if (Start->Type == pkgCache::Dep::DpkgBreaks)
{
- /* Would it help if we upgraded? */
- if (Cache[End] & pkgDepCache::DepGCVer) {
+ // first, try upgradring the package, if that
+ // does not help, the breaks goes onto the
+ // kill list
+ // FIXME: use DoUpgrade(Pkg) instead?
+ if (Cache[End] & pkgDepCache::DepGCVer)
+ {
if (Debug)
clog << " Upgrading " << Pkg.Name() << " due to Breaks field in " << I.Name() << endl;
Cache.MarkInstall(Pkg, false, 0, false);
continue;
}
- if (Debug)
- clog << " Will not break " << Pkg.Name() << " as stated in Breaks field in " << I.Name() <<endl;
- Cache.MarkKeep(I, false, false);
- continue;
}
// Skip adding to the kill list if it is protected
if ((Cache[J->Dep] & pkgDepCache::DepGNow) == 0)
{
if (J->Dep->Type == pkgCache::Dep::Conflicts ||
+ J->Dep->Type == pkgCache::Dep::DpkgBreaks ||
J->Dep->Type == pkgCache::Dep::Obsoletes)
{
if (Debug == true)
return _error->Error(_("Some index files failed to download, they have been ignored, or old ones used instead."));
- // Run the scripts if all was fine
+ // Run the success scripts if all was fine
+ if(!TransientNetworkFailure && !Failed)
+ RunScripts("APT::Update::Post-Invoke-Success");
+
+ // Run the other scripts
RunScripts("APT::Update::Post-Invoke");
return true;
}
new pkgAcqIndex(Owner, (*Target)->URI, (*Target)->Description,
(*Target)->ShortDesc, HashString());
}
+ // this is normally created in pkgAcqMetaSig, but if we run
+ // in --print-uris mode, we add it here
+ new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"),
+ MetaIndexInfo("Release"), "Release",
+ MetaIndexURI("Release.gpg"),
+ ComputeIndexTargets(),
+ new indexRecords (Dist));
+
}
+
new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
MetaIndexInfo("Release.gpg"), "Release.gpg",
MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
sighandler_t old_SIGINT = signal(SIGINT,SIG_IGN);
struct termios tt;
+ struct termios tt_out;
struct winsize win;
int master;
int slave;
// FIXME: setup sensible signal handling (*ick*)
tcgetattr(0, &tt);
+ tcgetattr(1, &tt_out);
ioctl(0, TIOCGWINSZ, (char *)&win);
- if (openpty(&master, &slave, NULL, &tt, &win) < 0)
+ if (openpty(&master, &slave, NULL, &tt_out, &win) < 0)
{
const char *s = _("Can not write log, openpty() "
"failed (/dev/pts not mounted?)\n");
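Review bot: The return value of the added `tcgetattr(1, &tt_out)` is not checked, so when stdout is not a terminal (output piped or redirected) `tt_out` stays uninitialized and is then handed to openpty() as the new pty's terminal settings. Check the call and fall back to a defined value, for example `if (tcgetattr(1, &tt_out) < 0) tt_out = tt;`, or pass NULL for the termios argument when no settings could be read. The existing `tcgetattr(0, &tt)` has the same gap, so the fallback is only safe once that call is checked too. The enclosing function starts and ends outside the hunk.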
buf[end-start] = 0x0;
if (regexec(&Pattern,buf,0,0,0) != 0)
continue;
- res &= TryToInstall(Pkg,Cache,Fix,Remove,true,ExpectedInst);
+ res &= TryToInstall(Pkg,Cache,Fix,Remove,false,ExpectedInst);
found = true;
}
GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg"
+MASTER_KEYRING=""
+ARCHIVE_KEYRING_URI=""
+#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg
+#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg
+
ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg
+add_keys_with_verify_against_master_keyring() {
+ ADD_KEYRING=$1
+ MASTER=$2
+
+ if [ ! -f "$ADD_KEYRING" ]; then
+ echo "ERROR: '$ADD_KEYRING' not found"
+ return
+ fi
+ if [ ! -f "$MASTER" ]; then
+ echo "ERROR: '$MASTER' not found"
+ return
+ fi
+
+ # when adding new keys, make sure that the archive-master-keyring
+ # is honored. so:
+ # all keys that are exported and have the name
+ # "Ubuntu Archive Automatic Signing Key" must have a valid signature
+ # from a key in the ubuntu-master-keyring
+ add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ for add_key in $add_keys; do
+ ADDED=0
+ for master_key in $master_keys; do
+ if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
+ $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
+ ADDED=1
+ fi
+ done
+ if [ $ADDED = 0 ]; then
+ echo >&2 "Key '$add_key' not added. It is not signed with a master key"
+ fi
+ done
+}
+
+# update the current archive signing keyring from a network URI
+# the archive-keyring keys needs to be signed with the master key
+# (otherwise it does not make sense from a security POV)
+net_update() {
+ if [ -z "$ARCHIVE_KEYRING_URI" ]; then
+ echo "ERROR: no location for the archive-keyring given"
+ fi
+ if [ ! -d /var/lib/apt/keyrings ]; then
+ mkdir -p /var/lib/apt/keyrings
+ fi
+ keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
+ old_mtime=0
+ if [ -e $keyring ]; then
+ old_mtime=$(stat -c %Y $keyring)
+ fi
+ (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
+ if [ ! -e $keyring ]; then
+ return
+ fi
+ new_mtime=$(stat -c %Y $keyring)
+ if [ $new_mtime -ne $old_mtime ]; then
+ echo "Checking for new archive signing keys now"
+ add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
+ fi
+}
update() {
if [ ! -f $ARCHIVE_KEYRING ]; then
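Review bot: In add_keys_with_verify_against_master_keyring the decision to import rests on `--list-sigs`, which only lists the signature packets attached to a key and does not verify them, so the `grep -q $master_key` match shows that a signature naming a master key ID is present, not that it is valid. The check should use `--check-sigs` with the master keyring loaded and accept only verified entries: `if $GPG_CMD --keyring "$ADD_KEYRING" --keyring "$MASTER" --check-sigs --with-colons "$add_key" | grep '^sig:!:' | cut -d: -f5 | grep -q "$master_key"; then`. This matters most for net_update, where the keyring is fetched with wget and the commented-out example URI is plain http, which leaves this check as the only integrity control on what is imported into trusted.gpg. The later `add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING` call in update() relies on the same check. net_update also carries on after printing "ERROR: no location for the archive-keyring given"; a `return 1` belongs after that echo.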
exit 1
fi
- # add new keys
- $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
+ # add new keys, if no MASTER_KEYRING is used, use the traditional
+ # way
+ if [ -z "$MASTER_KEYRING" ]; then
+ $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
+ else
+ add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING
+ fi
- # remove no-longer used keys
+ # remove no-longer supported/used keys
keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
for key in $keys; do
if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
done
}
+
usage() {
echo "Usage: apt-key [command] [arguments]"
echo
echo " apt-key export <keyid> - output the key <keyid>"
echo " apt-key exportall - output all trusted keys"
echo " apt-key update - update keys using the keyring package"
+ echo " apt-key net-update - update keys using the network"
echo " apt-key list - list keys"
echo
}
update)
update
;;
+ net-update)
+ net_update
+ ;;
list)
$GPG --batch --list-keys
;;
apt (0.7.12) UNRELEASED; urgency=low
+ [ Michael Vogt ]
+ * cmdline/apt-key:
+ - add support for a master-keyring that contains signing keys
+ that can be used to sign the archive signing keys. This should
+ make key-rollover easier.
+ * apt-pkg/deb/dpkgpm.cc:
+ - merged patch from Kees Cook to fix anoying upper-case display
+ on amd64 in sbuild
+ * apt-pkg/algorithms.cc:
+ - add APT::Update::Post-Invoke-Success script slot
+ - Make the breaks handling use the kill list. This means, that a
+ Breaks: Pkg (<< version) may put Pkg onto the remove list.
+ * apt-pkg/deb/debmetaindex.cc:
+ - add missing "Release" file uri when apt-get update --print-uris
+ is run
+ * methods/connect.cc:
+ - remember hosts with Resolve failures or connect Timeouts
+
[ Christian Perrier ]
* Fix typos in manpages. Thanks to Daniel Leidert for the fixes
Closes: #444922
- -- Christian Perrier <bubulle@debian.org> Tue, 19 Feb 2008 20:34:02 +0100
+ -- Michael Vogt <mvo@debian.org> Thu, 10 Jan 2008 12:06:12 +0100
apt (0.7.11) unstable; urgency=critical
#include <errno.h>
#include <unistd.h>
+#include<set>
+#include<string>
+
// Internet stuff
#include <netinet/in.h>
#include <sys/socket.h>
static struct addrinfo *LastHostAddr = 0;
static struct addrinfo *LastUsed = 0;
+// Set of IP/hostnames that we timed out before or couldn't resolve
+static std::set<string> bad_addr;
+
// RotateDNS - Select a new server from a DNS rotation /*{{{*/
// ---------------------------------------------------------------------
/* This is called during certain errors in order to recover by selecting a
NI_NUMERICHOST|NI_NUMERICSERV);
Owner->Status(_("Connecting to %s (%s)"),Host.c_str(),Name);
+ // if that addr did timeout before, we do not try it again
+ if(bad_addr.find(string(Name)) != bad_addr.end())
+ return false;
+
/* If this is an IP rotation store the IP we are using.. If something goes
wrong this will get tacked onto the end of the error message */
if (LastHostAddr->ai_next != 0)
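Review bot: The early `return false` for a cached address keys `bad_addr` on the numeric address alone, and the set is a file-level static with no expiry. One connect timeout (recorded by `bad_addr.insert(bad_addr.begin(), string(Name))` in the timeout branch) therefore suppresses every later attempt to that address, on any service, until the method process exits. Hostnames from the resolve path and numeric addresses also share the same set. If never retrying is intended for the networkless-install case, state it on the declaration, e.g. `// entries never expire; they live until the method process exits`, and consider keying on address plus Service. The enclosing function starts and ends outside the hunk.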
/* This implements a timeout for connect by opening the connection
nonblocking */
if (WaitFd(Fd,true,TimeOut) == false) {
+ bad_addr.insert(bad_addr.begin(), string(Name));
Owner->SetFailExtraMsg("\nFailReason: Timeout");
return _error->Error(_("Could not connect to %s:%s (%s), "
"connection timed out"),Host.c_str(),Service,Name);
Hints.ai_socktype = SOCK_STREAM;
Hints.ai_protocol = 0;
+ // if we couldn't resolve the host before, we don't try now
+ if(bad_addr.find(Host) != bad_addr.end())
+ return _error->Error(_("Could not resolve '%s'"),Host.c_str());
+
// Resolve both the host and service simultaneously
while (1)
{
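Review bot: The cached-failure return added here skips the `Owner->SetFailExtraMsg("\nFailReason: ResolveFailure")` call that the original resolve-failure path makes before returning the same error, so a repeated failure for the same host reaches the caller without a FailReason. Adding that call before the new `return _error->Error(_("Could not resolve '%s'"),Host.c_str());` keeps the two paths consistent. The timeout shortcut `if(bad_addr.find(string(Name)) != bad_addr.end()) return false;` likewise returns without the `FailReason: Timeout` message that the real timeout path sets. The enclosing function continues outside the hunk.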
DefPort = 0;
continue;
}
+ bad_addr.insert(bad_addr.begin(), Host);
Owner->SetFailExtraMsg("\nFailReason: ResolveFailure");
return _error->Error(_("Could not resolve '%s'"),Host.c_str());
}
--- /dev/null
+
+Those tests aim at making the networkless install timeout
+quicker, see
+https://wiki.ubuntu.com/NetworklessInstallationFixes
+for details
--- /dev/null
+
+# archive.ubuntu.com
+deb http://archive.ubuntu.com/ubuntu/ hardy main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ hardy main restricted
+
+deb http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates main restricted
+
+deb http://archive.ubuntu.com/ubuntu/ hardy universe
+deb-src http://archive.ubuntu.com/ubuntu/ hardy universe
+
+deb http://archive.ubuntu.com/ubuntu/ hardy-updates universe
+deb-src http://archive.ubuntu.com/ubuntu/ hardy-updates universe
+
+# security.ubuntu.com
+deb http://security.ubuntu.com/ubuntu/ hardy-security main restricted
+deb-src http://security.ubuntu.com/ubuntu/ hardy-security main restricted
+
+deb http://security.ubuntu.com/ubuntu/ hardy-security universe
+deb-src http://security.ubuntu.com/ubuntu/ hardy-security universe
+
+
+# archive.canonical.com
+deb http://archive.canonical.com/ubuntu/ hardy-partner universe
+deb-src http://archive.canonical.com/ubuntu/ hardy-partner universe
--- /dev/null
+#!/bin/sh
+
+OPTS="-o Dir::Etc::sourcelist=./sources.test.list -o Acquire::http::timeout=20"
+
+# setup
+unset http_proxy
+iptables --flush
+
+echo "No network at all"
+ifdown eth0
+time apt-get update $OPTS 2>&1 |grep system
+ifup eth0
+echo ""
+
+echo "no working DNS (port 53 DROP)"
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+time apt-get update $OPTS 2>&1 |grep system
+iptables --flush
+echo ""
+
+echo "DNS but no access to archive.ubuntu.com (port 80 DROP)"
+iptables -A OUTPUT -p tcp --dport 80 -j DROP
+time apt-get update $OPTS 2>&1 |grep system
+iptables --flush
+echo ""
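Review bot: The script calls `iptables --flush` in setup and after each case, which deletes every rule on the machine it runs on rather than only the DROP rule the test added, so the host is left without its previous filter rules afterwards. Removing just the test's own rule is safer: `iptables -D OUTPUT -p udp --dport 53 -j DROP` and `iptables -D OUTPUT -p tcp --dport 80 -j DROP`. If the script is interrupted between the `-A` and the cleanup, the DROP rule stays in place, so a `trap` that performs the same deletion and `ifup eth0` would help. A header comment such as `# must run as root on a disposable test machine; changes eth0 state and iptables rules` would document the requirement.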