From: Michael Vogt Date: Mon, 4 Feb 2008 14:36:11 +0000 (+0100) Subject: merged from apt-authentication-reliability X-Git-Tag: 0.7.24ubuntu1~101 X-Git-Url: https://git.saurik.com/apt.git/commitdiff_plain/e779ece477b9af1cc774c80c17d1dbfa6feb2b01 merged from apt-authentication-reliability --- e779ece477b9af1cc774c80c17d1dbfa6feb2b01 diff --cc cmdline/apt-key index d9739461c,048105320..860895ae2 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@@ -9,9 -9,39 +9,38 @@@ GPG_CMD="gpg --ignore-time-conflict --n GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg" -MASTER_KEYRING="" -#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg -ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg -REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg ++MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg +ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg +REMOVED_KEYS=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg + add_keys_with_verify_against_master_keyring() { + ADD_KEYRING=$1 + MASTER=$2 + + if [ ! -f "$ADD_KEYRING" ]; then + echo "ERROR: '$ADD_KEYRING' not found" + return + fi + if [ ! -f "$MASTER" ]; then + echo "ERROR: '$MASTER' not found" + return + fi + + # when adding new keys, make sure that the archive-master-keyring + # is honored. so: + # all keys that are exported and have the name + # "Ubuntu Archive Automatic Signing Key" must have a valid signature + # from a key in the ubuntu-master-keyring + add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + for add_key in $add_keys; do + for master_key in $master_keys; do + if $GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import + fi + done + done + } update() { if [ ! 
-f $ARCHIVE_KEYRING ]; then diff --cc debian/changelog index 12b3b5ddc,497053111..b94835a35 --- a/debian/changelog +++ b/debian/changelog @@@ -1,44 -1,36 +1,54 @@@ -apt (0.7.11) UNRELEASED; urgency=low +apt (0.7.9ubuntu6) hardy; urgency=low - [ Colin Watson ] - * apt-pkg/algorithms.cc: - - Since APT::Get::List-Cleanup and APT::List-Cleanup both default to - true, the effect of the compatibility code was to require both of them - to be set to false in order to disable list cleanup; this broke the - installer. Instead, disable list cleanup if either of them is set to - false. - + [ Michael Vogt ] + * cmdline/apt-key: + - add support for a master-keyring that contains signing keys + that can be used to sign the archive signing keys. This should + make key-rollover easier. + * apt-pkg/deb/dpkgpm.cc: + - merged patch from Kees Cook to fix anoying upper-case display + on amd64 in sbuild + * apt-pkg/algorithms.cc: + - add APT::Update::Post-Invoke-Success script slot + * apt-pkg/deb/dpkgpm.cc: + - add APT::Apport::MaxReports to limit the maximum number + of reports generated in a single run (default to 3) + - -- ++ -- Michael Vogt Mon, 04 Feb 2008 14:28:02 +0100 + +apt (0.7.9ubuntu5) hardy; urgency=low + + * Merged apt-authentication-reliabilty branch. This means + that apt will refuse to update and use the old lists if + the authentication of a repository that used to be + authenticated fails. See + https://wiki.ubuntu.com/AptAuthenticationReliability + for more details. - -- Michael Vogt Thu, 10 Jan 2008 12:06:12 +0100 + -- Michael Vogt Wed, 16 Jan 2008 10:36:10 +0100 -apt (0.7.10) unstable; urgency=low +apt (0.7.9ubuntu4) hardy; urgency=low + + * apt-pkg/algorithms.cc: + - Since APT::Get::List-Cleanup and APT::List-Cleanup both default to + true, the effect of the compatibility code was to require both of them + to be set to false in order to disable list cleanup; this broke the + installer. Instead, disable list cleanup if either of them is set to + false. 
+ + -- Colin Watson Wed, 09 Jan 2008 22:34:37 +0000 + +apt (0.7.9ubuntu3) hardy; urgency=low + + * merged the apt--DoListUpdate branch, this provides a common interface + for "apt-get update" like operations for the frontends and also provides + hooks to run stuff in APT::Update::{Pre,Post}-Invoke + + -- Michael Vogt Mon, 07 Jan 2008 19:02:11 +0100 + +apt (0.7.9ubuntu2) hardy; urgency=low [ Otavio Salvador ] - * Applied patch from Mike O'Connor to add a manpage to - apt-mark, closes: #430207. - * Applied patch from Andrei Popescu to add a - note about some frontends in apt.8 manpage, closes: #438545. - * Applied patch from Aurelien Jarno to avoid CPU - getting crazy when /dev/null is redirected to stdin (which breaks - buildds), closes: #452858. * Applied patch from Aurelien Jarno to fix building with newest dpkg-shlibdeps changing the packaging building order and a patch from Robert Millan to fix parallel building,
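Review bot: in add_keys_with_verify_against_master_keyring() in cmdline/apt-key, the test `$GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key` does not verify a signature. `--list-sigs` only lists signature packets, so field 5 is the key ID the packet claims, not one gpg has checked. In addition, `$GPG` reads /etc/apt/trusted.gpg, while the candidate key is in `$ADD_KEYRING`. Suggest running `--check-sigs --with-colons` with both `--keyring $ADD_KEYRING` and `--keyring $MASTER`, and accepting a key only on lines gpg marks as good (`^sig:!:`). Smaller points in the same function: the export reads from the global `$ARCHIVE_KEYRING` instead of the `$ADD_KEYRING` argument; the comment's restriction to keys named "Ubuntu Archive Automatic Signing Key" is not implemented in the loop; both error paths print to stdout and `return` with status 0, so callers cannot detect the failure; and `$ADD_KEYRING`, `$MASTER`, `$add_key` and `$master_key` are unquoted.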
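Review bot: in debian/changelog, the 0.7.9ubuntu6 entry lists `* apt-pkg/deb/dpkgpm.cc:` twice (the Kees Cook patch and APT::Apport::MaxReports); fold both items under one file heading. The cmdline/apt-key item describes the master keyring only as making key rollover easier and does not say that keys are now imported only when they carry a master-key signature, which is the behaviour change an administrator needs to know about. Two spelling fixes while here: "anoying" should be "annoying", and "apt-authentication-reliabilty" in the 0.7.9ubuntu5 entry should be "apt-authentication-reliability".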