_gpg_tmpdir);
+if(rc != 0)
+   ds_fail_printf(DS_FAIL_INTERNAL, Can not set atexit cleanup handler);
 gpg_inited = 1;
 }
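Review bot: cleanup_gpg_tmpdir() calls execlp() without forking, so the free() and NULL assignment after it are reached only when the exec fails, and on success the process ends with rm's exit status; execlp() also resolves rm through PATH, where the earlier diff in this thread used /bin/rm. In gpg_init() the mkdtemp() failure branch prints gpg_tmpdir, which is NULL at that point, so keep the template in its own variable for the message and for freeing it.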
 
-- 
2.0.0.rc0



Bug#758826: updated patch

2014-08-22 Thread Michael Vogt
Hi,

the previous patch has a really silly error, sorry for that. The
fork() in the atexit() handler is missing :(

Attached an updated version. I will try to write a very basic test ASAP
to avoid this kind of mistake.

Sorry,
 Michael
From 9f327ecc7abae8234029a57bc9bfc28c7aee962f Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Fri, 22 Aug 2014 18:08:47 +0200
Subject: [PATCH] run gpg with its own temporary GNUPGHOME directory

---
 gpg-parse.c | 39 +--
 1 file changed, 33 insertions(+), 6 deletions(-)

diff --git a/gpg-parse.c b/gpg-parse.c
index bae2181..6d5d66e 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -21,6 +21,9 @@
  * routines to parse gpg output
  */
 
+#include dpkg/path.h
+
+#include errno.h
 #include stdio.h
 #include string.h
 #include sys/types.h
@@ -32,16 +35,40 @@
 #include debsig.h
 
 static int gpg_inited = 0;
+static char *gpg_tmpdir;
+
+static void
+cleanup_gpg_tmpdir(void)
+{
+   pid_t pid = fork();
+   if (pid  0)
+  ds_fail_printf(DS_FAIL_INTERNAL, Cleanup failed to fork() (%s),
+ strerror(errno));
+   if (pid == 0)
+  execlp(rm, rm, -rf, gpg_tmpdir, NULL);
+   waitpid(pid, NULL, 0);
+
+   free(gpg_tmpdir);
+   gpg_tmpdir = NULL;
+}
 
-/* Crazy damn hack to make sure gpg has created ~/.gnupg, else it will
- * fail first time called */
-static void gpg_init(void) {
+/* Ensure that gpg has a writable HOME to put its keyrings */
+static void
+gpg_init(void)
+{
 int rc;
 
 if (gpg_inited) return;
-rc = system(GPG_PROG --options /dev/null  /dev/null  /dev/null 21);
-if (rc  0)
-ds_fail_printf(DS_FAIL_INTERNAL, error writing initializing gpg);
+
+gpg_tmpdir = mkdtemp(path_make_temp_template(debsig-verify));
+if(!gpg_tmpdir)
+   ds_fail_printf(DS_FAIL_INTERNAL, Cannot create temporary directory '%s', gpg_tmpdir);
+rc = setenv(GNUPGHOME, gpg_tmpdir, 1);
+if(rc  0)
+   ds_fail_printf(DS_FAIL_INTERNAL, Can not set environment GNUPGHOME to '%s' (%s), gpg_tmpdir, strerror(errno));
+rc = atexit(cleanup_gpg_tmpdir);
+if(rc != 0)
+   ds_fail_printf(DS_FAIL_INTERNAL, Can not set atexit cleanup handler);
 gpg_inited = 1;
 }
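
Review bot: in cleanup_gpg_tmpdir() the child has no exit path when execlp() fails: it falls through to waitpid() and free(), returns from the handler and finishes exit processing as a second copy of debsig-verify. Add _exit(127) directly after the execlp() call. In the same function, ds_fail_printf() is called from inside an atexit handler when fork() fails; if that helper terminates the process, calling exit() again during exit processing is undefined behaviour, so print a warning and return instead. Without that return, waitpid() is reached with pid set to -1 and waits for any child. In gpg_init(), the mkdtemp() failure message prints gpg_tmpdir, which is NULL on that branch; keep the pointer returned by path_make_temp_template() in a local so the message can show the template and the buffer can be freed.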
 
-- 
2.0.0.rc0
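
The fix described in this message, forking inside the atexit() handler so that rm runs in a child, written out as a stand-alone added example; it is not code from debsig-verify or from the patches in this thread. The function names and the debsig-example prefix are made up for the illustration, and child_status_after_cleanup() exists only to show that the exit status survives the cleanup.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static char *private_home;  /* mkdtemp() result, owned by this process */
static pid_t owner_pid;     /* only the creating process may remove it */

/* Remove a directory tree in a child so the calling process keeps running. */
static int remove_tree(const char *dir)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("rm", "rm", "-rf", "--", dir, (char *)NULL);
        _exit(127);         /* exec failed: never fall back into the caller */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* atexit handler: best effort, never calls exit(), leaves the status alone. */
static void cleanup_private_home(void)
{
    if (private_home == NULL || getpid() != owner_pid)
        return;             /* a forked copy must not delete the parent's dir */
    (void)remove_tree(private_home);
    free(private_home);
    private_home = NULL;
}

/* Create a private directory, export it as GNUPGHOME and register cleanup.
 * Returns the path, or NULL on failure. */
const char *setup_private_gnupghome(void)
{
    const char *base = getenv("TMPDIR");
    size_t n;
    char *tmpl;
    if (private_home != NULL && getpid() == owner_pid)
        return private_home;
    if (base == NULL || base[0] != '/')
        base = "/tmp";
    n = strlen(base) + sizeof("/debsig-example.XXXXXX");
    if ((tmpl = malloc(n)) == NULL)
        return NULL;
    snprintf(tmpl, n, "%s/debsig-example.XXXXXX", base);
    if (mkdtemp(tmpl) == NULL) {        /* creates the directory with mode 0700 */
        free(tmpl);
        return NULL;
    }
    if (setenv("GNUPGHOME", tmpl, 1) != 0 || atexit(cleanup_private_home) != 0) {
        rmdir(tmpl);
        free(tmpl);
        return NULL;
    }
    private_home = tmpl;
    owner_pid = getpid();
    return private_home;
}

/* Demonstration: a child sets up the directory and exits with `code`.
 * Returns the status the parent sees; *left_behind is 1 if the dir survived. */
int child_status_after_cleanup(int code, int *left_behind)
{
    char path[4096];
    int fds[2], status;
    ssize_t n;
    pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        const char *home = setup_private_gnupghome();
        if (home == NULL || write(fds[1], home, strlen(home)) < 0)
            _exit(125);
        close(fds[1]);
        exit(code);         /* runs cleanup_private_home() */
    }
    close(fds[1]);
    n = read(fds[0], path, sizeof(path) - 1);
    close(fds[0]);
    path[n > 0 ? n : 0] = '\0';
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    *left_behind = (n > 0 && access(path, F_OK) == 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int left = 0, status = child_status_after_cleanup(3, &left);
    printf("child exit status %d, directory left behind: %d\n", status, left);
    return (status == 3 && left == 0) ? 0 : 1;
}
```

With execl() called directly from the handler, as in the first version of the patch, the parent in this demonstration would see rm's exit status and not 3.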



Bug#758826: [patch] fix if $HOME is not writable

2014-08-21 Thread Michael Vogt
Package: debsig-verify
Version: 0.10

Hi,

I ran into an issue today that debsig-verify would fail if $HOME was
not writable to the debsig-verify process. The reason is that gpg
tries to create/read a ~/.gnupg/{pubring,secring}.gpg.

Attached is a patch that runs gpg with its own GNUPGHOME instead of the
user's.

Feedback welcome!

Thanks,
 Michael
diff -Nru debsig-verify-0.10/gpg-parse.c debsig-verify-0.10ubuntu1/gpg-parse.c
--- debsig-verify-0.10/gpg-parse.c	2014-06-07 22:17:34.0 +0200
+++ debsig-verify-0.10ubuntu1/gpg-parse.c	2014-08-21 20:59:04.0 +0200
@@ -32,16 +32,28 @@
 #include debsig.h
 
 static int gpg_inited = 0;
+static char gpg_tmpdir[256] = {0,};
 
-/* Crazy damn hack to make sure gpg has created ~/.gnupg, else it will
- * fail first time called */
+/* Crazy damn hack to make sure gpg has a writable HOME to put its 
+   trustdb and secret keyring etc */
+static void cleanup_gpg_tmpdir(void) {
+   execl(/bin/rm, rm, -rf, gpg_tmpdir, NULL);
+}
 static void gpg_init(void) {
 int rc;
 
-if (gpg_inited) return;
-rc = system(GPG_PROG --options /dev/null  /dev/null  /dev/null 21);
-if (rc  0)
-ds_fail_printf(DS_FAIL_INTERNAL, error writing initializing gpg);
+if (gpg_inited)
+   return;
+
+char *tmpdir = getenv(TMPDIR);
+if(!tmpdir)
+   tmpdir = /tmp;
+snprintf(gpg_tmpdir, sizeof(gpg_tmpdir) -1, 
+ %s/%s, tmpdir, debsig-verify.XX);
+if(!mkdtemp(gpg_tmpdir))
+   ds_fail_printf(DS_FAIL_INTERNAL, mkdtemp() failed for '%s', gpg_tmpdir);
+setenv(GNUPGHOME, gpg_tmpdir, 1);
+atexit(cleanup_gpg_tmpdir);
 gpg_inited = 1;
 }
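
Review bot: cleanup_gpg_tmpdir() calls execl() directly from the atexit handler, so the debsig-verify process image is replaced by rm during exit and the caller receives rm's exit status in place of the verification result. For a tool whose exit code is the verdict, that can turn a failed verification into status 0; the removal has to run in a forked child that the parent waits for. Further down in gpg_init(), the return values of setenv() and atexit() are ignored, and the snprintf() into the fixed 256-byte gpg_tmpdir silently truncates a long TMPDIR, which leaves mkdtemp() with a template that no longer ends in its X placeholder. Check the snprintf() result against the buffer size and fail with a clear message.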
 


Bug#758615: new patch

2014-08-20 Thread Michael Vogt
Hi,

attached my attempt to make my previous patches a bit nicer, it
applies on top of the previous set and adds a struct debsig_ctx to
avoid passing three args (originID, deb, deb_fs) to the functions. 

As always, feedback welcome :)

Thanks,
 Michael
From 6db400f2d938dc967e657d29e483420636d5080d Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Wed, 20 Aug 2014 14:13:29 +0200
Subject: [PATCH]  use new struct debsig_ctx instead of a global state

---
 Makefile|  4 +--
 ar-parse.c  | 20 +++---
 debsig-verify.c | 82 ++---
 debsig.h| 15 ---
 gpg-parse.c | 16 +--
 misc.c  |  4 +--
 6 files changed, 71 insertions(+), 70 deletions(-)

diff --git a/Makefile b/Makefile
index 2dc0256..6a72b72 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 CC = gcc
-CFLAGS = -Wall -Wextra -g -O2
+DS_CFLAGS = -Wall -Wextra -g3 -O2
 
 #TESTING=1
 
@@ -31,7 +31,7 @@ MANPAGES = debsig-verify.1
 all: $(PROGRAM) $(MANPAGES)
 
 $(PROGRAM): $(OBJS)
-	$(CC) $(MK_CFLAGS) $(CFLAGS) $(OBJS) $(MK_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(MK_CFLAGS) $(DS_CFLAGS) $(OBJS) $(MK_LDFLAGS) $(LDFLAGS) -o $@
 
 install: all
 	install -d -m755 $(DESTDIR)/usr/bin
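
Review bot: the link rule now passes $(DS_CFLAGS) and no longer $(CFLAGS), so flags supplied by the caller or by the packaging (hardening options injected through CFLAGS, for example) stop reaching this command. Keep $(CFLAGS) on the line and add the project's defaults alongside it, e.g. $(MK_CFLAGS) $(DS_CFLAGS) $(CFLAGS). The rename and the switch from -g to -g3 are also unrelated to introducing struct debsig_ctx and would be easier to review as a separate commit.
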
diff --git a/ar-parse.c b/ar-parse.c
index 5ff558a..8138e55 100644
--- a/ar-parse.c
+++ b/ar-parse.c
@@ -39,7 +39,7 @@
  * nothing important is going to be zero length anyway, so we treat it as
  * non-existant.  */
 off_t
-findMember(const char *deb, const char *name, FILE *deb_fs)
+findMember(const struct debsig_ctx *ds_ctx, const char *name)
 {
 char magic[SARMAG+1];
 struct ar_hdr arh;
@@ -53,12 +53,14 @@ findMember(const char *deb, const char *name, FILE *deb_fs)
 }
 
 /* This shouldn't happen, but... */
-if (deb_fs == NULL)
+if (ds_ctx == NULL)
+	ds_fail_printf(DS_FAIL_INTERNAL, findMember: called while ds_ctx == NULL);
+if (ds_ctx-deb_fs == NULL)
 	ds_fail_printf(DS_FAIL_INTERNAL, findMember: called while deb_fs == NULL);
 
-rewind(deb_fs);
+rewind(ds_ctx-deb_fs);
 
-if (!fgets(magic,sizeof(magic),deb_fs))
+if (!fgets(magic,sizeof(magic), ds_ctx-deb_fs))
 	ds_fail_printf(DS_FAIL_INTERNAL, findMember: failure to read package (%s),
 		  strerror(errno));
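
Review bot: the NULL checks added at the top of this hunk cover ds_ctx and ds_ctx->deb_fs but not ds_ctx->deb, which a later hunk of findMember() hands to dpkg_ar_member_get_size(). Add the same check for the deb member, or document in debsig.h that a context is only valid once all three members are set.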
 
@@ -68,9 +70,9 @@ findMember(const char *deb, const char *name, FILE *deb_fs)
 	return 0;
 }
 
-while(!feof(deb_fs)) {
-	if (fread(arh, 1, sizeof(arh),deb_fs) != sizeof(arh)) {
-	if (ferror(deb_fs))
+while(!feof(ds_ctx-deb_fs)) {
+	if (fread(arh, 1, sizeof(arh), ds_ctx-deb_fs) != sizeof(arh)) {
+	if (ferror(ds_ctx-deb_fs))
 		ds_fail_printf(DS_FAIL_INTERNAL, findMember: error while parsing archive header (%s),
 			  strerror(errno));
 	return 0;
@@ -80,7 +82,7 @@ findMember(const char *deb, const char *name, FILE *deb_fs)
 	ds_fail_printf(DS_FAIL_INTERNAL, findMember: archive appears to be corrupt, fmag incorrect);
 
 	dpkg_ar_normalize_name(arh);
-	mem_len = dpkg_ar_member_get_size(deb, arh);
+	mem_len = dpkg_ar_member_get_size(ds_ctx-deb, arh);
 
 	/*
 	 * If all looks well, then we return the length of the member, and
@@ -97,7 +99,7 @@ findMember(const char *deb, const char *name, FILE *deb_fs)
 	return mem_len;
 
 	/* fseek to the start of the next member, and try again */
-	if (fseek(deb_fs, mem_len + (mem_len  1), SEEK_CUR) == -1  ferror(deb_fs))
+	if (fseek(ds_ctx-deb_fs, mem_len + (mem_len  1), SEEK_CUR) == -1  ferror(ds_ctx-deb_fs))
 	ds_fail_printf(DS_FAIL_INTERNAL,
 			   findMember: error during file seek (%s), strerror(errno));
 }
diff --git a/debsig-verify.c b/debsig-verify.c
index 069cc7c..f5042a2 100644
--- a/debsig-verify.c
+++ b/debsig-verify.c
@@ -41,7 +41,7 @@ char *ver_magic_member = debian-binary;
 char *ver_ctrl_members[] = { CTAR(), CTAR(.gz), CTAR(.xz), 0 };
 char *ver_data_members[] = { DTAR(), DTAR(.gz), DTAR(.xz), DTAR(.bz2), DTAR(.lzma), 0 };
 
-static int checkSelRules(const char *originID, struct group *grp, const char *deb, FILE *deb_fs) {
+static int checkSelRules(struct debsig_ctx *ds_ctx, struct group *grp) {
 int opt_count = 0;
 struct match *mtc;
 int len;
@@ -53,8 +53,8 @@ static int checkSelRules(const char *originID, struct group *grp, const char *de
 /* If we have an ID for this match, check to make sure it exists, and
  * matches the signature we are about to check.  */
 if (mtc-id) {
-char *m_id = getKeyID(originID, mtc);
-char *d_id = getSigKeyID(deb, mtc-name);
+char *m_id = getKeyID(ds_ctx-originID, mtc);
+char *d_id = getSigKeyID(ds_ctx, mtc-name);
 if (m_id == NULL || d_id == NULL || strcmp(m_id, d_id))
 return 0;
 }
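
Review bot: the two replacement calls in this hunk use the context differently: getKeyID() is handed ds_ctx->originID while getSigKeyID() is handed ds_ctx itself. Passing ds_ctx to both keeps the helpers uniform and avoids a second signature change later. Also, findMember() in ar-parse.c takes a const struct debsig_ctx * while checkSelRules() takes a non-const pointer; if checkSelRules() does not modify the context, declare it const as well.
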
@@ -64,7 +64,7 @@ static int checkSelRules(const char *originID, struct group *grp, const char *de
 	 * specified, don't we?
 	 */
 
-len = checkSigExist(deb, mtc-name, deb_fs);
+len = checkSigExist(ds_ctx, mtc-name

Bug#758525: Acknowledgement ([patch] Please allow a alternative policy directory)

2014-08-19 Thread Michael Vogt
My previous patch contained a missing instance of DEBSIG_KEYRINGS_FMT,
I'm sorry for that. Attached is an updated version.
From f2e7429cbc583d878f369498984729c7dc67126b Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Mon, 18 Aug 2014 15:55:41 +0200
Subject: [PATCH] Add a new --rootdir commandline option to allow a different
 rootdir

This option allows to verify against an alternative policy location.
Useful for testing or verification as non-root user.
---
 debian/changelog |  6 ++
 debsig-verify.c  | 13 ++---
 debsig.h |  5 +++--
 gpg-parse.c  |  4 ++--
 4 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 8967e8d..2d5aca1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+debsig-verify (0.10.1) UNRELEASED; urgency=low
+
+  * add --rootdir option to use a alternative root directory
+
+ -- Michael Vogt michael.v...@ubuntu.com  Mon, 18 Aug 2014 15:41:53 +0200
+
 debsig-verify (0.10) unstable; urgency=low
 
   * Add exit status codes to the man page.
diff --git a/debsig-verify.c b/debsig-verify.c
index a09f534..4319caf 100644
--- a/debsig-verify.c
+++ b/debsig-verify.c
@@ -34,6 +34,7 @@
 #include debsig.h
 
 char originID[2048];
+char *rootdir = ;
 
 char *deb = NULL;
 FILE *deb_fs = NULL;
@@ -286,7 +287,8 @@ Usage: %s [ options ] deb\n\n\
'Selection' block of the policies only.\n\
--use-policy name Used in conjunction with the above\n\
option. This allows you to specify the\n\
-   short name of the policy you wish to try.\n,
+   short name of the policy you wish to try.\n\
+   --rootdir dir Use a alternative root directory for policy lookup\n,
 	dpkg_get_progname());
 exit(1);
 }
@@ -347,6 +349,12 @@ int main(int argc, char *argv[]) {
 		ds_printf(DS_LEV_ERR, --use-policy requires an argument);
 		outputUsage();
 	}
+	} else if (!strcmp(argv[i], --rootdir)) {
+	rootdir = argv[++i];
+	if (i == argc || rootdir[0] == '-') {
+		ds_printf(DS_LEV_ERR, --rootdir requires an argument);
+		outputUsage();
+	}
 	} else
 	outputUsage();
 }
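
Review bot: --rootdir is accepted here with no check on the value beyond a leading '-', and it decides where both the policies and the keyrings are read from, so whoever controls this argument controls the trust anchors used for verification. State that in the usage text and the man page, and consider requiring an absolute path that exists (stat() it here) so that a typo fails at option parsing rather than at opendir(). The format macros place the value directly in front of the policy directory, so also say whether a trailing slash is expected.
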
@@ -371,8 +379,7 @@ int main(int argc, char *argv[]) {
 strncpy(originID, tmpID, sizeof(originID));
 
 /* Now we have an ID, let's check the policy to use */
-
-snprintf(buf, sizeof(buf) - 1, DEBSIG_POLICIES_DIR_FMT, originID);
+snprintf(buf, sizeof(buf) - 1, DEBSIG_POLICIES_DIR_FMT, rootdir, originID);
 if ((pd = opendir(buf)) == NULL)
 	ds_fail_printf(DS_FAIL_UNKNOWN_ORIGIN,
 		   Could not open Origin dir %s: %s\n, buf, strerror(errno));
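
Review bot: the snprintf() result is ignored on the changed line, and with a caller-supplied rootdir the path can now exceed buf and be truncated silently, so opendir() would be attempted on a different directory than the one requested. Compare the return value with sizeof(buf) and fail with an explicit error when the path does not fit.
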
diff --git a/debsig.h b/debsig.h
index 3c492b0..1b81681 100644
--- a/debsig.h
+++ b/debsig.h
@@ -17,8 +17,8 @@
  * along with this program.  If not, see https://www.gnu.org/licenses/.
  */
 
-#define DEBSIG_POLICIES_DIR_FMT DEBSIG_POLICIES_DIR/%s
-#define DEBSIG_KEYRINGS_FMT DEBSIG_KEYRINGS_DIR/%s/%s
+#define DEBSIG_POLICIES_DIR_FMT %sDEBSIG_POLICIES_DIR/%s
+#define DEBSIG_KEYRINGS_FMT %sDEBSIG_KEYRINGS_DIR/%s/%s
 
 #define GPG_PROG /usr/bin/gpg
 
@@ -93,3 +93,4 @@ extern int ds_debug_level;
 extern FILE *deb_fs;
 extern char *deb;
 extern char originID[];
+extern char *rootdir;
diff --git a/gpg-parse.c b/gpg-parse.c
index bae2181..ab450af 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -56,7 +56,7 @@ char *getKeyID (const struct match *mtc) {
 gpg_init();
 
 snprintf(buf, sizeof(buf) - 1, GPG_PROG GPG_ARGS_FMT --list-packets -q DEBSIG_KEYRINGS_FMT,
-	 GPG_ARGS, originID, mtc-file);
+	 GPG_ARGS, rootdir, originID, mtc-file);
 
 if ((ds = popen(buf, r)) == NULL) {
 	perror(gpg);
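
Review bot: rootdir comes from the command line and is formatted into the string that popen() hands to the shell in the next statement, so whitespace or shell metacharacters in the directory name change the command that runs. Build an argument vector and run gpg with fork() and an exec call instead of popen(), or at least reject values containing characters outside a safe set before formatting. The snprintf() return value should be checked here too, since a long rootdir truncates the keyring path.
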
@@ -180,7 +180,7 @@ int gpgVerify(const char *data, struct match *mtc, const char *sig) {
 
 gpg_init();
 
-snprintf(keyring, sizeof(keyring) - 1, DEBSIG_KEYRINGS_FMT, originID, mtc-file);
+snprintf(keyring, sizeof(keyring) - 1, DEBSIG_KEYRINGS_FMT, rootdir, originID, mtc-file);
 if (stat(keyring, st)) {
 	ds_printf(DS_LEV_DEBUG, gpgVerify: could not stat %s, keyring);
 	return 0;
-- 
2.0.0.rc0



Bug#758615: [patch] more error handling remove global state

2014-08-19 Thread Michael Vogt
Package: debsig-verify
Version: 0.10

Hello,

because we want to use debsig-verify as part of the click project I
asked the Ubuntu security team for a quick code review [1]. There were
some issues raised, notably that some error checks are missing and
the use of global state.

Attached are two patches that add some additional error checking.

I also started with the removal of the global state
(attached as well). However it is not very elegant and I wonder if it would
make more sense to have a 

struct ds_ctx {
   char *deb;
   FILE *deb_fs;
   char *originID;
};

that is passed around as the context instead of my current approach.

And please let me know if you prefer a different workflow for (many)
patches like this, I can also publish my git branch somewhere if that
is easier for you.

Feedback/review welcome!

Thanks,
 Michael


[1] https://bugs.launchpad.net/ubuntu/+source/debsig-verify/+bug/1358272/comments/2
From 8b89723dc6618d2718b4fa83d01c5df03ac83fca Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Tue, 19 Aug 2014 10:09:24 +0200
Subject: [PATCH 1/5] add error checking on fork()

---
 gpg-parse.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/gpg-parse.c b/gpg-parse.c
index ab450af..14a9175 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -20,7 +20,7 @@
 /*
  * routines to parse gpg output
  */
-
+#include errno.h
 #include stdio.h
 #include string.h
 #include sys/types.h
@@ -120,7 +120,10 @@ char *getSigKeyID (const char *deb, const char *type) {
 	 (ds_write = fdopen(pwrite[1], w)) == NULL)
 	ds_fail_printf(DS_FAIL_INTERNAL, error opening file stream for gpg);
 
-if (!(pid = fork())) {
+pid = fork();
+if(pid  0)
+   ds_fail_printf(DS_FAIL_INTERNAL, failed to fork (errno %s), strerror(errno));
+if (pid == 0) {
 	/* Here we go */
 	dup2(pread[1],1); close(pread[0]); close(pread[1]);
 	dup2(pwrite[0],0); close(pwrite[0]); close(pwrite[1]);
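
Review bot: the failure message in this hunk reads "failed to fork (errno %s)" while the same check added to gpgVerify() reads "failed to fork (%s)"; the argument is strerror(errno), so drop the word errno and prefix the function name, as the getSigKeyID message added in patch 2/5 does. The include added in the first hunk also replaces the blank line after the header comment; keep that separator.
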
@@ -186,7 +189,10 @@ int gpgVerify(const char *data, struct match *mtc, const char *sig) {
 	return 0;
 }
 
-if (!(pid = fork())) {
+pid = fork();
+if(pid  0)
+   ds_fail_printf(DS_FAIL_INTERNAL, failed to fork (%s), strerror(errno));
+if (pid == 0) {
 	if (DS_LEV_DEBUG  ds_debug_level) {
 	close(0); close(1); close(2);
 	}
-- 
2.0.0.rc0

From 8bc395f20d958cde6bf079d130a3de7118a922d5 Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Tue, 19 Aug 2014 10:30:20 +0200
Subject: [PATCH 2/5] add error/eof checking into getSigKeyID()

---
 gpg-parse.c | 16 ++--
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/gpg-parse.c b/gpg-parse.c
index 14a9175..e051519 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -98,13 +98,13 @@ char *getKeyID (const struct match *mtc) {
 }
 
 char *getSigKeyID (const char *deb, const char *type) {
-static char buf[2048];
+char buf[2048];
 int pread[2], pwrite[2], t;
-off_t len = checkSigExist(type);
 pid_t pid;
 FILE *ds_read, *ds_write;
 char *c, *ret = NULL;
 
+off_t len = checkSigExist(type);
 if (!len)
 	return NULL;
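
Review bot: buf loses its static storage in this hunk, which is only safe if the string getSigKeyID() returns never points into buf; ret is declared here but its assignment lies outside the visible context. Please confirm that the returned key ID is copied to storage that outlives the call. Moving the checkSigExist() call below the declarations is fine.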
 
@@ -134,15 +134,19 @@ char *getSigKeyID (const char *deb, const char *type) {
 
 /* First, let's feed gpg our signature. Don't forget, our call to
  * checkSigExist() above positioned the deb_fs file pointer already.  */
-t = fread(buf, 1, sizeof(buf), deb_fs);
-while(len  0) {
+do {
+   t = fread(buf, 1, sizeof(buf), deb_fs);
+   if (ferror(deb_fs))
+  ds_fail_printf(DS_FAIL_INTERNAL, getSigKeyID: error reading signature (%s),
+ strerror(errno));
+
 	if (t  len)
 	fwrite(buf, 1, len, ds_write);
 	else
 	fwrite(buf, 1, t, ds_write);
 	len -= t;
-	t = fread(buf, 1, sizeof(buf), deb_fs);
-}
+} while(len  0 || !feof(deb_fs));
+
 if (ferror(ds_write))
 	ds_fail_printf(DS_FAIL_INTERNAL, error writing to gpg);
 fclose(ds_write);
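
Review bot: the new loop condition joins its two tests with ||, so the loop keeps running after the signature has been written out until fread() reaches the end of the whole archive, and it never terminates when the file ends while len is still positive, because fread() then returns 0 without setting the error flag. Once len has gone negative, the first branch passes len to fwrite() as a byte count, and a negative off_t converted to size_t asks fwrite() to read far past the 2048-byte buf. Stop as soon as len reaches zero, read at most the smaller of len and sizeof(buf) per iteration, and treat end of file with len still positive as a truncated signature.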
-- 
2.0.0.rc0

From 3096b1471e3248b09d4d5eaec618a1002e6acf8c Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Tue, 19 Aug 2014 10:44:58 +0200
Subject: [PATCH 3/5] remove global *deb var

---
 ar-parse.c  |  2 +-
 debsig-verify.c | 23 +++
 debsig.h|  4 ++--
 gpg-parse.c |  2 +-
 misc.c  |  4 ++--
 5 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/ar-parse.c b/ar-parse.c
index 477bf15..5146491 100644
--- a/ar-parse.c
+++ b/ar-parse.c
@@ -39,7 +39,7 @@
  * nothing important is going to be zero length anyway, so we treat it as
  * non-existant.  */
 off_t
-findMember(const char *name)
+findMember(const char *deb, const char *name)
 {
 char magic[SARMAG+1];
 struct ar_hdr arh;
diff --git a/debsig-verify.c b/debsig-verify.c
index 6adf7a9..33aaa1a 100644
--- a/debsig-verify.c
+++ b/debsig-verify.c
@@ -36,7 +36,6 @@
 char originID[2048];
 char *rootdir = ;
 
-char *deb = NULL;
 FILE *deb_fs = NULL;
 
 #define CTAR(x) control.tar # x
@@ -68,7 +67,7 @@ static

Bug#756357: squid-deb-proxy: refresh_pattern for .tar.xz and .tar.bz2

2014-08-18 Thread Michael Vogt
On Tue, Jul 29, 2014 at 12:34:00AM -0700, Vagrant Cascadian wrote:
 Package: squid-deb-proxy
 Version: 0.8.8
 Severity: wishlist
 Tags: patch

Thanks for your bugreport and your patch.

I added this to the bzr tree and it will be part of the next upload.

Thanks,
 Michael
 
 squid-deb-proxy.conf sets a refresh_pattern on .tar.gz files, and it seems
 like it should also do so with .tar.xz and .tar.bz2 files as well, as these
 are now used by many source packages both upstream and within Debian.
 
 --- squid-deb-proxy.conf.dpkg-dist2014-07-18 04:25:52.0 -0700
 +++ squid-deb-proxy.conf  2014-07-29 00:10:59.114247495 -0700
 @@ -54,6 +54,8 @@
  refresh_pattern deb$   129600 100% 129600
  refresh_pattern udeb$   129600 100% 129600
  refresh_pattern tar.gz$  129600 100% 129600
 +refresh_pattern tar.xz$  129600 100% 129600
 +refresh_pattern tar.bz2$  129600 100% 129600
  
  # always refresh Packages and Release files
  refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
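
Review bot: the two added patterns follow the existing tar.gz$ line and leave the dot unescaped, so it matches any character, while the Packages rule just below escapes its dots. Writing them as \.tar\.xz$ and \.tar\.bz2$ (and fixing tar.gz$ the same way) keeps the 129600-minute lifetime on real tarball names only.
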
 
 
 live well,
   vagrant
 
 -- System Information:
 Debian Release: jessie/sid
   APT prefers testing
   APT policy: (500, 'testing'), (120, 'unstable')
 Architecture: amd64 (x86_64)
 Foreign Architectures: i386
 armhf
 
 Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
 Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages squid-deb-proxy depends on:
 ii  debconf [debconf-2.0]  1.5.53
 ii  squid3 3.3.8-1.1+b1
 
 Versions of packages squid-deb-proxy recommends:
 ii  avahi-utils  0.6.31-4
 
 squid-deb-proxy suggests no packages.





Bug#758525: [patch] Please allow a alternative policy directory

2014-08-18 Thread Michael Vogt
Package: debsig-verify
Version: 0.10

Hello,

when I wrote a bunch of integration tests for a project that uses
debsig-verify I noticed that it would be great to be able to use an
alternative root directory to store my keyrings/policies so that my
test setup can run entirely as a user.

Attached is a patch that implements this via a new --rootdir option
(similar to the dpkg --root option). Alternatively I could add a
--keyring-dir and --policy-dir option if you prefer that. I couldn't
find a test directory but I'm happy to add an integration test for this
new feature (as it's exactly what it's meant for :). The man-page update
is also missing but I'm happy to add that too if you are fine with the
general idea.

Thanks,
 Michael
From da91646d4e910360eced3650732e4d2cdcd72296 Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Mon, 18 Aug 2014 15:55:41 +0200
Subject: [PATCH] Add a new --rootdir commandline option to allow a different
 rootdir

This option allows to verify against an alternative policy location.
Useful for testing or verification as non-root user.
---
 debian/changelog |  6 ++
 debsig-verify.c  | 13 ++---
 debsig.h |  5 +++--
 gpg-parse.c  |  2 +-
 4 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 8967e8d..2d5aca1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+debsig-verify (0.10.1) UNRELEASED; urgency=low
+
+  * add --rootdir option to use a alternative root directory
+
+ -- Michael Vogt michael.v...@ubuntu.com  Mon, 18 Aug 2014 15:41:53 +0200
+
 debsig-verify (0.10) unstable; urgency=low
 
   * Add exit status codes to the man page.
diff --git a/debsig-verify.c b/debsig-verify.c
index a09f534..4319caf 100644
--- a/debsig-verify.c
+++ b/debsig-verify.c
@@ -34,6 +34,7 @@
 #include debsig.h
 
 char originID[2048];
+char *rootdir = ;
 
 char *deb = NULL;
 FILE *deb_fs = NULL;
@@ -286,7 +287,8 @@ Usage: %s [ options ] deb\n\n\
'Selection' block of the policies only.\n\
--use-policy name Used in conjunction with the above\n\
option. This allows you to specify the\n\
-   short name of the policy you wish to try.\n,
+   short name of the policy you wish to try.\n\
+   --rootdir dir Use a alternative root directory for policy lookup\n,
 	dpkg_get_progname());
 exit(1);
 }
@@ -347,6 +349,12 @@ int main(int argc, char *argv[]) {
 		ds_printf(DS_LEV_ERR, --use-policy requires an argument);
 		outputUsage();
 	}
+	} else if (!strcmp(argv[i], --rootdir)) {
+	rootdir = argv[++i];
+	if (i == argc || rootdir[0] == '-') {
+		ds_printf(DS_LEV_ERR, --rootdir requires an argument);
+		outputUsage();
+	}
 	} else
 	outputUsage();
 }
@@ -371,8 +379,7 @@ int main(int argc, char *argv[]) {
 strncpy(originID, tmpID, sizeof(originID));
 
 /* Now we have an ID, let's check the policy to use */
-
-snprintf(buf, sizeof(buf) - 1, DEBSIG_POLICIES_DIR_FMT, originID);
+snprintf(buf, sizeof(buf) - 1, DEBSIG_POLICIES_DIR_FMT, rootdir, originID);
 if ((pd = opendir(buf)) == NULL)
 	ds_fail_printf(DS_FAIL_UNKNOWN_ORIGIN,
 		   Could not open Origin dir %s: %s\n, buf, strerror(errno));
diff --git a/debsig.h b/debsig.h
index 3c492b0..1b81681 100644
--- a/debsig.h
+++ b/debsig.h
@@ -17,8 +17,8 @@
  * along with this program.  If not, see https://www.gnu.org/licenses/.
  */
 
-#define DEBSIG_POLICIES_DIR_FMT DEBSIG_POLICIES_DIR/%s
-#define DEBSIG_KEYRINGS_FMT DEBSIG_KEYRINGS_DIR/%s/%s
+#define DEBSIG_POLICIES_DIR_FMT %sDEBSIG_POLICIES_DIR/%s
+#define DEBSIG_KEYRINGS_FMT %sDEBSIG_KEYRINGS_DIR/%s/%s
 
 #define GPG_PROG /usr/bin/gpg
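
Review bot: adding a leading %s to DEBSIG_KEYRINGS_FMT changes the argument list of every snprintf() that uses the macro, but the diffstat for this version shows a single changed line in gpg-parse.c, in getKeyID(). The use in gpgVerify() still passes only originID and the match file, which leaves the format one argument short and is undefined behaviour. Update that call as well, and consider replacing the two format macros with a small helper function that takes rootdir, originID and the file name, so the compiler checks the arguments.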
 
@@ -93,3 +93,4 @@ extern int ds_debug_level;
 extern FILE *deb_fs;
 extern char *deb;
 extern char originID[];
+extern char *rootdir;
diff --git a/gpg-parse.c b/gpg-parse.c
index bae2181..f28a5b5 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -56,7 +56,7 @@ char *getKeyID (const struct match *mtc) {
 gpg_init();
 
 snprintf(buf, sizeof(buf) - 1, GPG_PROG GPG_ARGS_FMT --list-packets -q DEBSIG_KEYRINGS_FMT,
-	 GPG_ARGS, originID, mtc-file);
+	 GPG_ARGS, rootdir, originID, mtc-file);
 
 if ((ds = popen(buf, r)) == NULL) {
 	perror(gpg);
-- 
2.0.0.rc0



Bug#755088: please show removals *last* in dist-upgrade

2014-07-29 Thread Michael Vogt
On Thu, Jul 17, 2014 at 12:28:09PM -0400, Joey Hess wrote:
 Package: apt
 Version: 1.0.5
 Severity: wishlist

Thanks for your bugreport.
 
 Many of apt's users are human, and thus prone to making mistakes. A common
 mistake seems to be running apt-get dist-upgrade and not noticing that it wants
 to remove your backup system and/or terminal emulator and/or steam. Or not
 noticing that it wants to install horrible-enormous-thing and/or steam. It
 doesn't help that the message about this is buried in the middle of masses of
 other data that are liable to be skimmed at best, and scroll right off the
 terminal at worst.
[..]
 So, I suggest sorting the output with the most important items last,
 to go with the UPPERCASE highlighting apt already gives them.

This is an excellent idea!

Attached is a patch that implements it as the new default for
apt. As for apt-get I am a little bit concerned that changing this
breaks some people's workflow. So maybe switching the default for
apt-get in 1.2? Or am I too conservative here :) ?

Cheers,
 Michael



diff --git a/apt-private/private-install.cc b/apt-private/private-install.cc
index e08cd80..58639b2 100644
--- a/apt-private/private-install.cc
+++ b/apt-private/private-install.cc
@@ -61,19 +61,33 @@ bool InstallPackages(CacheFile Cache,bool ShwKept,bool Ask, bool Safety)
bool Fail = false;
bool Essential = false;

-   // Show all the various warning indicators
-   ShowDel(c1out,Cache);
-   ShowNew(c1out,Cache);
-   if (ShwKept == true)
-  ShowKept(c1out,Cache);
-   Fail |= !ShowHold(c1out,Cache);
-   if (_config-FindB(APT::Get::Show-Upgraded,true) == true)
-  ShowUpgraded(c1out,Cache);
+   // Show all the various warning indicators in the users prefered way
+   std::vectorstd::string StatsOrder = _config-FindVector(
+  APT::Cmd::Stats-Order, remove,new,keep,hold,upgrade,stats);
+   for(std::vectorstd::string::const_iterator I = StatsOrder.begin();
+   I != StatsOrder.end(); ++I)
+   {
+  if(*I == remove)
+ ShowDel(c1out,Cache);
+  else if (*I == new)
+ ShowNew(c1out,Cache);
+  else if (*I == keep)
+  {
+ if (ShwKept == true)
+ShowKept(c1out,Cache);
+  } else if (*I == hold)
+ Fail |= !ShowHold(c1out,Cache);
+  else if (*I == upgrade)
+  {
+ if (_config-FindB(APT::Get::Show-Upgraded,true) == true)
+ShowUpgraded(c1out,Cache);
+  } else if (*I == stats)
+ Stats(c1out,Cache);
+   }
Fail |= !ShowDowngraded(c1out,Cache);
if (_config-FindB(APT::Get::Download-Only,false) == false)
-Essential = !ShowEssential(c1out,Cache);
+  Essential = !ShowEssential(c1out,Cache);
Fail |= Essential;
-   Stats(c1out,Cache);
 
// Sanity check
if (Cache-BrokenCount() != 0)
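
Review bot: the ShowHold() call that feeds Fail now runs only when the configured list contains hold, so a Stats-Order value that omits it disables the held-package check and not just its output; in the same way the REMOVED list disappears entirely when remove is left out. Keep the calls that feed Fail unconditional and let the option control only the order, for instance by appending any section that is missing from the list. Unknown entries are skipped silently; a warning would help catch typos. In the new comment, "prefered" should be "preferred".
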
diff --git a/cmdline/apt.cc b/cmdline/apt.cc
index 2cfdf8e..329c33d 100644
--- a/cmdline/apt.cc
+++ b/cmdline/apt.cc
@@ -117,6 +117,8 @@ int main(int argc, const char *argv[])	/*{{{*/
_config-CndSet(Apt::Color, 1);
_config-CndSet(APT::Get::Upgrade-Allow-New, true);
_config-CndSet(APT::Cmd::Show-Update-Stats, true);
+   _config-CndSet(APT::Cmd::Stats-Order,
+   keep,hold,upgrade,new,remove,stats);
 
// Parse the command line and initialize the package library
CommandLine CmdL(Args.data(), _config);
diff --git a/test/integration/test-apt-get-upgrade b/test/integration/test-apt-get-upgrade
index 2344629..44f6a80 100755
--- a/test/integration/test-apt-get-upgrade
+++ b/test/integration/test-apt-get-upgrade
@@ -76,3 +76,28 @@ Conf new-dep (1.0 stable [all])
 Conf upgrade-simple (2.0 unstable [all])
 Conf upgrade-with-new-dep (2.0 unstable [all])' aptget -s dist-upgrade
 
+# see if we can customize the order
+testequal 'Reading package lists...
+Building dependency tree...
+The following packages will be upgraded:
+  upgrade-simple upgrade-with-conflict upgrade-with-new-dep
+The following NEW packages will be installed:
+  new-dep
+The following packages will be REMOVED:
+  conflicting-dep
+3 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
+After this operation, 0 B of additional disk space will be used.
+E: Trivial Only specified but this is not a trivial operation.' aptget --trivial-only dist-upgrade -o Apt::Cmd::Stats-Order=keep,hold,upgrade,new,remove,stats
+
+# the cmdline apt has a different default ordering
+testequal 'Reading package lists...
+Building dependency tree...
+The following packages will be upgraded:
+  upgrade-simple upgrade-with-conflict upgrade-with-new-dep
+The following NEW packages will be installed:
+  new-dep
+The following packages will be REMOVED:
+  conflicting-dep
+3 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
+After this operation, 0 B of additional disk space will be used.
+E: Trivial Only specified but this is not a trivial operation.' apt --trivial-only full-upgrade
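
Review bot: both new cases expect the same order, so they show that the option is honoured but not what happens with a list that omits an entry or contains an unknown one; add a case such as Stats-Order=upgrade,stats and assert on the output and the exit status. The -o argument spells the option Apt::Cmd::Stats-Order while the code spells it APT::Cmd::Stats-Order; use one spelling in code and tests.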


Bug#756056: apt(8) manpage: bad grammar in description of upgrade

2014-07-29 Thread Michael Vogt
On Fri, Jul 25, 2014 at 09:02:27PM +0200, Jakub Wilk wrote:
 Package: apt
 Version: 1.1~exp2
 Severity: minor

Thanks a bunch!
 
 The apt(8) manpage reads:
 New package will be installed, but existing package will never removed.
 
 It should be s/will never/will be never/.
 Perhaps also s/package/packages/g.

This is fixed in git now and it will be part of the next upload!

Thanks again,
 Michael 





Bug#756162: nonexistent target release makes apt update segfault

2014-07-29 Thread Michael Vogt
On Sun, Jul 27, 2014 at 01:10:19AM +0200, Jakub Wilk wrote:
 Package: apt
 Version: 1.0.6

Thanks for your bugreport.
 
 # apt -t moostable update
 Hit http://ftp.debian.org unstable InRelease
 Hit http://ftp.debian.org experimental InRelease
 Hit http://ftp.debian.org unstable/main amd64 Packages/DiffIndex
 Hit http://ftp.debian.org experimental/main amd64 Packages/DiffIndex
 Reading package lists... Done
 Segmentation fault
 
I wasn't able to reproduce this crash. Could you please try to get a
gdb backtrace, ideally from the apt build tree and attach it to the
bugreport? 

Thanks a bunch,
 Michael

 
 -- Package-specific info:
 
 -- (no /etc/apt/preferences present) --
 
 
 -- /etc/apt/sources.list --
 
 deb http://ftp.debian.org/debian/ unstable main
 deb http://ftp.debian.org/debian/ experimental main
 
 -- System Information:
 Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
 Architecture: amd64 (x86_64)
 
 Kernel: Linux 3.14-2-amd64 (SMP w/1 CPU core)
 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages apt depends on:
 ii  debian-archive-keyring  2012.4
 ii  gnupg   1.4.18-2
 ii  libapt-pkg4.12  1.0.6
 ii  libc6   2.19-7
 ii  libgcc1 1:4.9.1-2
 ii  libstdc++6  4.9.1-2
 
 -- 
 Jakub Wilk
 
 
 -- 
 To UNSUBSCRIBE, email to deity-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: https://lists.debian.org/20140726231019.ga7...@jwilk.net
 





Bug#756200: apt: [INTL:pt] Updated Portuguese translation of manpage

2014-07-29 Thread Michael Vogt
On Sun, Jul 27, 2014 at 02:17:27PM +0100, Américo Monteiro wrote:
 Package: apt
 Version: 1.0.6
 Tags: l10n, patch
 Severity: wishlist
 
 Updated Portuguese translation for apt's manpage.
 Translator: Américo Monteiro a_monte...@gmx.com
 Feel free to use it.
 
 For translation updates please contact 'Last Translator' or the
 Portuguese Translation Team traduz _at_ debianpt.org.

Thanks a bunch! Merged into git and it will be part of the next
upload.

Cheers,
 Michael





Bug#755874: gobject-introspection: [patch] use multi-arch pathes for the .typelib files

2014-07-24 Thread Michael Vogt
Package: gobject-introspection
Version: 1.40.0-1ubuntu0.1
Severity: wishlist
Tags: patch

Hello,

to install a cross build environment it would be great if the typelibs
could be co-installed in a multiarch environment. Right now all
foo-dev packages depend on gir1.2-foo. So when trying to install foo-dev
for cross-building that won't work because the gir1.2-foo is not
multi-arch ready. The attached patch moves gobject-introspection to
multiarch triplet paths, adds compatibility for the old path and
updates dh_girepository to look at both the new and old path.
This part could probably do with a review of someone more familiar
with perl than I am :)

With this change most packages that ship a gir1.2-* package need a small
change to their debian/gir1.2-foo.install file:
 - usr/lib/girepository-1.0/* 
 + usr/lib/*/girepository-1.0/*
Without it they will fail to build.

Here is a draft announcement:

Dear developers,

we would like to move the gnome introspection typelib data from
/usr/lib/girepository-1.0 to /usr/lib/triplet/girepository-1.0
so that we can install them in parallel on a multiarch system.

An updated version of gobject-introspection is ready in experimental that will
look into the new multiarch path and have the old path as a fallback.

But because the pkg-config libdir is now also a multiarch path most
gir1.2-* packages need adjustments to their debian/install file(s).

The change is straightforward, just change your debian/install file:
- usr/lib/girepository-1.0/* 
+ usr/lib/*/girepository-1.0/*

because the typelib files are now in e.g. /usr/lib/x86_64-linux-gnu.

Thanks,


Thanks for your consideration!
 Michael


-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gobject-introspection depends on:
ii  build-essential11.6ubuntu6
ii  libc6  2.19-0ubuntu6
ii  libffi63.1~rc1+r3.0.13-12
ii  libgirepository-1.0-1  1.40.0-1ubuntu0.1
ii  libglib2.0-0   2.40.0-2
ii  python-mako0.9.1-1
ii  python2.7  2.7.6-8
pn  python:any none

gobject-introspection recommends no packages.

gobject-introspection suggests no packages.

-- no debconf information
diff -Nru gobject-introspection-1.40.0/debian/dh_girepository gobject-introspection-1.40.0/debian/dh_girepository
--- gobject-introspection-1.40.0/debian/dh_girepository	2011-12-01 22:22:10.0 +0100
+++ gobject-introspection-1.40.0/debian/dh_girepository	2014-07-23 17:07:14.0 +0200
@@ -75,8 +75,12 @@
 my $bin_version = $dh{VERSION};
 my @archpackages = getpackages(arch);
 
+my $triplet = `dpkg-architecture -qDEB_HOST_MULTIARCH`;
+chomp $triplet;
+my $typelib_multiarch_path = /usr/lib/$triplet/girepository-1.0;
 my $typelib_path = /usr/lib/girepository-1.0;
-my @typelibdirs = (@ARGV, $typelib_path);
+
+my @typelibdirs = (@ARGV, $typelib_path, $typelib_multiarch_path);
 my $gir_path = /usr/share/gir-1.0;
 my @girdirs = (@ARGV, $gir_path);
 my $arch_triplet = `dpkg-architecture -qDEB_HOST_MULTIARCH`;
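
Review bot: the new `$triplet` at the top of this hunk duplicates `$arch_triplet`, which the last context line already fills from the same `dpkg-architecture -qDEB_HOST_MULTIARCH` call, so the script forks dpkg-architecture twice and carries two names for one value. Move the existing `$arch_triplet` assignment above `$typelib_multiarch_path` and build the path from it. The multiarch directory is also appended after the legacy `$typelib_path` in `@typelibdirs`; if the new location is meant to be preferred, list it first.
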
@@ -146,28 +150,31 @@
 sub require_typelib {
 my $req = shift;
 my $package = shift;
-my $fullpath = $typelib_path/$req;
+my $fullpath = ;
+foreach my $typelibdir (@typelibdirs) {
+$fullpath = $typelibdir/$req;
 
-verbose_print (Dependency: $req);
-foreach my $girdir (@girdirs) {
-if (-f tmpdir($package).$girdir/$req) {
-verbose_print(  found in the same package);
-return;
+verbose_print (Dependency: $req);
+foreach my $girdir (@girdirs) {
+if (-f tmpdir($package).$girdir/$req) {
+verbose_print(  found in the same package);
+return;
+}
 }
-}
-foreach my $otherpkg (@archpackages) {
-if (-f tmpdir($otherpkg).$fullpath) {
-verbose_print (  found in $otherpkg);
-error(Dependency on $otherpkg with a different format than $format) unless $otherpkg =~ /^gir$format/;
-addsubstvar ($package, gir:Depends, $otherpkg, = $bin_version);
-return;
+foreach my $otherpkg (@archpackages) {
+if (-f tmpdir($otherpkg).$fullpath) {
+verbose_print (  found in $otherpkg);
+error(Dependency on $otherpkg with a different format than $format) unless $otherpkg =~ /^gir$format/;
+addsubstvar ($package, gir:Depends, $otherpkg, = $bin_version);
+return;
+}
 }
-}
-foreach my $privpath (@privdirs) {
-if (-f $privpath/$req) {
-verbose_print (  found in $privpath);
-$fullpath = $privpath/$req;
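
Review bot: in `require_typelib`, the `verbose_print (Dependency: $req)` call and the `@girdirs` lookup now sit inside `foreach my $typelibdir (@typelibdirs)` although neither uses `$typelibdir`, so the dependency line is logged and the same-package check repeated once per typelib directory. Hoist both above the loop and keep only the `@archpackages` test, which depends on `$fullpath`, inside it.
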
-  

Bug#755389: synaptic: List remaining files for package Not installed (residual config)

2014-07-21 Thread Michael Vogt
On Sun, Jul 20, 2014 at 11:19:06AM +0200, Christophe wrote:
 Package: synaptic
 Version: 0.81.2
 Severity: wishlist
 Tags: upstream

Thanks for your bugreport.
 
 After un-installing some packages, they end up in the Not installed 
 (residual config) state.
 In general case, this is ok as is and we can mark them for complete 
 removal, but in some
 case it would be interresting first to be able to check the files that 
 remains, so we can
 cross-check them before removal (my current use case being the package 
 sysvinit-core for
 which I would like to be sure it is not linked to some customised stuff that 
 I need to port
 to systemd's config).
 
 Would it be thinkable to list these files in the package - Property - 
 Installed Files tab,
 or something similar?

It should display the leftover files already when there are
any. However it seems that dpkg marks quite a few packages with
Status: deinstall ok config-files even if there are no config files
left. I see this on my box for e.g. abiword which afaict from a quick
glance at various old versions never had any config files. This sounds
like something to talk to dpkg about.

Cheers,
 Michael





Bug#754817: apt-doc: [INTL:ja] New Japanese document translation

2014-07-16 Thread Michael Vogt
On Tue, Jul 15, 2014 at 01:15:04AM +0900, victory wrote:
 
 Package: apt-doc
 Version: 1.0.6
 Severity: wishlist
 Tags: patch l10n
 
 Dear apt package maintainer,
 
  Here's Japanese document translation (ja.po) file that 
  reviewed by several Japanese Debian developers and users.
 
  Could you apply it, please?

Thanks a bunch! I added it to git and it will be part of the
next upload.

Cheers,
 Michael





Bug#754904: apt-get install /dev/null segfaults

2014-07-16 Thread Michael Vogt
On Tue, Jul 15, 2014 at 09:26:31PM +0200, Jakub Wilk wrote:
 Package: apt
 Version: 1.1~exp2
 Severity: minor

Thanks for your bugreport.
 
 # apt-get install -qq /dev/null
 Segmentation fault
 
 It would be nice if apt could print a helpful error message instead
 of segfaulting. For example, this is what dpkg says:
 
 # dpkg -i /dev/null
 dpkg-deb: error: `/dev/null' is not a debian format archive
 dpkg: error processing archive /dev/null (--install):
 subprocess dpkg-deb --control returned error exit status 2
 Errors were encountered while processing:
 /dev/null

This is fixed in git now.

Cheers,
 Michael 
 
 -- System Information:
 Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
 Architecture: i386 (x86_64)
 Foreign Architectures: amd64
 
 Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
 Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages apt depends on:
 ii  debian-archive-keyring  2012.4
 ii  gnupg   1.4.18-2
 ii  libapt-pkg4.13  1.1~exp2
 ii  libc6   2.19-7
 ii  libgcc1 1:4.9.0-10
 ii  libstdc++6  4.9.0-10
 
 -- 
 Jakub Wilk
 
 
 -- 
 To UNSUBSCRIBE, email to deity-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: https://lists.debian.org/20140715192630.ga9...@jwilk.net
 





Bug#742882: apt: Does not support LFS .deb packages on 32-bit systems

2014-07-08 Thread Michael Vogt
On Sat, Jul 05, 2014 at 01:17:24AM +0200, Guillem Jover wrote:
[..]
 Ok, here's a first rough go at a patch. It breaks ABI, and just noticed
 an ABI breaking release was recently uploaded to experimental. :(
 
 Just wanted to publish it for now, in case your policy allows to merge
 this in the ABI breaking release. Otherwise I could rework it to stage
 the change in preprocessor macros in a similar way as how you seem to
 handle these. I've only test-built it though.

Thanks a bunch. This looks good! I updated the version of libapt-inst
to 1.6 in the branch as well. Breaking the ABI is ok at this point
because the package has only reached experimental so far.

python-apt is now updated too so that it uses the new long long in
Process() and the testsuite is also happy, so all appears to be well
:)

Thanks,
 Michael





Bug#753531: apt-get clean executes 'rm /*' if Dir::Cache is set to

2014-07-08 Thread Michael Vogt
On Sun, Jul 06, 2014 at 01:05:16PM +0200, Cédric Barboiron wrote:
 On Thu, 3 Jul 2014 08:59:57 +0200
[..]
 Hi Michael, and thanks for your answer.
 
 The use-case was indeed to disable the bin cache. Your patch is a good
 protection against misreading the manual. Btw, I tried with '/dev/null'
 only because it is handled differently in configuration.cc, I don't
 think it's useful to protect against this.
 
 For the manpage, I believe changing their names and empty string
 to the actual values would be clear enough (attached patch).

Great, that looks good! Your patch (and the patch to error when
cleaning /) is now part of the debian/sid branch and it will be part
of the next upload.

Thanks for your help with making the documentation better!

Cheers,
 Michael





Bug#754124: Error in `apt-extracttemplates': double free or corruption (fasttop)

2014-07-08 Thread Michael Vogt
On Mon, Jul 07, 2014 at 08:20:41PM +0200, Jakub Wilk wrote:
 Package: apt-utils
 Version: 1.1~exp1
 Severity: important

Thanks for your bugreport.
 
 $ apt-extracttemplates -h
 apt 1.1~exp1 for i386 compiled on Jun 22 2014 10:39:33
 Usage: apt-extracttemplates file1 [file2 ...]
 
 apt-extracttemplates is a tool to extract config and template info
 from debian packages
 
 Options:
  -h   This help text
  -t   Set the temp dir
  -c=? Read this configuration file
  -o=? Set an arbitrary configuration option, eg -o dir::cache=/tmp
 *** Error in `apt-extracttemplates': double free or corruption (fasttop): 
 0x08ddd8a8 ***
 Aborted
 
I can reproduce the error in a clean debian/experimental environment
when installing the packages from experimental. Turns out there is a
(subtle) ABI break in libapt-inst, sorry for that. As a workaround,
you could use the libapt-inst1.5 from experimental or wait a little
bit and I will upload a fixed package to experimental.

Cheers,
 Michael





Bug#754041: apt-get build-dep pkgname no longer secure when cwd=/tmp

2014-07-08 Thread Michael Vogt
On Sun, Jul 06, 2014 at 11:49:26PM +0200, Jakub Wilk wrote:
 Package: apt
 Version: 1.1~exp1
 Severity: minor
 Tags: security

Thanks for your bugreport.
 
 First of all, thanks for bringing new exciting features to apt!
 
 I'm afraid, however, that one of these features, namely
  * add support for apt-get build-dep unpacked-source-dir
 brought an unanticipated security regression.
 
 Consider the following command:
 
  # apt-get build-dep nyancat
 
 It used to be safe to execute it regardless of what your working
 directory was. But in apt_1.1~exp1, this is no longer secure if cwd
 is a world-writable, for example /tmp. A local malicious user could
 create crafted /tmp/nyancat/debian/control, tricking apt into
 installing packages of their choice. Or they could symlink
 /tmp/nyancat/debian/control to /dev/urandom...

Good point, thanks a lot for bringing this to our attention. I changed
the code now so that it prints when using a file/directory so that the
user is aware of it (as suggested by David).

And as you suggested it now enforces that it needs a path starting
with ./ or /.

Thanks,
 Michael

 
 -- System Information:
 Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
 Architecture: i386 (x86_64)
 Foreign Architectures: amd64
 
 Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
 Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages apt depends on:
 ii  debian-archive-keyring  2012.4
 ii  gnupg   1.4.18-1
 ii  libapt-pkg4.13  1.1~exp1
 ii  libc6   2.19-4
 ii  libgcc1 1:4.9.0-10
 ii  libstdc++6  4.9.0-10
 
 -- 
 Jakub Wilk
 
 
 -- 
 To UNSUBSCRIBE, email to deity-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: https://lists.debian.org/20140706214926.ga8...@jwilk.net
 


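
The rule described in this reply (a build-dep argument is treated as a local directory only when it starts with ./ or /, and the user is told when one is used), sketched in C++ as an added example. This is not apt's code: the function names, the notice wording and the extra regular-file check on debian/control are assumptions made here, and the directory tree is constructed in a temporary directory.

```cpp
// Added illustration, not apt's source: deciding whether a build-dep argument
// names a package or a local source tree.
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

enum class Target { PackageName, LocalSource, Rejected };

struct Decision {
    Target target;
    std::string notice;  // text shown to the user (wording constructed here)
};

// True only when <dir>/debian/control is a regular file. stat() follows
// symlinks, so a link to a device node is refused. This extra check is an
// assumption of the example, not something the thread says apt does.
static bool HasRegularControl(const std::string &dir) {
    struct stat st;
    return stat((dir + "/debian/control").c_str(), &st) == 0 && S_ISREG(st.st_mode);
}

// Behaviour the report describes for 1.1~exp1: a bare name that matches an
// unpacked source tree below the current directory wins over the package.
Decision ClassifyLegacy(const std::string &arg) {
    struct stat st;
    if (stat((arg + "/debian/control").c_str(), &st) == 0)
        return {Target::LocalSource, ""};
    return {Target::PackageName, ""};
}

// Behaviour after the change described in the reply: only an explicit path
// (leading "./" or "/") is ever looked up on disk, and its use is announced.
Decision ClassifyHardened(const std::string &arg) {
    const bool explicitPath =
        (!arg.empty() && arg[0] == '/') || arg.compare(0, 2, "./") == 0;
    if (!explicitPath)
        return {Target::PackageName, ""};  // the filesystem is never consulted
    if (!HasRegularControl(arg))
        return {Target::Rejected, "E: no regular debian/control below " + arg};
    return {Target::LocalSource, "Note: using directory '" + arg + "' for build dependencies"};
}

struct ScenarioResult {
    Target legacyBare, hardenedBare, hardenedExplicit, hardenedSymlink;
};

// Rebuilds the situation from the report inside a private temporary directory
// that stands in for a world-writable cwd, then classifies the arguments.
ScenarioResult RunScenario() {
    ScenarioResult r{Target::Rejected, Target::Rejected, Target::Rejected, Target::Rejected};
    char oldcwd[4096];
    char tmpl[] = "/tmp/builddep-demo-XXXXXX";
    if (getcwd(oldcwd, sizeof oldcwd) == nullptr || mkdtemp(tmpl) == nullptr)
        return r;
    const std::string base(tmpl);
    mkdir((base + "/nyancat").c_str(), 0755);
    mkdir((base + "/nyancat/debian").c_str(), 0755);
    {
        std::ofstream f(base + "/nyancat/debian/control");
        f << "Source: nyancat\nBuild-Depends: some-other-package\n";  // constructed
    }
    mkdir((base + "/linked").c_str(), 0755);
    mkdir((base + "/linked/debian").c_str(), 0755);
    if (symlink("/dev/urandom", (base + "/linked/debian/control").c_str()) != 0) {
        // A missing control file is rejected as well, so the demo still holds.
    }
    if (chdir(tmpl) == 0) {
        r.legacyBare = ClassifyLegacy("nyancat").target;
        r.hardenedBare = ClassifyHardened("nyancat").target;
        r.hardenedExplicit = ClassifyHardened("./nyancat").target;
        r.hardenedSymlink = ClassifyHardened("./linked").target;
        if (chdir(oldcwd) != 0) {
            // Nothing else to do; the cleanup below uses absolute paths.
        }
    }
    unlink((base + "/linked/debian/control").c_str());
    unlink((base + "/nyancat/debian/control").c_str());
    rmdir((base + "/linked/debian").c_str());
    rmdir((base + "/linked").c_str());
    rmdir((base + "/nyancat/debian").c_str());
    rmdir((base + "/nyancat").c_str());
    rmdir(base.c_str());
    return r;
}

int main() {
    const ScenarioResult r = RunScenario();
    std::printf("legacy   nyancat   -> %s\n",
                r.legacyBare == Target::LocalSource ? "local directory" : "package");
    std::printf("hardened nyancat   -> %s\n",
                r.hardenedBare == Target::PackageName ? "package" : "local directory");
    std::printf("hardened ./nyancat -> %s\n",
                r.hardenedExplicit == Target::LocalSource ? "local directory" : "not used");
    std::printf("hardened ./linked  -> %s\n",
                r.hardenedSymlink == Target::Rejected ? "rejected" : "accepted");
    return 0;
}
```
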



Bug#753297: apt list --upgradable gives lot of false positives

2014-07-08 Thread Michael Vogt
On Mon, Jun 30, 2014 at 03:27:01PM +0530, shirish शिरीष wrote:
 Package: apt
 Version: 1.0.5
 Severity: normal

Thanks for your bugreport.
 
[..]
 apt list --upgradable gives lot of false positives. I did a run of
 index update and it said :-
 
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 25 packages can be upgraded. Run 'apt list --upgradable' to see them.
 
 But running the command itself gave lot of false positives.
[..]
 $ apt list --upgradable
 Listing... Done
 advancecomp/testing,now 1.16-1 amd64 [installed,upgradable to: 1.16-1]
 aegisub/testing,now 3.0.4-2+b1 amd64 [installed,upgradable to: 3.0.4-2+b1]
 alsa-base/testing,now 1.0.25+3 all [installed,upgradable to: 1.0.25+3]
 anacron/testing,now 2.3-20 amd64 [installed,upgradable to: 2.3-20]
 autoconf/testing,now 2.69-6 all [installed,upgradable to: 2.69-6]
 
 It is possible that it might be some configuration issue at my end,
 but still it would be nice if somebody can clarify.
[..]

I wasn't able to directly reproduce this, but I think the following
commit fixes the false positives:

http://anonscm.debian.org/gitweb/?p=apt/apt.git;a=commitdiff;h=7d1b93d94083a3856efc821bacd9e91f80bbf760
 

Cheers,
 Michael





Bug#752702: apt: please add a way to to retrieve the location of Packages/Sources files in /var/lib/apt/lists/

2014-07-08 Thread Michael Vogt
On Thu, Jun 26, 2014 at 11:13:28PM +0200, Johannes Schauer wrote:
 Hi,
Hi,
 
[..]
 I was thinking that it would nice if apt would provide an API to retrieve the
 location and properties of Packages and Sources files in /var/lib/apt/lists

 If apt had such an interface, then third party applications which make use of
 Packages and Sources files like dose3, ben and botch could directly make use 
 of
 those files and the user would not have to retrieve them from somewhere else.
 
 `apt-cache dumpavail` doesnt work well here because it prints all available
 binary packages and doesnt allow to select a suite or distribution. It also
 doesnt allow listing source packages.
[..]

Ok, that is certainly doable, attached is a very simple patch that
adds a local filename (abi break). I guess we probably want to return
a struct instead that describes it a bit more. But as David points
out, there are flat archives that are really just a Packages file
with mixed architectures so it's not always meaningful.

Cheers,
 Michael 

 
 You mentioned creating a mapping between sources.list and files in
 /var/lib/apt/lists. This could be one way to solve this but it would not be 
 the
 only way.
 
 Here more detail about he use case: a 3rd party application (like botch or
 dose3 or ben) work on Packages and Sources files. If the user now wants to let
 Debian sid amd64 be analyzed by any of these utilities, then they first have 
 to
 require Packages and Sources files for Debian sid amd64. They'd have to do 
 that
 even though apt might already have usable ones in /var/lib/apt/lists.
 Unfortunately, as you already pointed out it is not safe to use anything in
 /var/lib/apt/lists yet. It would be nice if apt could be queried about the
 content of /var/lib/apt/lists so that 3rd party applications can then decide
 whether they can make use of those contents and can thus avoid extra 
 downloads.
 
 I hope this makes more sense now?
 
 cheers, josch
 
 
 --
 To UNSUBSCRIBE, email to deity-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: https://lists.debian.org/20140626211328.3886.46854@hoothoot
 
diff --git a/apt-pkg/deb/debindexfile.h b/apt-pkg/deb/debindexfile.h
index 18322dc..266a1b7 100644
--- a/apt-pkg/deb/debindexfile.h
+++ b/apt-pkg/deb/debindexfile.h
@@ -51,6 +51,8 @@ class debStatusIndex : public pkgIndexFile
bool Merge(pkgCacheGenerator Gen,OpProgress *Prog, unsigned long const Flag) const;
virtual pkgCache::PkgFileIterator FindInCache(pkgCache Cache) const;
 
+   virtual std::string LocalFileName() const {return File;};
+
debStatusIndex(std::string File);
virtual ~debStatusIndex() {};
 };
@@ -87,6 +89,8 @@ class debPackagesIndex : public pkgIndexFile
virtual bool Merge(pkgCacheGenerator Gen,OpProgress *Prog) const;
virtual pkgCache::PkgFileIterator FindInCache(pkgCache Cache) const;
 
+   virtual std::string LocalFileName() const {return IndexFile(Packages);};
+
debPackagesIndex(std::string const URI, std::string const Dist, std::string const Section,
 			bool const Trusted, std::string const Arch = native);
virtual ~debPackagesIndex() {};
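
Review bot: `LocalFileName()` in debPackagesIndex returns `IndexFile(Packages)` unconditionally, while the comment on the base-class declaration in indexfile.h promises an empty result when the local file is not available. Either check that the file exists before returning it, or reword the base-class comment to say the path may not exist, so the third-party callers this is meant for know they must test it themselves. The same applies to the Translations and Sources overrides.
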
@@ -123,6 +127,8 @@ class debTranslationsIndex : public pkgIndexFile
virtual bool Merge(pkgCacheGenerator Gen,OpProgress *Prog) const;
virtual pkgCache::PkgFileIterator FindInCache(pkgCache Cache) const;
 
+   virtual std::string LocalFileName() const {return IndexFile(Language);};
+
debTranslationsIndex(std::string URI,std::string Dist,std::string Section, char const * const Language);
virtual ~debTranslationsIndex() {};
 };
@@ -160,6 +166,8 @@ class debSourcesIndex : public pkgIndexFile
virtual bool HasPackages() const {return false;};
virtual unsigned long Size() const;

+   virtual std::string LocalFileName() const {return IndexFile(Sources);};
+
debSourcesIndex(std::string URI,std::string Dist,std::string Section,bool Trusted);
virtual ~debSourcesIndex() {};
 };
@@ -190,6 +198,8 @@ class debDebPkgFileIndex : public pkgIndexFile
// Interface for acquire
virtual std::string ArchiveURI(std::string /*File*/) const;
 
+   virtual std::string LocalFileName() const {return DebFile;};
+
debDebPkgFileIndex(std::string DebFile);
virtual ~debDebPkgFileIndex() {};
 };   
@@ -207,6 +217,7 @@ class debDscFileIndex : public pkgIndexFile
virtual std::string Describe(bool /*Short*/) const {
   return DscFile;
};
+   virtual std::string LocalFileName() const {return DscFile;};
 
debDscFileIndex(std::string DscFile);
virtual ~debDscFileIndex() {};
diff --git a/apt-pkg/indexfile.h b/apt-pkg/indexfile.h
index 817165f..9a95725 100644
--- a/apt-pkg/indexfile.h
+++ b/apt-pkg/indexfile.h
@@ -95,6 +95,9 @@ class pkgIndexFile
static std::string LanguageCode();
 
bool IsTrusted() const { return Trusted; };
+
+   // returns the path of the local file (or  if its not available)
+   virtual std::string LocalFileName() const {return ;};
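
Review bot: adding a virtual member to `pkgIndexFile` changes the vtable layout of a public class, which is the ABI break the cover mail mentions, so this has to land together with a library version bump rather than as a standalone change. In the new comment, "its" should read "it is".
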

  

Bug#753531: apt-get clean executes 'rm /*' if Dir::Cache is set to

2014-07-03 Thread Michael Vogt
On Wed, Jul 02, 2014 at 09:41:07PM +0200, Cédric Barboiron wrote:
 Package: apt
 Version: 1.0.5
 Severity: important

Thanks for your bugreport.
 
 (warning: attached patch is not a solution, it is just intended to show
 the problem)
 
 Setting Dir::Cache::archives and Dir::Cache to the empty string (as
 instructed by man 5 apt.conf) do NOT disable cache but set it to '/'.
 
 Consequence: apt-get clean then effectively cleans '/' and removes all
 files here.
 
 Not true anymore but even worse, on squeeze it also removes the '/lib64'
 symlink, breaking the loader and preventing any new dynamically linked
 binary to be launched.

This sounds like we want to improve the description of the apt.conf
manpage. I assume your use-case was to disable the binary cache? Maybe
you can suggest a way to make the description clearer to avoid the
issue for others?

As for protecting against this, I attached a patch that makes clean a
bit more careful and fix the example where Dir::Cache::archives= is
empty. But there is only so much we can do, e.g. if someone sets
Dir::Cache=/vmlinuz it's hard to have a programmatic way to detect that
this is a bad idea. But I'm happy to protect against obvious ones
(like Clean(/)).

Cheers,
 Michael

 - - -
 all following tests done on debian testing, up to date on 2014-07-02
 
 current result:
 
 debdev# cat apt.conf 
 Dir::Cache ;
 Dir::Cache::archives ;
 debdev# touch /VERY_SECRET   
 debdev# ls / 
 bin  boot  dev  etc  home  initrd.img  initrd.img.old  lib  lib64  lost+found 
  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var  VERY_SECRET 
  vmlinuz  vmlinuz.old
 debdev# apt-get clean
 debdev# ls / 
 bin  boot  dev  etc  home  lib  lib64  lock  lost+found  media  mnt  opt  
 proc  root  run  sbin  srv  sys  tmp  usr  var
 
 
 reading source code (contrib/configuration.cc) instead of the man page of 
 apt.conf:
 
 debdev# cat apt.conf
 Dir::Cache /dev/null;
 Dir::Cache::archives /dev/null;
 debdev# touch /VERY_SECRET   
 debdev# ls / 
 bin  boot  dev  etc  home  lib  lib64  lock  lost+found  media  mnt  opt  
 proc  root  run  sbin  srv  sys  tmp  usr  var  VERY_SECRET
 debdev# apt-get clean
 debdev# ls / 
 bin  boot  dev  etc  home  lib  lib64  lock  lost+found  media  mnt  opt  
 proc  root  run  sbin  srv  sys  tmp  usr  var  VERY_SECRET
 
 expected result, BUT BUT BUT its not a good idea at all :
 
 debdev# cat /etc/apt/apt.conf
 Dir::Cache /dev/null;
 Dir::Cache::archives /dev/null;
 debdev# ls -l /dev/null
 crw-rw-rw- 1 root root 1, 3 Jul  2 20:11 /dev/null
 debdev# apt-get install libcaca
 Reading package lists... Error!
 E: Write error - write (28: No space left on device)
 E: Can't mmap an empty file
 E: Failed to truncate file - ftruncate (9: Bad file descriptor)
 E: The package lists or status file could not be parsed or opened.
 debdev# ls -l /dev/null
 -rw-r--r-- 1 root root 0 Jul  2 20:17 /dev/null
 debdev# df -h
 Filesystem   Size  Used Avail Use% Mounted on
 /dev/mapper/debdev-root   95G  5.0G   85G   6% /
 udev  10M   10M 0 100% /dev
 tmpfs202M  200K  201M   1% /run
 tmpfs5.0M 0  5.0M   0% /run/lock
 tmpfs403M 0  403M   0% /run/shm
 /dev/sda1228M   80M  137M  37% /boot
 none 4.0K 0  4.0K   0% /sys/fs/cgroup
 
 and finally with attached patch (built without make test because it has 
 other side-effects):
 
 debdev# cat /etc/apt/apt.conf
 Dir::Cache ;
 Dir::Cache::archives ;
 debdev# touch /MYTRALALA
 debdev# ls /
 bin   dev  home  lib64  lost+found  mntopt   root  sbin  sys  usr
 boot  etc  lib   lock media MYTRALALA  proc  run   srv   tmp  var
 debdev# apt-get clean
 E: Ignored empty string directory configuration (would have been expanded to 
 '/' otherwise)
 debdev# ls /
 bin   dev  home  lib64  lost+found  mntopt   root  sbin  sys  usr
 boot  etc  lib   lock media MYTRALALA  proc  run   srv   tmp  var
 
 

 diff --git a/apt-pkg/contrib/configuration.cc 
 b/apt-pkg/contrib/configuration.cc
 index 00f6ad0..3dd63aa 100644
 --- a/apt-pkg/contrib/configuration.cc
 +++ b/apt-pkg/contrib/configuration.cc
 @@ -240,6 +240,11 @@ string Configuration::FindFile(const char *Name,const 
 char *Default) const
  string Configuration::FindDir(const char *Name,const char *Default) const
  {
 string Res = FindFile(Name,Default);
 +   if (Res == )
 +   {
 + _error-Error(_(Ignored empty string directory configuration (would 
 have been expanded to '/' otherwise)));
 + return Res;
 +   }
 if (Res.end()[-1] != '/')
 {
size_t const found = Res.rfind(/dev/null);
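
Review bot: raising the error inside `Configuration::FindDir` makes every directory lookup with an empty value fail, not only the one `apt-get clean` uses, which matches the side effects the submitter mentions when skipping `make test`; the early `return Res;` also still hands the empty string back to the caller. Keep an empty check here only to avoid evaluating `Res.end()[-1]` on an empty string, and put the refusal in the clean code path, where the directory is about to be emptied.
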
 diff --git a/doc/apt.conf.5.xml b/doc/apt.conf.5.xml
 index fcbf20d..e30898c 100644
 --- a/doc/apt.conf.5.xml
 +++ b/doc/apt.conf.5.xml
 @@ -607,8 +607,8 @@ DPkg::Pre-Install-Pkgs {/usr/sbin/dpkg-preconfigure 
 --apt;};
 paraliteralDir::Cache/literal 

Bug#752327: apt: Passes full path to .deb to mkstemp

2014-06-25 Thread Michael Vogt
On Sun, Jun 22, 2014 at 06:25:12PM +0200, Axel Beckert wrote:
 Package: apt
 Version: 1.1~exp1
 Severity: normal

Thanks for your bugreport.
 
 first let me say Yay for apt install file.deb. We can finally get rid
 of gdebi! ;-)

:)
 
 Playing around with this new feature, I ran into the following issue:
 
 # apt install /var/cache/apt/archives/bc_1.06.95-9_amd64.deb
 Reading package lists... Error!
 E: Unable to mkstemp 
 /tmp/deb-file-/var/cache/apt/archives/bc_1.06.95-9_amd64.deb.dqKFUj - 
 GetTempFile (2: No such file or directory)
 E: The package lists or status file could not be parsed or opened.
 
 I think, only the file name but not the full path should be passed to
 mkstemp.

Yeah, thanks for reporting. Currently it can only install in cwd
because of the issue you found and also because / is used as a
commandline modifier for normal packages.

Attached is a patch that fixes it. It would be nice if David could
have a look before I commit, I was pondering if the CacheSet should
have a new ::FromFile() or something instead of putting it into
VersionContainerInterface::FromString.

Cheers,
 Michael
diff --git a/apt-pkg/cacheset.cc b/apt-pkg/cacheset.cc
index 5d7f285..346bad3 100644
--- a/apt-pkg/cacheset.cc
+++ b/apt-pkg/cacheset.cc
@@ -24,6 +24,7 @@
 #include apt-pkg/depcache.h
 #include apt-pkg/macros.h
 #include apt-pkg/pkgcache.h
+#include apt-pkg/fileutl.h
 
 #include stddef.h
 #include stdio.h
@@ -445,6 +446,13 @@ bool VersionContainerInterface::FromString(VersionContainerInterface * const vci
 	   pkgCacheFile Cache, std::string pkg,
 	   Version const fallback, CacheSetHelper helper,
 	   bool const onlyFromName) {
+PackageSet pkgset;
+if(FileExists(pkg))
+{
+PackageContainerInterface::FromString(pkgset, Cache, pkg, helper);
+return VersionContainerInterface::FromPackage(vci, Cache, pkgset.begin(), fallback, helper);
+}
+
 	std::string ver;
 	bool verIsRel = false;
 	size_t const vertag = pkg.find_last_of(/=);
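
Review bot: `if(FileExists(pkg))` runs on the raw argument before any parsing, so a plain package name that happens to match a file in the current working directory is silently treated as a local file, and the `onlyFromName` flag is bypassed for it because the new branch always calls `PackageContainerInterface::FromString`. Restrict this branch to arguments that are explicit paths (starting with `./` or `/`) and tell the user when a local file is used.
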
@@ -453,7 +461,6 @@ bool VersionContainerInterface::FromString(VersionContainerInterface * const vci
 		verIsRel = (pkg[vertag] == '/');
 		pkg.erase(vertag);
 	}
-	PackageSet pkgset;
 	if (onlyFromName == false)
 		PackageContainerInterface::FromString(pkgset, Cache, pkg, helper);
 	else {
diff --git a/apt-pkg/deb/debindexfile.cc b/apt-pkg/deb/debindexfile.cc
index c1c2b72..5717b01 100644
--- a/apt-pkg/deb/debindexfile.cc
+++ b/apt-pkg/deb/debindexfile.cc
@@ -710,7 +710,7 @@ bool debDebPkgFileIndex::Merge(pkgCacheGenerator Gen, OpProgress* Prog) const
ExecWait(Child, Popen);
 
// now write the control data to a tempfile
-   SPtrFileFd DebControl = GetTempFile(deb-file- + DebFile);
+   SPtrFileFd DebControl = GetTempFile(deb-file- + flNotDir(DebFile));
if(DebControl == NULL)
   return false;
DebControl-Write(buf, n);


Bug#705995: squid-deb-proxy: unowned files after purge (policy 6.8, 10.8): /etc/squid-deb-proxy/*.d/10-default

2014-06-24 Thread Michael Vogt
On Thu, Jun 19, 2014 at 02:44:48PM -0700, Vagrant Cascadian wrote:
[..]
 The following patch should fix this, using the same variable names in 
 postinst:
[..]
 Though simply rm -f /etc/squid-deb-proxy/*.d/10-default would be simpler, at
 risk of deleting some randomly created file dropped in some other .d dir and
 happened to be named 10-default...

Thanks a bunch! I merged the patch into my bzr tree and it will be
part of the next upload.

Cheers,
 Michael





Bug#749795: apt: no authentication checks for source packages

2014-06-18 Thread Michael Vogt
On Mon, Jun 16, 2014 at 11:18:27AM +0200, Jakub Wilk wrote:
 * Michael Vogt m...@debian.org, 2014-06-16, 09:35:
 +   _error-Warning(_(The data from '%s' is not signed. All packages from 
 + that repository can not be authenticated.),
 
 s/can not/cannot/
 
 Also, All with a negated verb sounds awkward to me (but that may
 be due to my non-native-englishness). How about:
 
 No packages from that repository can be authenticated.
 
 or simply
 
 Packages from that repository cannot be authenticated.
 
 ?

I like the second string, I updated my branch. Thanks!

Cheers,
 Michael





Bug#751388: apt: Run 'apt list --upgradable' to see them. when no packages can be upgraded

2014-06-18 Thread Michael Vogt
On Thu, Jun 12, 2014 at 01:54:16PM +0200, Jakub Wilk wrote:
 Package: apt
 Version: 1.0.4
 Severity: minor

Thanks for your bugreport.
 
 apt update has just told me:
 
 0 packages can be upgraded. Run 'apt list --upgradable' to see them.
 
 Technically this is true that I can run 'apt list --upgradable' to
 see all of the 0 packages that can be upgraded. But practically the
 advice to run it is a bit useless in this case. :-)

Indeed, I changed that so that apt update now prints:
 All packages are up to date.
when there are 0 upgradable packages.

Cheers,
 Michael

 -- System Information:
 Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
 Architecture: i386 (x86_64)
 Foreign Architectures: amd64
 
 Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
 Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages apt depends on:
 ii  debian-archive-keyring  2012.4
 ii  gnupg   1.4.16-1.1
 ii  libapt-pkg4.12  1.0.4
 ii  libc6   2.19-1
 ii  libgcc1 1:4.9.0-6
 ii  libstdc++6  4.9.0-6
 
 -- 
 Jakub Wilk
 
 
 -- 
 To UNSUBSCRIBE, email to deity-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: https://lists.debian.org/20140612115416.ga4...@jwilk.net
 





Bug#749795: apt: no authentication checks for source packages

2014-06-16 Thread Michael Vogt
On Mon, Jun 16, 2014 at 02:58:28PM +0200, Christoph Anton Mitterer wrote:
 On Mon, 2014-06-16 at 09:35 +0200, Michael Vogt wrote: 
  I think for the future we actually should not allow a apt-get update
  of untrusted repos without --allow-unauthenticated  or
  [trusted=no]. But this will probably break some setups so we need to
  be careful and not rush it.
 
 And what about the setups, which assume secure data to be retrieved (as
 far as I can see the whole build stack of Debian), which is already
 broken now?
 
 Security is much more critical here then things continuing to work... if
 someone's setup really depend on not verifying integrity... he will
 immediately notice (and can add the flag),... but no one notices if his
 security is compromised by MitMs... :-(

 So I see not much of a reason to not implement that right away.

Absolutely, security is (much!) more important.

However with the fix that recently went into -security apt-get source
foo will fail if foo comes from a not-authenticated source. What I
wrote above is about not allowing apt-get update at all for unsigned
repositories (unless --allow-unauthenticated is used). But maybe you
are right and the warning that I added to git should be an error that
tells the user to use --allow-unauthenticated if he/she really wants
to use a repository that we can not authenticate.

Cheers,
 Michael
 





Bug#749795: apt: no authentication checks for source packages

2014-06-16 Thread Michael Vogt
On Fri, May 30, 2014 at 03:21:20PM +0200, Michael Vogt wrote:
[..]
  Hmm. There is no warning suggesting that anything fishy is going on,
  and the exit code indicates success. (Perhaps the Igns could raise
  suspicion of an observant sysadmin. But who knows what Ign exactly
  means? At least the apt-get(1) manpage doesn't know.)
 
 Right, I think apt should show a more prominent warning here. I will
 look into this next.
[..]

I created a git branch that shows a warning if it comes across an
unauthenticated repository:

+   _error-Warning(_(The data from '%s' is not signed. All packages from 
+ that repository can not be authenticated.),
+   MetaIndexURIDesc.c_str());


I think for the future we actually should not allow an apt-get update
of untrusted repos without --allow-unauthenticated  or
[trusted=no]. But this will probably break some setups so we need to
be careful and not rush it.



Cheers,
 Michael





Bug#749795: apt: no authentication checks for source packages

2014-06-12 Thread Michael Vogt
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
 Hi,
 
  apt: no authentication checks for source packages
 
 The Debian security team has assigned CVE-2014-0478 to this issue.
 
 APT developers: we should fix this in wheezy. Are you able to provide an
 update for wheezy for this issue?

Yes, I will work on a backport for this today.

 As for squeeze, if it's not too much extra work it would be great if an
 update for squeeze was also possible. Perhaps it could also even include
 the fix for https://security-tracker.debian.org/tracker/CVE-2011-3634?

I will look into this too, I don't know yet how much extra work it is.

Cheers,
 Michael





Bug#749795: apt: no authentication checks for source packages

2014-06-12 Thread Michael Vogt
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
  apt: no authentication checks for source packages
 
 The Debian security team has assigned CVE-2014-0478 to this issue.
 
 APT developers: we should fix this in wheezy. Are you able to provide an
 update for wheezy for this issue?
[..]

Attached is the fix for wheezy with a regression test, an additional
test run is very welcome (works in my wheezy container both the
testcase and a manual test when removing /var/lib/apt/lists/*Release*).

Cheers,
 Michael
diff -Nru apt-0.9.7.9+deb7u1/cmdline/apt-get.cc 
apt-0.9.7.9+deb7u2/cmdline/apt-get.cc
--- apt-0.9.7.9+deb7u1/cmdline/apt-get.cc   2013-03-01 11:51:21.0 
+0100
+++ apt-0.9.7.9+deb7u2/cmdline/apt-get.cc   2014-06-12 13:35:58.0 
+0200
@@ -1046,25 +1046,8 @@
return true;
 }
/*}}}*/
-// CheckAuth - check if each download comes form a trusted source  /*{{{*/
-// -
-/* */
-static bool CheckAuth(pkgAcquire Fetcher)
+static bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
 {
-   string UntrustedList;
-   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I  
Fetcher.ItemsEnd(); ++I)
-   {
-  if (!(*I)-IsTrusted())
-  {
- UntrustedList += string((*I)-ShortDesc()) +  ;
-  }
-   }
-
-   if (UntrustedList == )
-   {
-  return true;
-   }
-
ShowList(c2out,_(WARNING: The following packages cannot be 
authenticated!),UntrustedList,);
 
if (_config-FindB(APT::Get::AllowUnauthenticated,false) == true)
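Review bot: AuthPrompt is introduced at the top of this hunk without the header comment and fold marker that CheckAuth carries in this file. Add a short header that says what the function does and what a false PromptUser means, so the two helpers are documented the same way.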
@@ -1073,6 +1056,9 @@
   return true;
}
 
+   if (PromptUser == false)
+ return _error-Error(_(Some packages could not be authenticated));
+
if (_config-FindI(quiet,0)  2
 _config-FindB(APT::Get::Assume-Yes,false) == false)
{
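Review bot: the new error "Some packages could not be authenticated" does not tell the user how to proceed. Since this return sits directly after the APT::Get::AllowUnauthenticated check, name --allow-unauthenticated in the message or in the documentation for apt-get source.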
@@ -1090,6 +1076,27 @@
return _error-Error(_(There are problems and -y was used without 
--force-yes));
 }
/*}}}*/
+// CheckAuth - check if each download comes form a trusted source  /*{{{*/
+// -
+/* */
+static bool CheckAuth(pkgAcquire Fetcher, bool PromptUser=true)
+{
+   string UntrustedList;
+   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I  
Fetcher.ItemsEnd(); ++I)
+   {
+  if (!(*I)-IsTrusted())
+  {
+ UntrustedList += string((*I)-ShortDesc()) +  ;
+  }
+   }
+
+   if (UntrustedList == )
+   {
+  return true;
+   }
+
+   return AuthPrompt(UntrustedList, PromptUser);
+}
 // InstallPackages - Actually download and install the packages
/*{{{*/
 // -
 /* This displays the informative messages describing what is going to 
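Review bot: the re-added header comment still reads "comes form a trusted source"; the line is being rewritten anyway, so correct it to "from". A word in the same comment that PromptUser defaults to true, which keeps existing callers interactive, would also help.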
@@ -2483,6 +2490,7 @@
 
// Load the requestd sources into the fetcher
unsigned J = 0;
+   std::string UntrustedList;
for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
{
   string Src;
@@ -2492,6 +2500,9 @@
 delete[] Dsc;
 return _error-Error(_(Unable to find a source package for 
%s),Src.c_str());
   }
+
+  if (Last-Index().IsTrusted() == false)
+ UntrustedList += Src +  ;
   
   string srec = Last-AsStr();
   string::size_type pos = srec.find(\nVcs-);
@@ -2576,6 +2587,10 @@
Last-Index().SourceInfo(*Last,*I),Src);
   }
}
+
+   // check authentication status of the source as well
+   if (UntrustedList !=   !AuthPrompt(UntrustedList, false))
+  return false;

// Display statistics
unsigned long long FetchBytes = Fetcher.FetchNeeded();
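Review bot: the new "return false;" after the AuthPrompt call leaves the function without releasing Dsc, although the "Unable to find a source package" path in the previous hunk does "delete[] Dsc;" before it returns. Free the array here as well.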
diff -Nru apt-0.9.7.9+deb7u1/debian/changelog 
apt-0.9.7.9+deb7u2/debian/changelog
--- apt-0.9.7.9+deb7u1/debian/changelog 2013-11-16 12:47:12.0 +0100
+++ apt-0.9.7.9+deb7u2/debian/changelog 2014-06-12 13:22:44.0 +0200
@@ -1,3 +1,10 @@
+apt (0.9.7.9+deb7u2) wheezy; urgency=low
+
+  * SECURITY UPDATE: apt-get source validation
+- CVE-2014-0478
+
+ -- Michael Vogt m...@debian.org  Thu, 12 Jun 2014 12:47:25 +0200
+
 apt (0.9.7.9+deb7u1) wheezy; urgency=low
 
   * Non-maintainer upload.
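Review bot: the entry is marked urgency=low although it is a SECURITY UPDATE with a CVE, and it does not close the bug it fixes. Consider raising the urgency and adding "(Closes: #749795)" to the apt-get source line.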
diff -Nru apt-0.9.7.9+deb7u1/test/integration/framework 
apt-0.9.7.9+deb7u2/test/integration/framework
--- apt-0.9.7.9+deb7u1/test/integration/framework   2013-03-01 
11:51:21.0 +0100
+++ apt-0.9.7.9+deb7u2/test/integration/framework   2014-06-12 
13:21:11.0 +0200
@@ -130,7 +130,7 @@
mkdir rootdir aptarchive keys
cd rootdir
mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d 
etc/apt/trusted.gpg.d etc/apt/preferences.d
-   mkdir -p var/cache var/lib var/log
+   mkdir -p var/cache var/lib var/log tmp
mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers
touch var/lib/dpkg/available
mkdir -p usr/lib/apt

Bug#749795: apt: no authentication checks for source packages

2014-06-12 Thread Michael Vogt
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
[..]
  apt: no authentication checks for source packages
 
 The Debian security team has assigned CVE-2014-0478 to this issue.
[..]
 As for squeeze, if it's not too much extra work it would be great if an
 update for squeeze was also possible. Perhaps it could also even include
 the fix for https://security-tracker.debian.org/tracker/CVE-2011-3634?

Attached is the debdiff for squeeze. Additional testing welcome (works
in my debian-squeeze environment).

Cheers,
 Michael
diff -Nru apt-0.8.10.3+squeeze1/cmdline/apt-get.cc 
apt-0.8.10.3+squeeze2/cmdline/apt-get.cc
--- apt-0.8.10.3+squeeze1/cmdline/apt-get.cc2011-04-15 09:30:33.0 
+0200
+++ apt-0.8.10.3+squeeze2/cmdline/apt-get.cc2014-06-12 15:03:48.0 
+0200
@@ -959,25 +959,8 @@
return true;
 }
/*}}}*/
-// CheckAuth - check if each download comes form a trusted source  /*{{{*/
-// -
-/* */
-static bool CheckAuth(pkgAcquire Fetcher)
+static bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
 {
-   string UntrustedList;
-   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I  
Fetcher.ItemsEnd(); ++I)
-   {
-  if (!(*I)-IsTrusted())
-  {
- UntrustedList += string((*I)-ShortDesc()) +  ;
-  }
-   }
-
-   if (UntrustedList == )
-   {
-  return true;
-   }
-
ShowList(c2out,_(WARNING: The following packages cannot be 
authenticated!),UntrustedList,);
 
if (_config-FindB(APT::Get::AllowUnauthenticated,false) == true)
@@ -986,6 +969,9 @@
   return true;
}
 
+   if (PromptUser == false)
+ return _error-Error(_(Some packages could not be authenticated));
+
if (_config-FindI(quiet,0)  2
 _config-FindB(APT::Get::Assume-Yes,false) == false)
{
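Review bot: with PromptUser false the function now returns before the -y / --force-yes handling whose error text appears in the next hunk's context, so for apt-get source only APT::Get::AllowUnauthenticated lifts the check and --force-yes does not. If that is intended, state it in the changelog entry.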
@@ -1003,6 +989,27 @@
return _error-Error(_(There are problems and -y was used without 
--force-yes));
 }
/*}}}*/
+// CheckAuth - check if each download comes form a trusted source  /*{{{*/
+// -
+/* */
+static bool CheckAuth(pkgAcquire Fetcher, bool PromptUser=true)
+{
+   string UntrustedList;
+   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I  
Fetcher.ItemsEnd(); ++I)
+   {
+  if (!(*I)-IsTrusted())
+  {
+ UntrustedList += string((*I)-ShortDesc()) +  ;
+  }
+   }
+
+   if (UntrustedList == )
+   {
+  return true;
+   }
+
+   return AuthPrompt(UntrustedList, PromptUser);
+}
 // InstallPackages - Actually download and install the packages
/*{{{*/
 // -
 /* This displays the informative messages describing what is going to 
@@ -2229,6 +2236,7 @@
 
// Load the requestd sources into the fetcher
unsigned J = 0;
+   std::string UntrustedList;
for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
{
   string Src;
@@ -2237,6 +2245,9 @@
   if (Last == 0)
 return _error-Error(_(Unable to find a source package for 
%s),Src.c_str());
   
+  if (Last-Index().IsTrusted() == false)
+ UntrustedList += Src +  ;
+  
   string srec = Last-AsStr();
   string::size_type pos = srec.find(\nVcs-);
   while (pos != string::npos)
@@ -2319,6 +2330,11 @@
   }
}

+   // check authentication status of the source as well
+   if (UntrustedList !=   !AuthPrompt(UntrustedList, false))
+  return false;
+   
+   
// Display statistics
unsigned long long FetchBytes = Fetcher.FetchNeeded();
unsigned long long FetchPBytes = Fetcher.PartialPresent();
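Review bot: the two added lines after "return false;" contain only whitespace, and the hunk at -2237 adds another one after the IsTrusted check. Drop them so the debdiff carries just the authentication check.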
diff -Nru apt-0.8.10.3+squeeze1/debian/changelog 
apt-0.8.10.3+squeeze2/debian/changelog
--- apt-0.8.10.3+squeeze1/debian/changelog  2011-04-15 09:30:33.0 
+0200
+++ apt-0.8.10.3+squeeze2/debian/changelog  2014-06-12 15:07:49.0 
+0200
@@ -1,3 +1,14 @@
+apt (0.8.10.3+squeeze2) squeeze-security; urgency=high
+
+  * SECURITY UPDATE: apt-get source validation (closes: #749795)
+- CVE-2014-0478
+  * SECURITY UPDATE: sensitive information disclosure via incorrect
+hostname validation (LP: #868353)
+- methods/https.cc: properly set CURLOPT_SSL_VERIFYHOST.
+- CVE-2011-3634
+
+ -- Michael Vogt m...@debian.org  Thu, 12 Jun 2014 14:30:59 +0200
+
 apt (0.8.10.3+squeeze1) stable; urgency=low
 
   [ Michael Vogt ]
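Review bot: the CVE-2011-3634 item names the file it changes (methods/https.cc), but the CVE-2014-0478 item does not. Add a matching sub-item for cmdline/apt-get.cc that says the trust state of the source index is now checked before downloading, so both fixes can be located from the changelog.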
diff -Nru apt-0.8.10.3+squeeze1/methods/https.cc 
apt-0.8.10.3+squeeze2/methods/https.cc
--- apt-0.8.10.3+squeeze1/methods/https.cc  2011-04-15 09:30:33.0 
+0200
+++ apt-0.8.10.3+squeeze2/methods/https.cc  2014-06-12 14:32:46.0 
+0200
@@ -143,13 +143,11 @@
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, peer_verify);
 
// ... and hostname against cert CN or subjectAltName
-   int

Bug#747498: python-apt: Please consider adding information templates for blankon

2014-06-06 Thread Michael Vogt
On Fri, May 09, 2014 at 11:36:23AM +, Rahman Yusri Aftian wrote:
 Package: python-apt
 Version: 0.9.3.6
 Severity: normal
 Tags: patch

Thanks for your bugreport.
 
 Dear Maintainer,
 
 I notice that you include settings for debian and ubuntu in the debian
 source package.
 Please consider also including the settings for blankon.

This is added now and will be part of the next upload.

Cheers,
 Michael
 
 -- Package-specific info:
 
 -- (no /usr/share/python-apt/templates/ present) --
 
 -- /usr/share/python-apt/templates/Blankon.mirrors --
 
 #LOC:ID
 http://kambing.ui.ac.id/blankon/
 http://mirror.omadata.com/blankon/
 http://repo.ugm.ac.id/repo/blankon/
 http://buaya.klas.or.id/blankon/
 http://bos.fkip.uns.ac.id/blankon
 http://pandawa.ipb.ac.id/blankon/
 http://dl2.foss-id.web.id/blankon/
 http://shol.vlsm.org/blankon/
 http://openstorage.gunadarma.ac.id/blankon/
 http://debian.rab.co.id/blankon/
 http://singo.ub.ac.id/blankon/
 http://ftp.paudni.kemdiknas.go.id/blankon/
 http://blankon.idrepo.or.id/blankon/
 http://mirror.kioss.undip.ac.id/blankon/
 http://repo.unnes.ac.id/repo/blankon/
 http://kartolo.sby.datautama.net.id/blankon/
 
 -- /usr/share/python-apt/templates/Blankon.info --
 ChangelogURI:
 http://arsip.blankonlinux.or.id/blankon/changelogs/pool/%s/%s/%s/%s_%s/changelog
 
 Suite: tambora
 RepositoryType: deb
 BaseURI: http://arsip.blankonlinux.or.id/blankon/
 MatchURI: arsip.blankonlinux.or.id/blankon
 MirrorsFile-amd64: /usr/share/python-apt/templates/Blankon.mirrors
 MirrorsFile-i386: /usr/share/python-apt/templates/Blankon.mirrors
 Description: Blankon 10.0 'Tambora'
 Component: main
 CompDescription: Officially supported
 CompDescriptionLong: Blankon-supported Free/Open Source software
 Component: extras
 CompDescription: Community-maintained
 CompDescriptionLong: Community-maintained Free/Open Source software
 Component: restricted
 CompDescription: Non-free drivers
 CompDescriptionLong: Proprietary drivers for devices
 Component: extras-restricted
 CompDescription: Restricted software
 CompDescriptionLong: Software restricted by copyright or legal issues
 
 Suite: tambora
 MatchName: .*
 BaseURI: cdrom:\[Blankon.*10.0
 MatchURI: cdrom:\[Blankon.*10.0
 Description: CDROM with Blankon 10.0 'Tambora'
 Available: False
 Component: main
 CompDescription: Officially supported
 Component: restricted
 CompDescription: Restricted copyright
 
 Suite: tambora-security
 ParentSuite: tambora
 RepositoryType: deb
 BaseURI: http://arsip.blankonlinux.or.id/blankon/
 MatchURI: arsip.blankonlinux.or.id/blankon
 Description: Important security updates
 
 Suite: tambora-updates
 ParentSuite: tambora
 RepositoryType: deb
 Description: Recommended updates
 
 Suite: suroboyo
 RepositoryType: deb
 BaseURI: http://arsip.blankonlinux.or.id/blankon/
 MatchURI: arsip.blankonlinux.or.id/blankon
 MirrorsFile-amd64: /usr/share/python-apt/templates/Blankon.mirrors
 MirrorsFile-i386: /usr/share/python-apt/templates/Blankon.mirrors
 Description: Blankon 9.0 'Suroboyo'
 Component: main
 CompDescription: Officially supported
 CompDescriptionLong: Blankon-supported Free/Open Source software
 Component: extras
 CompDescription: Community-maintained
 CompDescriptionLong: Community-maintained Free/Open Source software
 Component: restricted
 CompDescription: Non-free drivers
 CompDescriptionLong: Proprietary drivers for devices
 Component: extras-restricted
 CompDescription: Restricted software
 CompDescriptionLong: Software restricted by copyright or legal issues
 
 Suite: suroboyo
 MatchName: .*
 BaseURI: cdrom:\[Blankon.*9.0
 MatchURI: cdrom:\[Blankon.*9.0
 Description: CDROM with Blankon 9.0 'Suroboyo'
 Available: False
 Component: main
 CompDescription: Officially supported
 Component: restricted
 CompDescription: Restricted copyright
 
 Suite: suroboyo-security
 ParentSuite: suroboyo
 RepositoryType: deb
 BaseURI: http://arsip.blankonlinux.or.id/blankon/
 MatchURI: arsip.blankonlinux.or.id/blankon
 Description: Important security updates
 
 Suite: suroboyo-updates
 ParentSuite: suroboyo
 RepositoryType: deb
 Description: Recommended updates
 
 Suite: rote
 RepositoryType: deb
 BaseURI: http://arsip.blankonlinux.or.id/blankon/
 MatchURI: arsip.blankonlinux.or.id/blankon
 MirrorsFile-amd64: /usr/share/python-apt/templates/Blankon.mirrors
 MirrorsFile-i386: /usr/share/python-apt/templates/Blankon.mirrors
 Description: Blankon 8.0 'Rote'
 Component: main
 CompDescription: Officially supported
 CompDescriptionLong: Blankon-supported Free/Open Source software
 Component: extras
 CompDescription: Community-maintained
 CompDescriptionLong: Community-maintained Free/Open Source software
 Component: restricted
 CompDescription: Non-free drivers
 CompDescriptionLong: Proprietary drivers for devices
 Component: extras-restricted
 CompDescription: Restricted software
 CompDescriptionLong: Software restricted by copyright or legal issues
 
 Suite: rote
 MatchName: .*
 BaseURI: cdrom:\[Blankon.*8.0
 MatchURI: 

Bug#750120: python-apt: Some locales use no-breaking space for LC_NUMBER, so return unicode for SizeToStr

2014-06-06 Thread Michael Vogt
On Sun, Jun 01, 2014 at 09:18:45PM +0200, Odin Hørthe Omdal wrote:
 Package: python-apt
 Version: 0.9.3.5
 Severity: normal
 Tags: upstream l10n patch

Thanks for your bugreport and your patch!
 
 this is on Ubuntu, but this was the closest I could find to the python-apt
 upstream :)
 
 This is breaking the distribution upgrade on my girlfriend's computer
 (since she is using nn_NO.UTF8 as her language).
 
 Ubuntu's upgrading python script is not expecting that the str returned
 will have undecodable chars. This could also be fixed at Ubuntu's
 level, but looking at it, I thought it hit closer to home for
 apt_pkg.size_to_str() to return a ready decoded unicode string to all
 its users.
[..]

Indeed, thanks for this fix! Unfortunately as it is right now it
breaks the API of size_to_str(), i.e. there are probably apps who
expect a type str. So we either need to add a size_to_unicode() or a
kwarg like as_unicode or add a warning in the documentation for the
py2 users.

Cheers,
 Michael





Bug#748922: python-apt: TagFile doesnt close file

2014-06-06 Thread Michael Vogt
On Thu, May 22, 2014 at 11:57:12AM +0200, Johannes Schauer wrote:
 Package: python-apt
 Version: 0.9.3.5
 Severity: normal

Thanks for your bugreport.
 
 Consider the following snippet:
 
 --%---
 import gc
 import os
 import sys
 import apt_pkg
 
 print os.listdir("/proc/self/fd/")
 f = apt_pkg.TagFile(sys.argv[1])
 print os.listdir("/proc/self/fd/")
 del f
 print os.listdir("/proc/self/fd/")
 gc.collect
 print os.listdir("/proc/self/fd/")
 --%---

There is a small typo in the above script. gc.collect should be 
gc.collect().

I verified that the following works and does not leak fds:

import gc
import os
import unittest

import apt_pkg


class LeakTestCase(unittest.TestCase):

    def test_leak(self):
        # clean up the gc first
        gc.collect()
        # see what fds we have
        fds = os.listdir("/proc/self/fd")
        testfile = __file__
        tagf = apt_pkg.TagFile(testfile)
        tagf.step()
        del tagf
        # collect again so the TagFile object is really freed
        gc.collect()
        # ensure fd is closed
        self.assertEqual(fds, os.listdir("/proc/self/fd"))


Unfortunately just doing a del tagf is not enough, the gc call is
needed afterwards. The reason that the del is not enough is that there
is a cyclic reference from the tagf to tagf.section. The
garbage collector breaks it, but a simple del sees a refcount > 0.
This particular case could maybe be fixed by copying the data from the
pkgTagFile to a pkgTagSection instead of letting it operate on the
Buffer of pkgTagFile. But that requires some work (plus additional
memory for the copied data).

Cheers,
 Michael
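
The reference cycle described in the message above can be reproduced without python-apt. This is an added example, not python-apt code and not part of the original message: FdHolder and Section are hypothetical stand-ins for TagFile and its section object, and it shows that del alone leaves the descriptor open when the cycle exists while gc.collect() closes it.

```python
import gc
import os


class Section:
    """Hypothetical stand-in for the section object of a TagFile."""

    def __init__(self, owner):
        # Back-reference to the owner; this is what closes the cycle.
        self.owner = owner


class FdHolder:
    """Hypothetical stand-in for a TagFile: owns a descriptor and a Section."""

    def __init__(self, path, cyclic):
        self.fd = os.open(path, os.O_RDONLY)
        self.section = Section(self if cyclic else None)

    def __del__(self):
        # Runs when the object is freed, either by the refcount reaching
        # zero or by the cyclic garbage collector.
        os.close(self.fd)


def fd_is_open(fd):
    """Return True if fd still refers to an open file in this process."""
    try:
        os.fstat(fd)
        return True
    except OSError:
        return False


def probe(cyclic):
    """Return (open after del, open after gc.collect()) for one holder."""
    was_enabled = gc.isenabled()
    gc.disable()  # keep the automatic collector out of the measurement
    try:
        holder = FdHolder(os.devnull, cyclic)
        fd = holder.fd
        del holder                 # drops the only external reference
        after_del = fd_is_open(fd)
        gc.collect()               # breaks the cycle, if there is one
        after_gc = fd_is_open(fd)
        return after_del, after_gc
    finally:
        if was_enabled:
            gc.enable()


if __name__ == "__main__":
    print("no cycle:", probe(cyclic=False))
    print("cycle:   ", probe(cyclic=True))
```

In a long-running process that parses many files, the cyclic case keeps descriptors open until the collector happens to run, which is why the test in the message calls gc.collect() before comparing the descriptor lists.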





Bug#750528: celery: build-depend on python-sphinxcontrib.issuetracker no longer needed(?)

2014-06-04 Thread Michael Vogt
Source: celery
Version: 3.1.11-1
Severity: minor

Hi,

it appears that with the latest version of sphinx the build-depend on 
python-sphinxcontrib.issuetracker is no longer needed. It builds fine
without and it was removed from requirements/docs.txt too.

Thanks,
 Michael


-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 
'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.0-27-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#749795: apt: no authentication checks for source packages

2014-06-02 Thread Michael Vogt
On Sat, May 31, 2014 at 12:07:48AM +0200, David Kalnischkies wrote:
 On Fri, May 30, 2014 at 03:21:20PM +0200, Michael Vogt wrote:
  From b7f501b5cc8583f61467f0c7a0282acbb88e4b29 Mon Sep 17 00:00:00 2001
  From: Michael Vogt m...@debian.org
  Date: Fri, 30 May 2014 14:47:56 +0200
  Subject: [PATCH] Show unauthenticated warning for source packages as well
  
  This will show the same unauthenticated warning for source packages
  as for binary packages and will not download a source package if
  it is unauthenticated. This can be overriden with
 
 typo: overridden

Thanks, fixed.
 
  +   // check authentication status of the source as well
  +   if (UntrustedList !=   !AuthPrompt(UntrustedList, true))
  +  return false;
 
 As said, I don't think 'apt-get source' should be interactive, so this
 true should be a false, right?
 
 Reasons (as a repeat):
 - it was not interactive before
 - the error message on 'no' talks about install, so we would need a new
   string
 - 'apt-get download' isn't interactive either
 (- it is more in line with your own commit summary)
 
 Counter arguments?
[..]

Good point! No counter arguments, the risk of breaking scripts by
prompting is indeed a good reason not to show the prompt (and we do
the same for download).

I changed it to non-interactive now.

Cheers,
 Michael





Bug#749795: apt: no authentication checks for source packages

2014-05-30 Thread Michael Vogt
On Thu, May 29, 2014 at 11:04:35PM +0200, Jakub Wilk wrote:
 Package: apt
 Version: 1.0.3
 Severity: grave
 Tags: security

Thanks for your bugreport. You raise an important issue, but I agree
with David that it's best if this goes through the security team for
coordination.
 
 I've been investigating how apt behaves when the repository doesn't
 contain any Release signatures (possibly because they were stripped
 off by a man-in-the-middle attacker).
 
 This is what I found out:
 
 | # cat /etc/apt/sources.list
 | deb http://ftp.debian.org/debian/ unstable main
 | deb-src http://ftp.debian.org/debian/ unstable main
 |
 | # apt-get update
 | Ign http://ftp.debian.org unstable InRelease
 | Ign http://ftp.debian.org unstable Release.gpg
 | Get:1 http://ftp.debian.org unstable Release [205 kB]
 | Get:2 http://ftp.debian.org unstable/main Sources [7249 kB]
 | Get:3 http://ftp.debian.org unstable/main amd64 Packages [6758 kB]
 | Fetched 14.2 MB in 29s (479 kB/s)
 | Reading package lists... Done
 |
 | # echo $?
 | 0
 
 Hmm. There is no warning suggesting that anything fishy is going on,
 and the exit code indicates success. (Perhaps the Igns could raise
 suspicion of an observant sysadmin. But who knows what Ign exactly
 means? At least the apt-get(1) manpage doesn't know.)

Right, I think apt should show a more prominent warning here. I will
look into this next.
 
[..]
 So far, so good. However, apt-get happily downloads unauthenticated
 source packages, with no warning:
 
 | $ apt-get source -d nyancat
 | Reading package lists... Done
 | Building dependency tree
 | Reading state information... Done
 | Selected version '1.2.2-1' (unstable) for nyancat
 | Need to get 20.6 kB of source archives.
 | Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) 
 [1782 B]
 | Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) 
 [14.1 kB]
 | Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) 
 [4748 B]
 | Fetched 20.6 kB in 0s (1838 kB/s)
 | Download complete and in download only mode
[..]

Indeed, this is a problem that needs fixing. Attached is a patch that
addresses the issue.

Cheers,
 Michael
From b7f501b5cc8583f61467f0c7a0282acbb88e4b29 Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@debian.org
Date: Fri, 30 May 2014 14:47:56 +0200
Subject: [PATCH] Show unauthenticated warning for source packages as well

This will show the same unauthenticated warning for source packages
as for binary packages and will not download a source package if
it is unauthenticated. This can be overriden with
--allow-unauthenticated

Closes: #749795
---
 apt-private/private-download.cc|  5 +
 apt-private/private-download.h |  6 +
 cmdline/apt-get.cc |  9 
 test/integration/test-apt-get-source-authenticated | 26 ++
 4 files changed, 46 insertions(+)
 create mode 100755 test/integration/test-apt-get-source-authenticated

diff --git a/apt-private/private-download.cc b/apt-private/private-download.cc
index a095f0c..be7d23c 100644
--- a/apt-private/private-download.cc
+++ b/apt-private/private-download.cc
@@ -28,6 +28,11 @@ bool CheckAuth(pkgAcquire Fetcher, bool const PromptUser)
if (UntrustedList == )
   return true;
 
+   return AuthPrompt(UntrustedList, PromptUser);
+}
+
+bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
+{
ShowList(c2out,_(WARNING: The following packages cannot be authenticated!),UntrustedList,);
 
if (_config-FindB(APT::Get::AllowUnauthenticated,false) == true)
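Review bot: AuthPrompt takes UntrustedList as a std::string by value, so the list is copied on each call from CheckAuth. Pass it as a const reference; the visible body only hands it to ShowList.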
diff --git a/apt-private/private-download.h b/apt-private/private-download.h
index a108aa5..a90ac7e 100644
--- a/apt-private/private-download.h
+++ b/apt-private/private-download.h
@@ -5,7 +5,13 @@
 
 class pkgAcquire;
 
+// Check if all files in the fetcher are authenticated
 APT_PUBLIC bool CheckAuth(pkgAcquire Fetcher, bool const PromptUser);
+
+// show a authentication warning prompt and return true if the system
+// should continue
+APT_PUBLIC bool AuthPrompt(std::string UntrustedList, bool const PromptUser);
+
 APT_PUBLIC bool AcquireRun(pkgAcquire Fetcher, int const PulseInterval, bool * const Failure, bool * const TransientNetworkFailure);
 
 #endif
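Review bot: the comment added above AuthPrompt reads "show a authentication warning prompt" and does not say what PromptUser controls. Fix the article to "an" and document the parameter, since the function is exported with APT_PUBLIC and will be called from outside this file.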
diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index 0f18b0e..d74d6d5 100644
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -76,6 +76,7 @@
 #include stdio.h
 #include stdlib.h
 #include string.h
+#include sys/ioctl.h
 #include sys/stat.h
 #include sys/statfs.h
 #include sys/statvfs.h
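Review bot: the added include of sys/ioctl.h is not used by anything in the hunks shown and is not mentioned in the commit message. If it is unrelated to the authentication check, drop it from this patch.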
@@ -755,6 +756,7 @@ static bool DoSource(CommandLine CmdL)
 
// Load the requestd sources into the fetcher
unsigned J = 0;
+   std::string UntrustedList;
for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
{
   string Src;
@@ -763,6 +765,9 @@ static bool DoSource(CommandLine CmdL)
   if (Last == 0) {
 	 return _error-Error(_(Unable to find a source package for %s),Src.c_str
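
The condition in the report above (InRelease and Release.gpg both "Ign", Release fetched, exit status 0) can be detected from the update output itself. This is an added example, not code from apt or from this thread; it assumes the line layout printed by the apt version in the report, and the example.org and example.net repositories in the sample are constructed.

```python
import re

# Line layout assumed from the report above (apt 1.0.3):
#   <Ign|Hit|Err|Get:N> <base URI> <suite>[/<component>] <file ...> [size]
LINE = re.compile(r"^(Ign|Hit|Err|Get:\d+)\s+(\S+)\s+(\S+)\s+(.+)$")
META_FILES = ("InRelease", "Release.gpg", "Release")

# First five lines are the output quoted in the report; the example.org and
# example.net lines are constructed to cover a signed repository and one
# that serves no Release file at all.
SAMPLE_OUTPUT = """\
Ign http://ftp.debian.org unstable InRelease
Ign http://ftp.debian.org unstable Release.gpg
Get:1 http://ftp.debian.org unstable Release [205 kB]
Get:2 http://ftp.debian.org unstable/main Sources [7249 kB]
Get:3 http://ftp.debian.org unstable/main amd64 Packages [6758 kB]
Hit http://mirror.example.org stable InRelease
Hit http://mirror.example.org stable/main amd64 Packages
Ign http://unsigned.example.net testing InRelease
Ign http://unsigned.example.net testing Release.gpg
Ign http://unsigned.example.net testing Release
Get:4 http://unsigned.example.net testing/main amd64 Packages [1024 B]
Fetched 14.2 MB in 29s (479 kB/s)
Reading package lists... Done
"""


def audit_update_output(output):
    """Map (uri, suite) to a reason for every repository that was updated
    without any signature file being fetched or found cached.

    This only detects a *missing* signature, the case from the report.
    A signature that is present but fails verification is reported by apt
    itself and is out of scope here.
    """
    seen = {}  # (uri, suite) -> {meta file name: obtained?}
    for raw in output.splitlines():
        match = LINE.match(raw.strip())
        if match is None:
            continue  # summary lines such as "Fetched ..." are skipped
        status, uri, target, rest = match.groups()
        suite = target.split("/", 1)[0]
        files = seen.setdefault((uri, suite), {})
        name = rest.split()[0]
        # Release metadata is listed against the bare suite, index files
        # (Packages, Sources) against suite/component.
        if "/" not in target and name in META_FILES:
            obtained = status == "Hit" or status.startswith("Get:")
            files[name] = files.get(name, False) or obtained

    findings = {}
    for repo, files in seen.items():
        if files.get("InRelease") or files.get("Release.gpg"):
            continue  # some signature was obtained for this suite
        if files.get("Release"):
            findings[repo] = "Release fetched without a signature"
        else:
            findings[repo] = "no Release file and no signature"
    return findings


if __name__ == "__main__":
    for (uri, suite), reason in sorted(audit_update_output(SAMPLE_OUTPUT).items()):
        print("UNAUTHENTICATED %s %s: %s" % (uri, suite, reason))
```

Run over a captured update log, a non-empty result is the signal the report says was missing: the update exited 0, yet the listed suites have no verified Release data behind their package lists.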

Bug#748389: apt: verbose option

2014-05-22 Thread Michael Vogt
On Fri, May 16, 2014 at 10:10:07PM +0200, Reiner wrote:
 Package: apt
 Version: 1.0.3
 Severity: wishlist

Thanks for your bugreport.
 
 it would be nice to get a verbose option in apt similar aptitude -v update 
 like this:
 
 apt -v update
 Hit ...
 Hit ...
 Current status: 0 broken [+0], 3 updates [+0], 42665 new [+0].

I added a similar feature to my feature/apt-update-info git branch,
apt does not currently track what packages are new so that's
missing. Would be good to have this directly in libapt though.

Cheers,
 Michael
 
 Thank you.
 
 -- Package-specific info:
 
 -- apt-config dump --
 
 

Bug#747566: synaptic: Filtered list rendered incorrectly after refresh

2014-05-10 Thread Michael Vogt
On Fri, May 09, 2014 at 09:22:44PM -0400, Scott Talbert wrote:
 Package: synaptic
 Version: 0.81.1
 Severity: normal

Thanks for your bugreport.
 
 Problem originally reported in Ubuntu (#1309369) but reproducible in Debian
 unstable:
 
 1) Open Synaptic
 2) (with apt-xapian-index) Search for something in Quick filter
 3) Choose a package and mark it for changed status
 4) List refreshes and item count is the same but these are phantom items 
 from the top of this same listing, but as if it was not filtered
 5) Move cursor over the list and the real items are revealed

I can reproduce this only sometimes, I think the attached patch fixes
it, it would be great if you (or someone else) could confirm, then I
can push an update to debian and ubuntu.

Thanks,
 Michael
 
 -- System Information:
 Debian Release: jessie/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
 Architecture: amd64 (x86_64)
 
 Kernel: Linux 3.14-1-amd64 (SMP w/1 CPU core)
 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages synaptic depends on:
 ii  hicolor-icon-theme   0.13-1
 ii  libapt-inst1.5   1.0.3
 ii  libapt-pkg4.12   1.0.3
 ii  libatk1.0-0  2.12.0-1
 ii  libc62.18-5
 ii  libcairo-gobject21.12.16-2
 ii  libcairo21.12.16-2
 ii  libept1.4.12 1.0.12
 ii  libgcc1  1:4.9.0-2
 ii  libgdk-pixbuf2.0-0   2.30.7-1
 ii  libglib2.0-0 2.40.0-3
 ii  libgtk-3-0   3.12.1-1
 ii  libpango-1.0-0   1.36.3-1
 ii  libpangocairo-1.0-0  1.36.3-1
 ii  libstdc++6   4.9.0-2
 ii  libvte-2.90-91:0.36.1-1
 ii  libx11-6 2:1.6.2-1
 ii  libxapian22  1.2.17-1
 ii  libxext6 2:1.3.2-1
 ii  zlib1g   1:1.2.8.dfsg-1
 
 Versions of packages synaptic recommends:
 ii  libgtk2-perl   2:1.2491-1
 ii  policykit-10.105-5
 ii  rarian-compat  0.8.1-5
 
 Versions of packages synaptic suggests:
 ii  apt-xapian-index 0.46
 pn  deborphannone
 pn  dwww none
 pn  menu none
 pn  software-properties-gtk  none
 ii  tasksel  3.20
 
 -- no debconf information
=== modified file 'gtk/rgmainwindow.cc'
--- gtk/rgmainwindow.cc	2014-03-18 19:58:18 +
+++ gtk/rgmainwindow.cc	2014-05-10 20:00:10 +
@@ -321,6 +321,9 @@
   GTK_TREE_MODEL(_pkgList));
}
 
+   // debian bug #747566
+   gtk_widget_queue_draw(_treeView);
+
 #if 0
// set selected pkg to be selected again
if(selectedPkg != NULL) {
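Review bot: the comment above gtk_widget_queue_draw gives only the bug number. Say what the redraw works around (stale rows shown after the model is set again on a filtered list), so the call is not removed later as redundant.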



Bug#726163: multiarch upgrade issue

2014-05-05 Thread Michael Vogt
On Wed, Apr 30, 2014 at 04:14:37PM +0200, Jelmer Vernooij wrote:
 Hi Michael,
Hi Jelmer,

[..]
  3. move libpytalloc-util.so.2 into its own libtalloc2-python (or
 similar) package
 I think this is the most reasonable option, though it's a pity we'd have to
 package something so small separately.
[..]
  I'm happy to work on a patch to get rid of the python-talloc
  dependency and unblock the multiarch upgrade, but I would like to hear
  from you what option you prefer.
 
 Hope this helps,

It did, thanks a bunch! Attached is a small patch for option 3 that
separates the libpytalloc-util.so.2 into a new libtalloc2-pylibs
package.

Feedback, especially on the package name would be great as I would
like to apply this on Ubuntu as well and don't want to diverge on the
packagename of course :)

Cheers,
 Michael
diff -Nru talloc-2.1.0/debian/changelog talloc-2.1.0/debian/changelog
--- talloc-2.1.0/debian/changelog   2014-04-21 14:47:47.0 +0200
+++ talloc-2.1.0/debian/changelog   2014-05-05 08:10:02.0 +0200
@@ -1,3 +1,12 @@
+talloc (2.1.0-3) unstable; urgency=low
+
+  * debian/control:
+- move libpytalloc-util.so.2 into its own library package
+  to support multiarch upgrades of e.g. libsmbclient
+  (LP: #1308657)
+
+ -- Michael Vogt michael.v...@ubuntu.com  Mon, 05 May 2014 08:07:41 +0200
+
 talloc (2.1.0-2) unstable; urgency=medium
 
   * Change maintainer to Samba Debian maintainers.
diff -Nru talloc-2.1.0/debian/control talloc-2.1.0/debian/control
--- talloc-2.1.0/debian/control 2014-04-21 14:47:47.0 +0200
+++ talloc-2.1.0/debian/control 2014-05-05 08:23:54.0 +0200
@@ -42,6 +42,20 @@
  .
  This package contains the development files.
 
+Package: libtalloc2-pylibs
+Multi-Arch: same
+Pre-Depends: ${misc:Pre-Depends}
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Section: libs
+Breaks: python-talloc ( 2.1.0-3)
+Replaces: python-talloc ( 2.1.0-3)
+Description: hierarchical pool based memory allocator - Python helper library
+ A hierarchical pool based memory allocator with destructors. It uses
+ reference counting to determine when memory should be freed.
+ .
+ This package contains the shared libraries for Python support.
+
 Package: python-talloc
 Pre-Depends: ${misc:Pre-Depends}
 Architecture: any
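Review bot: The new Package: name libtalloc2-pylibs does not follow the SONAME of the single library it ships, libpytalloc-util.so.2; the usual Debian library naming would give libpytalloc-util2, which also keeps the package name stable if the SONAME of libtalloc itself changes independently. The python-talloc stanza is not touched in this hunk, so also check that python-talloc still pulls in the new package through ${shlibs:Depends} once the library has moved out of it.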
diff -Nru talloc-2.1.0/debian/libtalloc2-pylibs.install 
talloc-2.1.0/debian/libtalloc2-pylibs.install
--- talloc-2.1.0/debian/libtalloc2-pylibs.install   1970-01-01 
01:00:00.0 +0100
+++ talloc-2.1.0/debian/libtalloc2-pylibs.install   2014-05-05 
08:14:53.0 +0200
@@ -0,0 +1 @@
+usr/lib/*/libpytalloc-util.so.*
diff -Nru talloc-2.1.0/debian/libtalloc2-pylibs.symbols 
talloc-2.1.0/debian/libtalloc2-pylibs.symbols
--- talloc-2.1.0/debian/libtalloc2-pylibs.symbols   1970-01-01 
01:00:00.0 +0100
+++ talloc-2.1.0/debian/libtalloc2-pylibs.symbols   2014-05-05 
08:14:44.0 +0200
@@ -0,0 +1,11 @@
+libpytalloc-util.so.2 #PACKAGE# #MINVER#
+ PYTALLOC_UTIL_2.0.6@PYTALLOC_UTIL_2.0.6 2.0.6
+ PYTALLOC_UTIL_2.0.7@PYTALLOC_UTIL_2.0.7 2.0.7
+ PYTALLOC_UTIL_2.0.8@PYTALLOC_UTIL_2.0.8 2.0.8
+ PYTALLOC_UTIL_2.1.0@PYTALLOC_UTIL_2.1.0 2.1.0
+ pytalloc_CObject_FromTallocPtr@PYTALLOC_UTIL_2.0.6 2.0.6
+ pytalloc_Check@PYTALLOC_UTIL_2.0.6 2.0.6
+ pytalloc_GetObjectType@PYTALLOC_UTIL_2.0.6 2.0.6
+ pytalloc_reference_ex@PYTALLOC_UTIL_2.0.6 2.0.6
+ pytalloc_steal@PYTALLOC_UTIL_2.0.6 2.0.6
+ pytalloc_steal_ex@PYTALLOC_UTIL_2.0.6 2.0.6
diff -Nru talloc-2.1.0/debian/python-talloc.install 
talloc-2.1.0/debian/python-talloc.install
--- talloc-2.1.0/debian/python-talloc.install   2014-04-21 14:47:47.0 
+0200
+++ talloc-2.1.0/debian/python-talloc.install   2014-05-05 08:14:12.0 
+0200
@@ -1,2 +1 @@
 usr/lib/python*/*-packages/talloc.so
-usr/lib/*/libpytalloc-util.so.*
diff -Nru talloc-2.1.0/debian/python-talloc.symbols 
talloc-2.1.0/debian/python-talloc.symbols
--- talloc-2.1.0/debian/python-talloc.symbols   2014-04-21 14:47:47.0 
+0200
+++ talloc-2.1.0/debian/python-talloc.symbols   2014-05-05 08:14:36.0 
+0200
@@ -1,13 +1,2 @@
-libpytalloc-util.so.2 #PACKAGE# #MINVER#
- PYTALLOC_UTIL_2.0.6@PYTALLOC_UTIL_2.0.6 2.0.6
- PYTALLOC_UTIL_2.0.7@PYTALLOC_UTIL_2.0.7 2.0.7
- PYTALLOC_UTIL_2.0.8@PYTALLOC_UTIL_2.0.8 2.0.8
- PYTALLOC_UTIL_2.1.0@PYTALLOC_UTIL_2.1.0 2.1.0
- pytalloc_CObject_FromTallocPtr@PYTALLOC_UTIL_2.0.6 2.0.6
- pytalloc_Check@PYTALLOC_UTIL_2.0.6 2.0.6
- pytalloc_GetObjectType@PYTALLOC_UTIL_2.0.6 2.0.6
- pytalloc_reference_ex@PYTALLOC_UTIL_2.0.6 2.0.6
- pytalloc_steal@PYTALLOC_UTIL_2.0.6 2.0.6
- pytalloc_steal_ex@PYTALLOC_UTIL_2.0.6 2.0.6
 talloc.so #PACKAGE# #MINVER#
  inittalloc@Base 2.0.6


Bug#747094: bash-completion: [patch] add support for the new apt command

2014-05-05 Thread Michael Vogt
Package: bash-completion
Version: 1:2.1-4
Severity: wishlist
Tags: patch

Hi,

please consider adding bash completion support for the new apt command.
I filed a bug upstream with a patch some days ago:
https://alioth.debian.org/tracker/index.php?func=detail&aid=314652&group_id=100114&atid=413095

The diff itself is here
https://alioth.debian.org/tracker/download.php/100114/413095/314652/6460/0001-add-bash-completions-for-the-new-apt-command.patch

Maybe we can add it as a distro patch until it's merged upstream? I'm
happy to provide a debdiff if that helps.

Thanks,
 Michael


-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 
'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.0-22-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bash-completion depends on:
ii  bash  4.3-6ubuntu1
ii  dpkg  1.17.5ubuntu5.2

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information





Bug#746200: apt: Apt-get install doesn't respect /target_release

2014-04-30 Thread Michael Vogt
On Sun, Apr 27, 2014 at 06:15:21PM -0500, Wayne Rowcliffe wrote:
 Package: apt
 Version: 1.0.2
 Severity: normal

Thanks for your bugreport.
 
 With the recent upgrade of apt to 1.0, /target_release flags do not seem
 to have any effect.
 
 For my particular situation, I am trying to upgrade gnome to use 3.12.
 This involves pulling packages from both experimental and unstable. So I
 attempt to do: `apt-get install gnome-shell/experimental
 empathy/unstable`, etc. However, when I do this apt seems to completely
 ignore the flags and instead tries to install the versions from testing.
 
 I have used this method many times in the past to specify a set of
 packages from different releases that won't conflict with each other.
 Since the upgrade to apt 1.0, I am not able to.
[..]

Could you include the output of some examples where it fails for you
please? We have some testcases that cover this feature and they are
still working, so it would be good to know some more details how to
reproduce the issue.

Thanks,
 Michael





Bug#746434: apt: new apt breaks a shell script by reading from standard input when it shouldn't

2014-04-30 Thread Michael Vogt
On Tue, Apr 29, 2014 at 10:40:52PM +, Gianluca Borello wrote:
 Package: apt
 Version: 1.0.2
 Severity: normal

Thanks for your bugreport.
 
 I have an automated installation script that doesn't work anymore on Sid. 
 This is a snippet of code:
 
 #!/bin/bash
 
 apt-get -qq -y install iftop
 neverexecuted
 
 If executed by piping it to bash, the very first time (when the package is 
 not installed), I get:
[..]

I can reproduce this and bisected it to commit 872816. The attached
diff fixes it for me, would be great if you could confirm.


Cheers,
 Michael
diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc
index 959d064..bc86258 100644
--- a/apt-pkg/deb/dpkgpm.cc
+++ b/apt-pkg/deb/dpkgpm.cc
@@ -1239,9 +1239,9 @@ bool pkgDPkgPM::Go(int OutStatusFd)
   // if tcgetattr does not return zero there was a error
   // and we do not do any pty magic
   _error-PushToStack();
-  if (tcgetattr(STDOUT_FILENO, tt) == 0)
+  if (tcgetattr(STDIN_FILENO, tt) == 0)
   {
-	 ioctl(0, TIOCGWINSZ, (char *)win);
+	 ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)win);
 	 if (openpty(master, slave, NULL, tt, win)  0)
 	 {
 	_error-Errno(openpty, _(Can not write log (%s)), _(Is /dev/pts mounted?));
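Review bot: The condition now tests only STDIN_FILENO, so the pty is still set up when stdin is a terminal but stdout is redirected to a file or pipe, which is the case the replaced STDOUT_FILENO test handled. Consider requiring both (tcgetattr on stdin succeeding and stdout being a tty) and adding an integration test that pipes a two-line script into a shell, so the regression bisected to 872816 stays covered. The return value of ioctl(STDIN_FILENO, TIOCGWINSZ, ...) is also unchecked, which leaves win unset if the call fails.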

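The failure mode reported in Bug#746434 above, reproduced with a stand-in, as an added example that is not part of the original thread: `cat` plays the role of a child process that drains standard input (an assumption standing in for apt-get), and all variable and function names are hypothetical. It shows the unguarded script next to two defensive forms an installer script piped into bash can use regardless of how the tool behaves.

```shell
#!/bin/bash
# Constructed demonstration: a script fed to bash over a pipe shares its
# standard input with every child it starts. A child that reads stdin
# swallows the not-yet-parsed remainder of the script.

# Script body as it would arrive on the pipe (constructed sample).
# `cat >/dev/null` stands in for the tool that reads stdin.
unguarded='cat >/dev/null
echo reached'

# Defensive form 1: give the child /dev/null as stdin, so it cannot
# consume the rest of the script.
redirected='cat </dev/null >/dev/null
echo reached'

# Defensive form 2: wrap the body in a brace group. bash has to parse up
# to the closing brace before it runs anything, so the whole body is
# already in memory when the child starts reading.
grouped='{
cat >/dev/null
echo reached
}'

# Feed a script text to bash over a pipe and return what it printed.
run_piped() {
    printf '%s\n' "$1" | bash
}

# Stand-alone run: show which variants get past the stdin-reading child.
for name in unguarded redirected grouped; do
    out=$(run_piped "${!name}")
    printf '%-10s -> %s\n' "$name" "${out:-<second line never ran>}"
done
```

The brace-group form also protects against a truncated download, because bash reports a syntax error instead of running a partial body.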

Bug#726163: multiarch upgrade issue

2014-04-30 Thread Michael Vogt
Hi,

just wanted to mention that the current dependency of libsmbclient to
python-talloc causes a regression when upgrading from a samba3 based
libsmbclient to a samba4 based libsmbclient in certain multiarch
environments.

The problem is that libsmbclient:i386 and libsmbclient:amd64 can be
co-installed with samba3 but no longer with samba4 because of the
python-talloc dependency. Right now samba-libs contains a dependency
on libpytalloc-util.so.2 library which is part of python-talloc.
See https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/1308657 for
the details.

The options are:
1. move libpytalloc-util.so.2 to libtalloc2
2. move /usr/lib/x86_64-linux-gnu/samba/libsamba_python.so.0 to
   samba-python
3. move libpytalloc-util.so.2 into its own libtalloc2-python (or
   similar) package

I don't know enough about the samba4 packaging to have a strong
opinion, but it seems like (1) is a reasonable solution as it does not
require changing existing dependencies. It would mean a tiny
additional lib (libpytalloc-util.so.2 - 11k on my system) in
libtalloc2 that not everyone needs.

I'm happy to work on a patch to get rid of the python-talloc
dependency and unblock the multiarch upgrade, but I would like to hear
from you what option you prefer.


Cheers,
 Michael





Bug#745992: Please add the attached systemd service file

2014-04-28 Thread Michael Vogt
On Sun, Apr 27, 2014 at 12:12:05AM +0200, Michael Stapelberg wrote:
 Package: unattended-upgrades
 Version: 0.82.6
 Severity: wishlist
 User: pkg-systemd-maintain...@lists.alioth.debian.org 
 Usertags: systemd-units 

Thanks for your bugreport and your patch!
 
 Dear maintainer,
 
 please add the attached systemd service file.
[..]

This is merged and will be part of the next upload.

Thanks,
 Michael 





Bug#745726: apt: shell is left colored when abborting colored output of apt

2014-04-25 Thread Michael Vogt
On Thu, Apr 24, 2014 at 03:44:28PM +0200, Sven Bartscher wrote:
 Package: apt
 Version: 1.0.1
 Severity: minor

Thanks for your bugreport.
 
 When pressing ctrl+c to interrupt apt while downloading packages the color
 doesn't get reset for the rest of the shell session. So the shell is colored
 orange until the color is set to something else.

This is fixed in git and will be part of the next upload.

Cheers,
 Michael

 -- Package-specific info:
 
 -- apt-config dump --
 
 

Bug#745487: apt python library leak memory and file descriptors

2014-04-23 Thread Michael Vogt
On Tue, Apr 22, 2014 at 11:23:24AM +0200, Petter Reinholdtsen wrote:
 Package: python-apt
 Version: 0.8.8.2
 Severity: important

Thanks for your bugreport.
 
 Since I wrote the isenkram package, it has been plagued with a nasty
 resource leak.  It leaks memory and file descriptors every time some
 hardware is inserted.  The amount of leaked memory varies, but seems to
 be 30-40 MiB every time.  The amount of file descriptors depends on the
 number of APT sources listed in /etc/apt/.
 URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730704 
 is an example of what happens when the process runs out of file
 descriptors, and
 URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719837  is the
 initial report about leaking memory.

This is a good test scenario, afaik python-apt is not being used in
daemons so far.

 I've been able to track down the problem to the python-apt library, and
 the following test program demonstrates the leak:
 
   #!/usr/bin/python
   import apt
   while True:
       cache = apt.Cache()
       cache.open(None)
 
 When left alone running for a while, it crashes like this:
 
   % ./apt-leak.py 
   Traceback (most recent call last):
 File ./apt-leak.py, line 6, in module
   cache.open(None)
 File /usr/lib/python2.7/dist-packages/apt/cache.py, line 147, in open
   self._records = apt_pkg.PackageRecords(self._cache)

Thanks for this demo, I can reproduce the issue with it. However, if I
change it a little bit and force the python garbage collector there
seems to be no leak (or a small memory leak but no fd leak).

#!/usr/bin/python

import gc
import os
import timeit

import apt

def show_resource_stats():
    # first two fields of statm: total program size and resident set size
    mem = open("/proc/self/statm").read().strip().split()[0:2]
    open_fds = len(os.listdir("/proc/self/fd/"))
    print("mem: %s" % mem)
    print("open fds: %s" % open_fds)



if __name__ == "__main__":
    i=0
    while True:
        cache = apt.Cache()
        cache.open()
        i += 1
        if i%10 == 0:
            print("\nAfter %s runs" % i)
            show_resource_stats()
            # force a collection and print how long it took
            print(timeit.timeit(gc.collect, number=1))
            print("After collect:")
            show_resource_stats()


I see numbers like:

After 20 runs
mem: ['181774', '165966']
open fds: 653
0.236461877823
After collect:
mem: ['68298', '57910']
open fds: 63

After 30 runs
mem: ['181774', '165980']
open fds: 653
0.229271888733
After collect:
mem: ['68938', '58564']
open fds: 63


Mem is size (VmSize) first and resident (VmRSS) second.

I suspect that the behavior without running the GC is caused by the
way we handle the pkgCache and pkgDepCache internally. Both are
managed via a CacheFile and it seems that a del of the
pkgCache/pkgDepCache leave the CacheFile (that really has the
resources open) with zero references, but the resources are only
really freed once the GC runs. This needs some investigation in the
python/cache.cc code to see if we can explicitly trigger the free.

 Am I using the library wrong (ie should I do something to release the
 resources when I am done with the cache), or is it a bug in the library
 leaking memory and file descriptors?
 
 Setting severity to important.  I guess one could argue that it should
 be critical because it causes isenkram to fail, but that severity seemed
 a bit high when I do not know if I am using the library wrong or not.

Even if you would use the library wrong I would argue it's a bug
because the library should work well in the simple test case you
provided. 

Cheers,
 Michael


Bug#744297: apt: doesn't reset colors after Ctrl+C

2014-04-22 Thread Michael Vogt
On Sat, Apr 12, 2014 at 05:48:55PM +0200, Jakub Wilk wrote:
 Package: apt
 Version: 1.0.1
 Severity: minor

Thanks for your bugreport.
 
 When I press Ctrl+C when apt is working, it doesn't reset colors,
 leaving my shell prompt yellowish. See the attached screenshot.

This is fixed in the git tree and it will be part of the next upload.

Cheers,
 Michael





Bug#745120: apt: [INTL] Updated Thai program translation

2014-04-22 Thread Michael Vogt
On Sun, Apr 20, 2014 at 09:42:52AM +0700, Theppitak Karoonboonyanan wrote:
 On Fri, Apr 18, 2014 at 9:31 PM, David Kalnischkies
 da...@kalnischkies.de wrote:
 
  Refreshing the po file (attached) with the latest git reveals a fuzzy
  string (changing 'record' to 'version'), so I would like to ask if you
  could update accordingly so that we have 100% translated for th. :)
 
 Here you are. I've also fixed a few other translations with this.
[..]

Thanks! Merged to git and will be part of the next upload.

Cheers,
 Michael





Bug#745452: apt: Consistently use Dpkg::Progress* in documentation

2014-04-22 Thread Michael Vogt
On Mon, Apr 21, 2014 at 04:54:04PM -0400, James McCoy wrote:
 Package: apt
 Version: 1.0.1
 Severity: minor

Thanks for your bugreport and your patch.
 
 Dear Maintainer,
 
 Apt's documentation refers to DpkgPM::Progress, Dpkg::Progress-Fancy,
 and DpkgPM::Progress-Fancy.  DpkgPM::Progress was renamed to
 Dpkg::Progress in 6c5ae8ed, although the former is still understood for
 backwards-compatibility, and DpkgPM::Progress-Fancy was renamed to
 Dpkg::Progress-Fancy in 1c6089d7.
 
 The attached patch updates the documentation to consistently use the
 Dpkg:: variants of the options.

Thanks for the cleanup, I merged your patch and it will be part of the
next upload.

Cheers,
 Michael
 
 -- Package-specific info:
 
 -- (no /etc/apt/preferences present) --
 
 
 -- (/etc/apt/sources.list present, but not submitted) --
 
 
 -- System Information:
 Debian Release: jessie/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
 Architecture: amd64 (x86_64)
 Foreign Architectures: i386
 
 Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages apt depends on:
 ii  debian-archive-keyring  2012.4
 ii  gnupg   1.4.16-1.1
 ii  libapt-pkg4.12  1.0.1
 ii  libc6   2.18-4
 ii  libgcc1 1:4.9-20140411-2
 ii  libstdc++6  4.9-20140411-2
 
 apt recommends no packages.
 
 Versions of packages apt suggests:
 pn  apt-doc none
 ii  aptitude0.6.10-1
 ii  dpkg-dev1.17.6
 ii  python-apt  0.9.3.5
 
 -- no debconf information

 From 10bc7148eedba84b237b3b91b41f97dc5596db80 Mon Sep 17 00:00:00 2001
 From: James McCoy james...@debian.org
 Date: Mon, 21 Apr 2014 16:35:28 -0400
 Subject: [PATCH] Consistently use Dpkg::Progress* in documentation
 
 Signed-off-by: James McCoy james...@debian.org
 ---
  doc/apt-get.8.xml | 2 +-
  doc/apt.8.xml | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml
 index 1ed0890..a3bfc33 100644
 --- a/doc/apt-get.8.xml
 +++ b/doc/apt-get.8.xml
 @@ -536,7 +536,7 @@
   terminal window when packages are installed, upgraded or
   removed. For a machine parsable version of this data see
   README.progress-reporting in the apt doc directory.
 - Configuration Item: literalDpkgPM::Progress/literal and 
 literalDpkg::Progress-Fancy/literal./para/listitem
 + Configuration Item: literalDpkg::Progress/literal and 
 literalDpkg::Progress-Fancy/literal./para/listitem
   /varlistentry
  
  
 diff --git a/doc/apt.8.xml b/doc/apt.8.xml
 index 85e7276..bcad5ee 100644
 --- a/doc/apt.8.xml
 +++ b/doc/apt.8.xml
 @@ -148,7 +148,7 @@
   
   itemizedlist
 listitem
 - paraThe option literalDPkgPM::Progress-Fancy/literal is enabled.
 + paraThe option literalDPkg::Progress-Fancy/literal is enabled.
   /para
 /listitem
 listitem
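Review bot: In the apt.8.xml hunk the replacement line spells the option DPkg::Progress-Fancy, while the apt-get.8.xml hunk and the commit subject use Dpkg::Progress-Fancy. Since the stated goal is consistent naming across the documentation, use one capitalisation in both files.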
 -- 
 1.9.2
 





Bug#745130: apt should tell if updates are available

2014-04-22 Thread Michael Vogt
On Fri, Apr 18, 2014 at 05:13:46PM +0200, David Kalnischkies wrote:
 On Fri, Apr 18, 2014 at 02:44:06PM +0530, shirish शिरीष wrote:
  I tried apt few days back and it's refreshing from aptitude in the
  sense it doesn't take as many resources as aptitude to update the
  index. There is one issue though, it doesn't tell if there are any
  updates and I have to manually run aptitude safe-upgrade in order to
  figure out if there are any updates or not.
 […]
  Unlike aptitude, apt doesn't tell if there are any updates. Just
  having that info. would make my life much easier.
 
 Could you perhaps mention what sort of info that might be and in which
 form? Also what 'updates' are in this context depends on which
 operation will be used to apply these updates (think: ugrade vs.
 dist-upgrade), so I would tend to say no at the moment as I don't know
 which info you ask for here and displaying potentially wrong info
 could be confusing at best and might even be dangerous.
 (a package manager confusing its users is never a good idea)
 
 (/me has never really used aptitude)
[..]

I like the idea, attached is a trivial patch that implements some very
simple information for apt update. But I agree with David's concerns,
that we need to be careful about the message displayed to avoid
confusing the users. 


Cheers,
 Michael

From 72610548d2993e30fb5b8d633044c7f2af3fb392 Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@debian.org
Date: Tue, 22 Apr 2014 16:07:32 +0200
Subject: [PATCH] show upgradable packages after apt update

---
 apt-private/private-update.cc| 18 ++
 cmdline/apt.cc   |  1 +
 test/integration/test-apt-cli-update | 17 +
 3 files changed, 36 insertions(+)
 create mode 100755 test/integration/test-apt-cli-update

diff --git a/apt-private/private-update.cc b/apt-private/private-update.cc
index da83d77..fa827de 100644
--- a/apt-private/private-update.cc
+++ b/apt-private/private-update.cc
@@ -75,6 +75,24 @@ bool DoUpdate(CommandLine CmdL)
 	 return false;
}
 
+   // show basic stats (if the user whishes)
+   if (_config-FindB(APT::Cmd::Show-Update-Stats, false) == true)
+   {
+  int upgradable = 0;
+  Cache.Open();
+  for (pkgCache::PkgIterator I = Cache-PkgBegin(); I.end() != true; ++I)
+  {
+ pkgDepCache::StateCache state = Cache[I];
+ if (I-CurrentVer != 0  state.Upgradable())
+upgradable++;
+  }
+  const char *msg = ngettext(
+ %i package can be upgraded. Run 'apt list --upgradable' to see it.\n,
+ %i packages can be upgraded. Run 'apt list --upgradable' to see them.\n,
+ upgradable);
+  ioprintf(c1out, msg, upgradable);
+   }
+
return true;
 }
 	/*}}}*/
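Review bot: Cache.Open() in the added block is called without checking its result, and the loop then iterates over Cache unconditionally; if opening the cache fails after the update, this path should return false or skip the statistics rather than walk the package list. When upgradable is 0 the plural branch still prints "0 packages can be upgraded. Run 'apt list --upgradable' to see them.", which is the kind of confusing output raised earlier in the thread, so consider a separate message or no output for zero. The comment also has a typo ("whishes").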
diff --git a/cmdline/apt.cc b/cmdline/apt.cc
index 4813861..8a6f96a 100644
--- a/cmdline/apt.cc
+++ b/cmdline/apt.cc
@@ -112,6 +112,7 @@ int main(int argc, const char *argv[])	/*{{{*/
_config-CndSet(DPkg::Progress-Fancy, 1);
_config-CndSet(Apt::Color, 1);
_config-CndSet(APT::Get::Upgrade-Allow-New, true);
+   _config-CndSet(APT::Cmd::Show-Update-Stats, true);
 
// Parse the command line and initialize the package library
CommandLine CmdL(Args.data(), _config);
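Review bot: APT::Cmd::Show-Update-Stats is a new configuration option that is switched on by default for the apt binary, but the diffstat touches no documentation file. Add an entry to the apt manpage or the configuration documentation that describes the option and how to turn it off.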
diff --git a/test/integration/test-apt-cli-update b/test/integration/test-apt-cli-update
new file mode 100755
index 000..8237bf0
--- /dev/null
+++ b/test/integration/test-apt-cli-update
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture i386
+
+insertpackage 'unstable' 'foo' 'all' '2.0'
+insertinstalledpackage 'foo' 'all' '1.0'
+
+setupaptarchive
+
+APTARCHIVE=$(readlink -f ./aptarchive)
+
+testequal 1 package can be upgraded. Run 'apt list --upgradable' to see it. apt update -q
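Review bot: The test asserts only the singular message with exactly one upgradable package; add cases for the plural form and for zero upgradable packages, plus one run with APT::Cmd::Show-Update-Stats set to false to show the line is suppressed. APTARCHIVE is assigned but not used in the lines shown.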
-- 
1.9.1



Bug#743616: Adding sun-java 5,6-jdk in breaks / replaces forces removal of apt on oracle 7 and 8 package install

2014-04-07 Thread Michael Vogt
On Fri, Apr 04, 2014 at 06:36:53PM +1000, Bryan Cebuliak wrote:
 package: apt
 
 version: 1.0

Thanks for your bugreport. 
 
 Why does  oracle-java 7 and  8 installer from http://www.webupd8.org force
 a remove of apt 1.0 in Debian Sid if  the Java apt binary is deprecated??
[..]

The older sun-java-{5,6}-jdk packages shipped an apt alternative for
their annotation processing tool. This is why the breaks/replaces
was added. 

This was also discussed in
https://bugs.edge.launchpad.net/ubuntu/+bug/1302736 

Attached is a simple patch that makes the replaces versionized and also
adds a versionized openjdk-6-jdk (which is against a very old version
so it's probably not needed).

Cheers,
 Michael
From a75a293f19d315b491972b688747702e017a5625 Mon Sep 17 00:00:00 2001
From: Michael Vogt m...@ubuntu.com
Date: Mon, 7 Apr 2014 08:18:14 +0200
Subject: [PATCH] make Replaces/Breaks for sun-java-{5,6}-jdk versionized and
 add missing openjdk-6-jdk versionized breaks too (LP: #1302736)

Closes: #743616
---
 debian/control | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/control b/debian/control
index 41c9529..ce43ac9 100644
--- a/debian/control
+++ b/debian/control
@@ -19,8 +19,8 @@ XS-Testsuite: autopkgtest
 Package: apt
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, ${apt:keyring}, gnupg
-Replaces: manpages-pl ( 20060617-3~), manpages-it ( 2.80-4~), sun-java6-jdk, sun-java5-jdk
-Breaks: manpages-pl ( 20060617-3~), manpages-it ( 2.80-4~), sun-java6-jdk, sun-java5-jdk
+Replaces: manpages-pl ( 20060617-3~), manpages-it ( 2.80-4~), sun-java6-jdk ( 6.24-1build0.8.04.1), sun-java5-jdk ( 1.5.0-22-0ubuntu0.8.04), openjdk-6-jdk ( 6b24-1.11-0ubuntu1)
+Breaks: manpages-pl ( 20060617-3~), manpages-it ( 2.80-4~), sun-java6-jdk ( 6.24-1build0.8.04.1), sun-java5-jdk ( 1.5.0-22-0ubuntu0.8.04), openjdk-6-jdk ( 6b24-1.11-0ubuntu1)
 Conflicts: python-apt ( 0.7.93.2~)
 Suggests: aptitude | synaptic | wajig, dpkg-dev (= 1.17.2), apt-doc, python-apt
 Description: commandline package manager
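Review bot: The version bounds added for sun-java6-jdk, sun-java5-jdk and openjdk-6-jdk (6.24-1build0.8.04.1, 1.5.0-22-0ubuntu0.8.04, 6b24-1.11-0ubuntu1) are Ubuntu version strings, while this control file is also used for the Debian upload that closes #743616; verify that these bounds sort correctly against the Debian versions of those packages that shipped the apt alternative, or use Debian versions here. The openjdk-6-jdk entry is new in both Replaces and Breaks, so the commit message should name the file it overlaps with.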
-- 
1.9.1



Bug#743594: +1

2014-04-07 Thread Michael Vogt
On Sun, Apr 06, 2014 at 08:16:30AM -0700, Martin Gallant wrote:
 Same here on all 3 of my jessie machines, amd64  i386

Thanks everyone, I have a testcase now and work on a fix.

Cheers,
 Michael





Bug#743771: synaptic: fix french translation : History Historique des opérations

2014-04-07 Thread Michael Vogt
On Sun, Apr 06, 2014 at 10:57:38AM +0200, Ghent wrote:
 Package: synaptic
 Version: 0.81.1
 Severity: minor
 Tags: l10n
 
 Dear Maintainer,
 
 In the French translation, History of File menu is translated as Historique 
 des recherches, search history in english
 but it's the history of actions performed on the packages.
 I suggest to replace by Historique des opérations.

Thanks for your bugreport. I merged your patch and it will be part of
the next upload.

Cheers,
 Michael
 
 Regards,
 Ghent
 
 -- System Information:
 Debian Release: jessie/sid
   APT prefers testing
   APT policy: (960, 'testing'), (950, 'stable-updates'), (950, 'testing'), 
 (950, 'stable'), (180, 'unstable'), (60, 'experimental')
 Architecture: amd64 (x86_64)
 Foreign Architectures: i386
 
 Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
 Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages synaptic depends on:
 ii  hicolor-icon-theme   0.13-1
 ii  libapt-inst1.5   0.9.16.1
 ii  libapt-pkg4.12   0.9.16.1
 ii  libatk1.0-0  2.10.0-2
 ii  libc62.18-4
 ii  libcairo-gobject21.12.16-2
 ii  libcairo21.12.16-2
 ii  libept1.4.12 1.0.12
 ii  libgcc1  1:4.8.2-16
 ii  libgdk-pixbuf2.0-0   2.30.6-1
 ii  libglib2.0-0 2.38.2-5
 ii  libgtk-3-0   3.10.7-1
 ii  libpango-1.0-0   1.36.3-1
 ii  libpangocairo-1.0-0  1.36.3-1
 ii  libstdc++6   4.8.2-16
 ii  libvte-2.90-91:0.34.9-1
 ii  libx11-6 2:1.6.2-1
 ii  libxapian22  1.2.17-1
 ii  libxext6 2:1.3.2-1
 ii  zlib1g   1:1.2.8.dfsg-1
 
 Versions of packages synaptic recommends:
 ii  gksu   2.0.2-6
 ii  libgtk2-perl   2:1.249-2
 ii  policykit-10.105-4
 ii  rarian-compat  0.8.1-5
 
 Versions of packages synaptic suggests:
 ii  apt-xapian-index 0.46
 ii  deborphan1.7.28.8
 pn  dwww none
 ii  menu 2.1.46
 ii  software-properties-gtk  0.92.25debian1
 ii  tasksel  3.20
 
 -- no debconf information

 --- fr.po 2014-03-18 21:02:04.0 +0100
 +++ fr-new.po 2014-04-06 10:39:00.901347032 +0200
 @@ -2512,7 +2512,7 @@
  
  #: ../gtk/gtkbuilder/window_main.ui.h:62
  msgid _History
 -msgstr _Historique des recherches
 +msgstr _Historique des opérations
  
  #: ../gtk/gtkbuilder/window_main.ui.h:63
  msgid _Icons Only





Bug#743594: +1

2014-04-06 Thread Michael Vogt
Thanks for your bugreport. 

Could you please attach or mail privately the /var/lib/dpkg/status file? This 
should help me to reproduce the bug. 

Thanks, 
 Michael 

On 6 April 2014 17:16:30 CEST, Martin Gallant mar...@goodbit.net wrote:
Same here on all 3 of my jessie machines, amd64  i386


Bug#743413: 'apt list' seg-faults if sources.list file is unreadable

2014-04-04 Thread Michael Vogt
On Wed, Apr 02, 2014 at 02:22:50PM +0100, Ben Hutchings wrote:
 Package: apt
 Version: 1.0
 Severity: normal

Thanks for your bugreport.
 
 I accidentally gave /etc/apt/sources.list permissions 640 rather than
 644.  'apt list' would then consistently seg-fault.

This is fixed in git and will be part of the next upload.

Cheers,
 Michael
 
 Ben.
 
 -- System Information:
 Debian Release: jessie/sid
   APT prefers unstable
   APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
 'experimental')
 Architecture: i386 (x86_64)
 Foreign Architectures: amd64
 
 Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
 Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages apt depends on:
 ii  debian-archive-keyring  2012.4
 ii  gnupg   1.4.16-1.1
 ii  libapt-pkg4.12  1.0
 ii  libc6   2.18-4
 ii  libgcc1 1:4.8.2-18
 ii  libstdc++6  4.8.2-18
 
 apt recommends no packages.
 
 Versions of packages apt suggests:
 pn  apt-doc none
 ii  aptitude0.6.10-1
 ii  dpkg-dev1.17.6
 ii  python-apt  0.9.3.5
 ii  synaptic0.81.1
 
 -- no debconf information
 
 
 -- 
 To UNSUBSCRIBE, email to deity-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: 
 https://lists.debian.org/20140402132250.9973.53933.report...@deadeye.wl.decadent.org.uk
 





Bug#743295: RM: vdkxdb2, vdkbuilder2 - old unmaintained software

2014-04-02 Thread Michael Vogt
On Tue, Apr 01, 2014 at 04:10:41PM +0200, Matthias Klose wrote:
 Package: ftp.debian.org
 
 According to the maintainer (CCed Michael Vogt), these packages are
 old and unmaintained, and should be removed from the archive.
 
 #726232 already suggests removing vdkbuilder2.

I agree with this request, there haven't been updates since ~2011 and
I don't have the time to put lots of effort into the package.

Cheers,
 Michael





Bug#740551: documentation for APT::Periodic::MaxSize v.s. processing in apt.cron.daily

2014-03-27 Thread Michael Vogt
On Sun, Mar 02, 2014 at 01:09:55PM -0500, Nathan Stratton Treadway wrote:
 Package: apt
 Severity: minor
 Version: 0.9.15.5

Thanks for your bugreport.
 
 Near the top of /etc/cron.daily/apt, the documentation for the MaxSize
 variable says:
 
 #  APT::Periodic::MaxSize 0; (new)
 #  - Set maximum size of the cache in MB (0=disable). If the cache
 #is bigger, cached package files are deleted until the size
 #requirement is met (the biggest packages will be deleted 
 #first).
 
 (This same text is also found in 
 /usr/share/doc/apt/examples/configure-index.gz )
[..]

Indeed, this has been incorrect for a very long time. I updated the
documentation to match what the script is really doing.

Cheers,
 Michael





Bug#741867: apt: [INTL:it] Updated Italian translation of apt po4a docs

2014-03-27 Thread Michael Vogt
On Sun, Mar 16, 2014 at 07:00:03PM +0100, Beatrice Torracca wrote:
 Package: apt
 Version: 0.9.15.5
 Severity: wishlist
 Tags: l10n patch

 Hi!
 
 I updated the po4a docs of apt. You can find the gzipped file attached
 here. Please include it in your next upload.

Thanks for your translation update. I merged it into the git
repository and it will be part of the next upload.

Cheers,
 Michael
 





Bug#741627: insecure temporary file usage in apt-extracttemplates

2014-03-27 Thread Michael Vogt
On Fri, Mar 14, 2014 at 05:10:05PM +, Steve Kemp wrote:
 Package: apt
 Version: 0.9.7.9+deb7u1
 Severity: important
 Tags: security

Thanks for your bugreport. 
 
[..]
 Anyway given that the generated file names are output to the console
 it feels like we should use mkstemp and do it properly, right?
[..]

I agree and changed the code to use mkstemp() now instead of using the
pid/static integer combination. Changing this means that the format of
the output changes slightly, the last field after the . is fixed size
now and no longer contains only numbers. I don't expect this to cause
issues, but I will run it on my system first for a couple of days
(I also added a small integration test for this functionality).

Cheers,
 Michael
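
The change described in this message, as an added example (not apt's code and not part of the original thread): a temp file name built from the PID and a static counter beside one created with mkstemp(). The `example.template.` prefix, the exact layout of the old name and the scratch directory are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int counter;                 /* the "static integer" of the old scheme */

/* Old scheme (assumed layout): the last field is PID digits plus a counter. */
static void legacy_name(char *out, size_t len, const char *dir, int n)
{
    snprintf(out, len, "%s/example.template.%ld%d", dir, (long)getpid(), n);
}

/* "Before": no O_EXCL, so a file already sitting at the name is reused. */
static int open_legacy(const char *dir, char *path, size_t len)
{
    legacy_name(path, len, dir, counter++);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* "After": mkstemp() chooses the suffix and creates the file exclusively. */
static int open_mkstemp(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/example.template.XXXXXX", dir);
    return (n < 0 || (size_t)n >= len) ? -1 : mkstemp(path);
}

struct outcome {
    int legacy_reused_existing;        /* 1: old scheme opened the planted file */
    int legacy_truncated;              /* 1: its content was wiped */
    int mkstemp_is_fresh;              /* 1: mkstemp() made a new inode */
    unsigned mkstemp_group_other_bits; /* group/other permission bits */
    size_t mkstemp_suffix_len;         /* length of the field after the last '.' */
};

/* Runs both schemes inside a private scratch directory; 0 on success. */
static int compare_schemes(struct outcome *r)
{
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";
    char planted[256], a[256], b[256];
    struct stat sp, sa, sb;
    int fd, fa, fb;

    if (mkdtemp(dir) == NULL) return -1;

    /* Constructed scenario: the next legacy name is computable, so a file
     * can already exist there before the program creates "its" temp file. */
    legacy_name(planted, sizeof planted, dir, counter);
    fd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write(fd, "pre-existing", 12) != 12 || fstat(fd, &sp) != 0)
        return -1;
    close(fd);

    fa = open_legacy(dir, a, sizeof a);
    fb = open_mkstemp(dir, b, sizeof b);
    if (fa < 0 || fb < 0 || fstat(fa, &sa) != 0 || fstat(fb, &sb) != 0)
        return -1;

    r->legacy_reused_existing = (sa.st_ino == sp.st_ino);
    r->legacy_truncated = (sa.st_size == 0);
    r->mkstemp_is_fresh = (sb.st_ino != sp.st_ino);
    r->mkstemp_group_other_bits = (unsigned)(sb.st_mode & 077);
    r->mkstemp_suffix_len = strlen(strrchr(b, '.') + 1);

    close(fa); close(fb);
    unlink(a); unlink(b); rmdir(dir);
    return 0;
}

int main(void)
{
    struct outcome r;
    if (compare_schemes(&r) != 0) return 1;
    printf("legacy reused=%d truncated=%d; mkstemp fresh=%d go-bits=%o suffix=%zu\n",
           r.legacy_reused_existing, r.legacy_truncated, r.mkstemp_is_fresh,
           r.mkstemp_group_other_bits, r.mkstemp_suffix_len);
    return 0;
}
```

The six-character suffix reported for the mkstemp() name is the fixed-size, no longer purely numeric last field that the message mentions.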





Bug#742166: closed by Michael Vogt m...@debian.org (Bug#742166: fixed in synaptic 0.81.1)

2014-03-27 Thread Michael Vogt
On Wed, Mar 26, 2014 at 09:45:06PM -0400, Filipus Klutiero wrote:
[..]
 Their explanation is attached below along with your original report.
 If this explanation is unsatisfactory and you have not received a
 better one in a separate message then please contact Michael Vogt 
 m...@debian.org by
 replying to this email.
 
 The issue appears to remain the same in 0.81.1.

Thanks and sorry for the premature closing of bug. I assumed that
adding iceweasel would fix it. 

So just to clarify - the effect is the same when using gksu or kdesu?
It could be that gksu does not provide any information what UID the
calling user has. If you run kdesu env, do you see anything that
indicates your username or your userid in the environment?

Thanks,
 Michael





Bug#741154: fixed in bzr

2014-03-23 Thread Michael Vogt
Thanks for your bugreport and your description how to reproduce the
issue. This is fixed in bzr now and the fix will be part of the next
upload. 

Cheers,
 Michael





Bug#742212: synaptic: Quick search field is missing

2014-03-23 Thread Michael Vogt
On Thu, Mar 20, 2014 at 08:02:14PM +0100, Piotr Jurkiewicz wrote:
 Package: synaptic
 Version: 0.80.4
 Severity: important

Thanks for your bugreport.
 
 As in topic, on the present Jessie preview quick search field in toolbar is
 missing.
 
Do you have apt-xapian-index installed? This is what is needed to
create the quick-search box. It's only a suggests at this point, iirc
because there were bugreports from low-power systems that building the
xapian cache is too demanding on low(er)-end hardware.

Cheers,
 Michael
 
 -- System Information:
 Debian Release: jessie/sid
   APT prefers testing-updates
   APT policy: (500, 'testing-updates'), (500, 'testing')
 Architecture: amd64 (x86_64)
 
 Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/dash
 
 Versions of packages synaptic depends on:
 ii  hicolor-icon-theme   0.13-1
 ii  libapt-inst1.5   0.9.15.5+b1
 ii  libapt-pkg4.12   0.9.15.5+b1
 ii  libatk1.0-0  2.10.0-2
 ii  libc62.18-4
 ii  libcairo-gobject21.12.16-2
 ii  libcairo21.12.16-2
 ii  libept1.4.12 1.0.12
 ii  libgcc1  1:4.8.2-16
 ii  libgdk-pixbuf2.0-0   2.30.6-1
 ii  libglib2.0-0 2.38.2-5
 ii  libgtk-3-0   3.10.7-1
 ii  libpango-1.0-0   1.36.2-2
 ii  libpangocairo-1.0-0  1.36.2-2
 ii  libstdc++6   4.8.2-16
 ii  libvte-2.90-91:0.34.9-1
 ii  libx11-6 2:1.6.2-1
 ii  libxapian22  1.2.17-1
 ii  libxext6 2:1.3.2-1
 ii  zlib1g   1:1.2.8.dfsg-1
 
 Versions of packages synaptic recommends:
 ii  libgtk2-perl   2:1.249-1
 ii  policykit-10.105-4
 ii  rarian-compat  0.8.1-5
 
 Versions of packages synaptic suggests:
 ii  apt-xapian-index 0.46
 pn  deborphannone
 pn  dwww none
 pn  menu none
 pn  software-properties-gtk  none
 ii  tasksel  3.20
 
 -- no debconf information





Bug#742166: [synaptic] Visit Homepage has no effect (KDE)

2014-03-23 Thread Michael Vogt
On Wed, Mar 19, 2014 at 11:00:07PM -0400, Filipus Klutiero wrote:
 Package: synaptic
 Version: 0.81
 Severity: normal

Thanks for your bugreport.
 
 Many packages define their homepage. For example, filelight does. Synaptic 
 now displays a curious Visit Homepage link for these packages (initially 
 looks like a simple link, but looks like a button when clicked). When I click 
 this button, Synaptic fails to open the requested homepage. Note that in 
 previous versions, it crashed, as reported in #725885.
 
 Synaptic can still help to reach the homepage as one can right-click the link 
 and copy the URL.
 
 I use KDE 4.11. This happens for 2 users on 2 tested. All homepages appear to 
 be affected. My default browser is Iceweasel. There is no error message, even 
 in .xsession-errors, just nothing happens - whether Iceweasel is already open 
 or not.

I added a fallback to iceweasel now in bzr and this should work in the
next upload. 

Currently synaptic is using xdg-open to find the default
browser. There is already a fallback for konqueror - if this is
installed, the fallback mechanism is not working for some
reason. If you have xdg-open installed, could you please run xdg-open
http://www.debian.org in this case and let me know what happens?

Cheers,
 Michael
 
 --- System information. ---
 Architecture: i386
 Kernel: Linux 3.12-1-amd64
 
 Debian Release: jessie/sid
 990 testing debian.mirror.iweb.ca
 500 unstable debian.mirror.iweb.ca
 1 experimental ftp3.nrc.ca
 
 --- Package information. ---
 Depends (Version) | Installed
 =-+-==
 libapt-inst1.5 (= 0.8.16~exp12) | 0.9.15.5
 libapt-pkg4.12 (= 0.9.11) | 0.9.15.5
 libatk1.0-0 (= 1.12.4) | 2.10.0-2
 libc6 (= 2.3.6-6~) | 2.18-4
 libcairo-gobject2 (= 1.10.0) | 1.12.16-2
 libcairo2 (= 1.2.4) | 1.12.16-2
 libept1.4.12 | 1.0.12
 libgcc1 (= 1:4.1.1) | 1:4.8.2-16
 libgdk-pixbuf2.0-0 (= 2.22.0) | 2.30.6-1
 libglib2.0-0 (= 2.14.0) | 2.38.2-5
 libgtk-3-0 (= 3.0.0) | 3.10.7-1
 libpango-1.0-0 (= 1.14.0) | 1.36.2-2
 libpangocairo-1.0-0 (= 1.14.0) | 1.36.2-2
 libstdc++6 (= 4.6) | 4.8.2-16
 libvte-2.90-9 (= 1:0.27.2) | 1:0.34.9-1
 libx11-6 | 2:1.6.2-1
 libxapian22 | 1.2.17-1
 libxext6 | 2:1.3.2-1
 zlib1g (= 1:1.1.4) | 1:1.2.8.dfsg-1
 hicolor-icon-theme | 0.13-1
 
 
 Recommends (Version) | Installed
 ==-+-=
 gksu | 2.0.2-6
 OR kdebase-bin |
 OR policykit-1 | 0.105-4
 libgtk2-perl (= 1:1.130) |
 rarian-compat | 0.8.1-5
 
 
 Suggests (Version) | Installed
 ==-+-===
 dwww |
 menu | 2.1.46
 deborphan |
 apt-xapian-index | 0.46
 tasksel | 3.20
 software-properties-gtk | 0.82.7.1debian1
 
 -- 
 Filipus Klutiero
 http://www.philippecloutier.com





Bug#741109: can not open synaptic package manager

2014-03-23 Thread Michael Vogt
On Sun, Mar 09, 2014 at 12:01:57AM +0700, gil79 wrote:
 Package: synaptic
 Version: 0.70~pre1+b1
 Severity: important

Thanks for your bugreport.
 
 I can not open synaptic, and a message window appears, stated:
 
 E: The package needs to be reinstalled giada, but I can not find an archive 
 for
 it.
 E: Internal error opening cache (1). Please report.
 
 W: Ignoring file 'google-chrome.list.save' in directory '/ etc / apt /
 sources.list.d /' as it has an invalid filename extension
 
Please run:
$ sudo dpkg --remove giada

Your system is in an inconsistent state for some reason (maybe the
install of giada failed earlier).



Cheers,
 Michael

 
 -- System Information:
 Debian Release: 6.0.9
   APT prefers oldstable-proposed-updates
   APT policy: (500, 'oldstable-proposed-updates'), (500, 'oldstable')
 Architecture: i386 (i686)
 
 Kernel: Linux 3.6.11.2-avl1 (SMP w/2 CPU cores; PREEMPT)
 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/bash
 
 Versions of packages synaptic depends on:
 ii  apt [libapt-pkg4. 0.8.10.3+squeeze1  Advanced front-end for dpkg
 ii  apt-utils [libapt 0.8.10.3+squeeze1  APT utility programs
 ii  hicolor-icon-them 0.12-1 default fallback theme for 
 FreeDes
 ii  libatk1.0-0   1.30.0-1   The ATK accessibility toolkit
 ii  libc6 2.13-21Embedded GNU C Library: Shared 
 lib
 ii  libcairo2 1.10.2-7~bpo60+1   The Cairo 2D vector graphics 
 libra
 ii  libept1   1.0.4  High-level library for managing 
 De
 ii  libfontconfig12.9.0-5generic font configuration 
 library
 ii  libfreetype6  2.4.2-2.1+squeeze4 FreeType 2 font engine, shared 
 lib
 ii  libgcc1   1:4.6.1-15 GCC support library
 ii  libglade2-0   1:2.6.4-1  library to load .glade files at 
 ru
 ii  libglib2.0-0  2.33.12+really2.32.4-3 GLib library of C routines
 ii  libgtk2.0-0   2.20.1-2   The GTK+ graphical user interface
 ii  libpango1.0-0 1.28.3-1+squeeze2  Layout and rendering of 
 internatio
 ii  libstdc++64.6.1-15   GNU Standard C++ Library v3
 ii  libvte9   1:0.24.3-4 Terminal emulator widget for GTK+
 ii  libx11-6  2:1.3.3-4+squeeze1 X11 client-side library
 ii  libxapian22   1.2.3-2Search engine library
 ii  libxml2   2.7.8.dfsg-2+squeeze8  GNOME XML library
 ii  zlib1g1:1.2.3.4.dfsg-3   compression library - runtime
 
 Versions of packages synaptic recommends:
 ii  apt-xapian-index   0.41  maintenance and search tools for 
 a
 ii  gksu   2.0.2-5   graphical frontend to su
 ii  libgnome2-perl 1.042-2   Perl interface to the GNOME 
 librar
 ii  rarian-compat  0.8.1-5   Documentation meta-data library 
 (c
 ii  software-properties-gtk0.60.debian-3 manage the repositories that you 
 i
 
 Versions of packages synaptic suggests:
 pn  deborphan none (no description available)
 pn  dwww  none (no description available)
 ii  menu  2.1.44 generates programs menu for all 
 me





Bug#735385: synaptic: quick search / xapian not installed by default in jessie

2014-03-23 Thread Michael Vogt
On Thu, Jan 16, 2014 at 04:46:21PM +0100, Andreas Cadhalpun wrote:
 On 15.01.2014 04:33, Lars Cebulla wrote:
 On a new installed Debian Jessie, I can't see the quick search input field in
 synaptic.
 
 After searching on the internet, I've found a solution:
 
 apt-get install apt-xapian-index
 update-apt-xapian-index
 
 http://debianforum.de/forum/viewtopic.php?f=12t=144140
 
 This should be done by default !
 
 I agree that this should be the default, since the normal search is
 not really an alternative. But I fear that this will not happen,
 because it was explicitly reduced to a Suggests from a Recommends
 due to performance problems on low end hardware, see [1].
[..]

It's really a bit tricky to get this right it seems :) I guess what we
could do is to add a button to install the quick search package if it's
missing. Something like Install quick filter support in the
preferences window or even in the toolbar?

Cheers,
 Michael





Bug#276655: [synaptic] Bug#276655: replace 'lock version' with dpkg holds

2014-03-23 Thread Michael Vogt
On Fri, Nov 15, 2013 at 06:07:30PM +0100, Andreas Cadhalpun wrote:
 Package: synaptic
 Version: 0.80.4

Thanks for your mail.

 I want to second Daniel Hartwig: synaptic should really use the
 universal dpkg holds. Anything else is quite confusing.

Back when the locks got implemented in synaptic apt was not honoring
dpkg hold iirc and there was also the worry about portability
(i.e. using it on rpm systems). But I agree that nowadays it should use
dpkg holds.

 I expect that 'apt-get (dist)upgrade' respects the holds I have set
 with synaptic. If anyone does not, there should at least be an
 option where one can choose which behavior is wanted.

I pushed a branch to lp:~mvo/synaptic/use-dpkg-hold that implements
the hold via dpkg holds. It's not doing a transition from the old to
the new style yet, that probably needs fixing but otherwise I think
it's ready.

Cheers,
 Michael





Bug#720605: [synaptic] Bug#720605: Gtk-CRITICAL: assertion `iter_is_valid (iter, list_store)' failed

2014-03-23 Thread Michael Vogt
On Fri, Nov 15, 2013 at 05:44:53PM +0100, Andreas Cadhalpun wrote:
 Package: synaptic
 Version: 0.80.4

Thanks for the mail.
 
 for me the error in the terminal has one more line, which I suspect
 is the main problem, since it is called 'CRITICAL':
 (synaptic:30019): Gtk-CRITICAL **: gtk_list_store_get_value:
 assertion `iter_is_valid (iter, list_store)' failed
 
 (synaptic:30019): GLib-GObject-WARNING **:
 /tmp/buildd/glib2.0-2.36.4/./gobject/gtype.c:4239: type id `0' is
 invalid
 
 (synaptic:30019): GLib-GObject-WARNING **: can't peek value table
 for type `invalid' which is not currently referenced

I was able to reproduce this and I fixed it in my repository. It will
be part of the next upload.

Cheers,
 Michael





Bug#724709: [synaptic] Bug#724709: custom filters are quite broken

2014-03-23 Thread Michael Vogt
On Fri, Nov 15, 2013 at 05:35:24PM +0100, Andreas Cadhalpun wrote:
 Package: synaptic
 Version: 0.80.4

Thanks for your mail.
 
 I can confirm this problem and report another, probably closely
 related bug, that can be reproduced as follows:
  * Create a custom filter and change any setting.
  * Close the filter creation window.
  * Open the window again and find, that the setting you changed for
 the custom filter was also changed in the topmost filter (for me the
 filter for defect packages).
 
 Example: If your custom filter only looks in section admin, the
 defect package filter will also look only in this section and not
 for defect packages anymore.
 
 This is very weird behavior which renders the custom filters quite unusable.

Sorry for the long wait, this is fixed in bzr now and it will be part
of the next upload. I (or someone :) will need to check if that fix
also fixes the original report. I hope to find time for this soon(ish).

Cheers,
 Michael





Bug#682365: Possible dpkg fix?

2014-03-20 Thread Michael Vogt
Hi,

I stumbled on this today and was wondering if something like the
attached patch might help. It will allow packages that are normally
not co-installable on the system if the other package(s) are in
stat_configfiles.

The patch is a bit of a proof-of-concept for now, but I'm happy to
clean it up and look (much) more deeply into the issue if you are ok
with the general direction of the idea, it's against the Ubuntu dpkg
version as I ran into the problem on an Ubuntu machine.

I'm happy to make it a proper git am mergeable patch, give
really_installed_instances a better name and add a test for the new
really_installed_instances member. It might even be possible to merge
it with installed_instances if that is desired, I took the
conservative approach here because I don't know if on the other places
where it's used the stat_configfiles might be relevant.

Thanks for your consideration,
 Michael
diff -Nru dpkg-1.17.5ubuntu5/lib/dpkg/dpkg-db.h dpkg-1.17.5ubuntu6/lib/dpkg/dpkg-db.h
--- dpkg-1.17.5ubuntu5/lib/dpkg/dpkg-db.h	2013-12-10 07:14:22.0 +0100
+++ dpkg-1.17.5ubuntu6/lib/dpkg/dpkg-db.h	2014-03-20 21:35:13.0 +0100
@@ -215,6 +215,7 @@
 struct deppossi *installed;
   } depended;
   int installed_instances;
+  int really_installed_instances;
 };
 
 /*** from dbdir.c ***/
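Review bot: The new really_installed_instances member in this struct has no comment saying how it differs from installed_instances, and this header diff carries no prototype for pkgset_really_installed_instances(), which pkg.c defines and parse.c calls. Add a one-line comment on the member (going by the pkg.c hunk, it counts instances that are neither not-installed nor config-files) and declare the accessor in this header.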
diff -Nru dpkg-1.17.5ubuntu5/lib/dpkg/parse.c dpkg-1.17.5ubuntu6/lib/dpkg/parse.c
--- dpkg-1.17.5ubuntu5/lib/dpkg/parse.c	2014-01-17 00:01:36.0 +0100
+++ dpkg-1.17.5ubuntu6/lib/dpkg/parse.c	2014-03-20 22:08:16.0 +0100
@@ -297,6 +297,7 @@
 struct pkgcount {
   int single;
   int multi;
+  int configfiles;
   int total;
 };
 
@@ -307,7 +308,9 @@
   if (pkg-status == stat_notinstalled)
  return;
 
-  if (pkgbin-multiarch == multiarch_same)
+  if (pkg-status == stat_configfiles)
+count-configfiles++;
+  else if (pkgbin-multiarch == multiarch_same)
 count-multi++;
   else
 count-single++;
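Review bot: The configfiles counter incremented in the new stat_configfiles branch is not read in any hunk shown, so the only effect here is that a config-files package stops being counted as single or multi. Either use the counter in the slot-selection logic, or drop it and say in a comment why leaving such packages out of both tallies is the intended result.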
@@ -326,7 +328,7 @@
 parse_find_set_slot(struct parsedb_state *ps,
 struct pkginfo *new_pkg, struct pkgbin *new_pkgbin)
 {
-  struct pkgcount count = { .single = 0, .multi = 0, .total = 0 };
+  struct pkgcount count = { .single = 0, .multi = 0, .configfiles = 0,.total = 0 };
   struct pkgset *set;
   struct pkginfo *pkg;
 
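Review bot: Style point on the changed initializer: ".configfiles = 0,.total = 0" is missing the space after the comma, and the line is now much wider than the code around it. Break the initializer across two lines.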
@@ -405,7 +407,7 @@
   selection = true;
 
 /* Verify we don't allow something that will mess up the db. */
-if (pkgset_installed_instances(db_set)  1 
+if (pkgset_really_installed_instances(db_set)  1 
 !selection  new_pkgbin-multiarch != multiarch_same)
   ohshit(_(%s %s (Multi-Arch: %s) is not co-installable with 
%s which has multiple installed instances),
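Review bot: The check under "Verify we don't allow something that will mess up the db" now ignores config-files instances, but that comment and the ohshit() text ("which has multiple installed instances") still describe the old count. Update both, and state why instances that only have conffiles left cannot conflict with the new package that is not Multi-Arch: same.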
diff -Nru dpkg-1.17.5ubuntu5/lib/dpkg/pkg.c dpkg-1.17.5ubuntu6/lib/dpkg/pkg.c
--- dpkg-1.17.5ubuntu5/lib/dpkg/pkg.c	2013-12-10 07:15:02.0 +0100
+++ dpkg-1.17.5ubuntu6/lib/dpkg/pkg.c	2014-03-20 21:52:08.0 +0100
@@ -37,13 +37,18 @@
 {
 	if (pkg-status == status)
 		return;
-	else if (pkg-status == stat_notinstalled)
+	if (pkg-status == stat_notinstalled)
 		pkg-set-installed_instances++;
 	else if (status == stat_notinstalled)
 		pkg-set-installed_instances--;
 
 	assert(pkg-set-installed_instances = 0);
 
+if((pkg-status == stat_notinstalled || pkg-status == stat_configfiles)  (status != stat_notinstalled  status != stat_configfiles))
+pkg-set-really_installed_instances++;
+else if ((pkg-status != stat_notinstalled  pkg-status != stat_configfiles)  (status == stat_notinstalled || status == stat_configfiles))
+pkg-set-really_installed_instances--;
+
 	pkg-status = status;
 }
 
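Review bot: really_installed_instances is adjusted in the added block without the lower-bound assert that installed_instances gets just above it, so a bookkeeping error in the new counter would go unnoticed; add the matching assert after the block. The added lines are also indented with spaces and written as "if(" where the function uses tabs and "if (", and the two long conditions would read better through a small helper that tests for not-installed or config-files. The change from "else if" to "if" after the return is unrelated to the feature and could be left out.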
@@ -145,6 +150,7 @@
 	set-depended.installed = NULL;
 	pkg_blank(set-pkg);
 	set-installed_instances = 0;
+	set-really_installed_instances = 0;
 	set-pkg.set = set;
 	set-pkg.arch_next = NULL;
 }
@@ -176,6 +182,12 @@
 	return set-installed_instances;
 }
 
+int
+pkgset_really_installed_instances(struct pkgset *set)
+{
+	return set-really_installed_instances;
+}
+
 /**
  * Check if a pkg is informative.
  *
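Review bot: pkgset_really_installed_instances() is added without a doc comment, while the function that follows it has one. Add a short comment stating which package states count as really installed, so callers can choose between this accessor and pkgset_installed_instances().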

