Bug#895217: aptitude: Uses hostname of repo to determine what is a security update instead of repo metadata

2018-04-08 Thread Axel Beckert 
Hi,

Axel Beckert wrote:
> aptitude uses the hostname of APT repository (e.g. "security.debian.org"
> to determine what is a security update and what isn't instead of using
> the repository metadata provided by apt's libraries.

JFTR: This was prompted by
https://bugs.launchpad.net/debian/+source/aptitude/+bug/1370416, see
https://bugs.launchpad.net/debian/+source/aptitude/+bug/1370416/comments/14

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#895217: aptitude: Uses hostname of repo to determine what is a security update instead of repo metadata

2018-04-08 Thread Axel Beckert 
Package: aptitude
Version: 0.8.10-6
Severity: normal
Tags: confirmed upstream

aptitude uses the hostname of APT repository (e.g. "security.debian.org"
to determine what is a security update and what isn't instead of using
the repository metadata provided by apt's libraries.

>From src/generic/apt/apt.cc:

bool is_security(const pkgCache::VerIterator )
{
  static std::regex site_regex { "^security\\.(.+\\.)?debian.org$" };
  std::smatch site_match;

  for (pkgCache::VerFileIterator F = ver.FileList(); !F.end(); ++F)
{
  pkgCache::PkgFileIterator fileit = F.File();
  if (!fileit.end())
{
  string site  = fileit.Site()  ? fileit.Site()  : "";
  string label = fileit.Label() ? fileit.Label() : "";
  std::regex_search(site, site_match, site_regex);

  if (!site_match.empty() && label == "Debian-Security")
return true;
}
}

  return false;
}

This should rather look at metadata (especially the label) like this:

$ apt-cache policy | fgrep -i security
 990 http://security.debian.org stretch/updates/non-free i386 Packages
 release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=non-free,b=i386
 origin security.debian.org
 990 http://security.debian.org stretch/updates/contrib i386 Packages
 release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=contrib,b=i386
 origin security.debian.org
 990 http://security.debian.org stretch/updates/main i386 Packages
 release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
 origin security.debian.org
 990 https://security.debian.ethz.ch stretch/updates/non-free i386 Packages
 release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=non-free,b=i386
 origin security.debian.ethz.ch
 990 https://security.debian.ethz.ch stretch/updates/contrib i386 Packages
 release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=contrib,b=i386
 origin security.debian.ethz.ch
 990 https://security.debian.ethz.ch stretch/updates/main i386 Packages
 release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
 origin security.debian.ethz.ch

-- Package-specific info:
Terminal: eterm-color
$DISPLAY is set.
which aptitude: /usr/bin/aptitude

aptitude version information:
aptitude 0.8.10
Compiler: g++ 7.2.0
Compiled against:
  apt version 5.0.2
  NCurses version 6.0
  libsigc++ version: 2.10.0
  Gtk+ support disabled.
  Qt support disabled.

Current library versions:
  NCurses version: ncurses 6.1.20180127
  cwidget version: 0.5.17
  Apt version: 5.0.2

aptitude linkage:
linux-vdso.so.1 (0x7ffe162c2000)
libapt-pkg.so.5.0 => /usr/lib/x86_64-linux-gnu/libapt-pkg.so.5.0 
(0x7f25c9b42000)
libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 
(0x7f25c9912000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 
(0x7f25c96e8000)
libsigc-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libsigc-2.0.so.0 
(0x7f25c94e1000)
libcwidget.so.3 => /usr/lib/x86_64-linux-gnu/libcwidget.so.3 
(0x7f25c91e9000)
libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 
(0x7f25c8edc000)
libboost_iostreams.so.1.62.0 => 
/usr/lib/x86_64-linux-gnu/libboost_iostreams.so.1.62.0 (0x7f25c8cc4000)
libboost_filesystem.so.1.62.0 => 
/usr/lib/x86_64-linux-gnu/libboost_filesystem.so.1.62.0 (0x7f25c8aab000)
libboost_system.so.1.62.0 => 
/usr/lib/x86_64-linux-gnu/libboost_system.so.1.62.0 (0x7f25c88a7000)
libxapian.so.30 => /usr/lib/x86_64-linux-gnu/libxapian.so.30 
(0x7f25c849c000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 
(0x7f25c827e000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 
(0x7f25c7ef9000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x7f25c7b66000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 
(0x7f25c794e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f25c7594000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 
(0x7f25c737d000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7f25c7163000)
libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 
(0x7f25c6f53000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x7f25c6d2d000)
liblz4.so.1 => /usr/lib/x86_64-linux-gnu/liblz4.so.1 
(0x7f25c6b18000)
libudev.so.1 => /lib/x86_64-linux-gnu/libudev.so.1 (0x7f25c68fa000)
/lib64/ld-linux-x86-64.so.2 (0x7f25ca511000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7f25c66f6000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x7f25c64ee000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x7f25c62e7000)

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), 
(500, 'buildd-unstable'), (110, 'experimental'), (1,