
* French manpage translation update

* spot & fix various typos in all manpages
* German manpage translation update
* cmdline/apt-cache.cc:
  - remove translatable marker from the "%4i %s\n" string
* buildlib/po4a_manpage.mak:
  - instruct debiandoc to build files with utf-8 encoding
* buildlib/tools.m4:
  - fix some warnings from the buildtools
* apt-pkg/acquire-item.cc:
  - add configuration PDiffs::Limit-options to not download
    too many or too big patches (Closes: #554349)
* debian/control:
  - let all packages depend on ${misc:Depends}
* share/*-archive.gpg:
  - remove the horrible outdated files. We already depend on
    the keyring so we don't need to ship our own version
* cmdline/apt-key:
  - errors out if wget is not installed (Closes: #545754)
  - add --keyring option as we have now possibly many
* methods/gpgv.cc:
  - pass all keyrings (TrustedParts) to gpgv instead of
    using only one trusted.gpg keyring (Closes: #304846)
* methods/https.cc:
  - finally merge the rest of the patchset from Arnaud Ebalard
    with the CRL and Issuers options, thanks! (Closes: #485963)
Michael Vogt 14 years ago
parent
commit
46e39c8e14

+ 2 - 0
.bzrignore

@@ -8,6 +8,8 @@ aclocal.m4
 autom4te.cache/
 build/
 configure
+buildlib/config.sub
+buildlib/config.guess
 
 # generated files in the progress to build all
 # apt man pages and other documentation

+ 49 - 13
apt-pkg/acquire-item.cc

@@ -219,19 +219,19 @@ bool pkgAcqDiffIndex::ParseDiffIndex(string IndexDiffFile)		/*{{{*/
 
    if(TF.Step(Tags) == true)
    {
-      string local_sha1;
       bool found = false;
       DiffInfo d;
       string size;
 
-      string tmp = Tags.FindS("SHA1-Current");
+      string const tmp = Tags.FindS("SHA1-Current");
       std::stringstream ss(tmp);
-      ss >> ServerSha1;
+      ss >> ServerSha1 >> size;
+      unsigned long const ServerSize = atol(size.c_str());
 
       FileFd fd(CurrentPackagesFile, FileFd::ReadOnly);
       SHA1Summation SHA1;
       SHA1.AddFD(fd.Fd(), fd.Size());
-      local_sha1 = string(SHA1.Result());
+      string const local_sha1 = SHA1.Result();
 
       if(local_sha1 == ServerSha1) 
       {
@@ -248,20 +248,56 @@ bool pkgAcqDiffIndex::ParseDiffIndex(string IndexDiffFile)		/*{{{*/
 	    std::clog << "SHA1-Current: " << ServerSha1 << std::endl;
 
 	 // check the historie and see what patches we need
-	 string history = Tags.FindS("SHA1-History");     
+	 string const history = Tags.FindS("SHA1-History");
 	 std::stringstream hist(history);
-	 while(hist >> d.sha1 >> size >> d.file) 
+	 while(hist >> d.sha1 >> size >> d.file)
 	 {
-	    d.size = atoi(size.c_str());
 	    // read until the first match is found
+	    // from that point on, we probably need all diffs
 	    if(d.sha1 == local_sha1) 
 	       found=true;
-	    // from that point on, we probably need all diffs
-	    if(found) 
+	    else if (found == false)
+	       continue;
+
+	    if(Debug)
+	       std::clog << "Need to get diff: " << d.file << std::endl;
+	    available_patches.push_back(d);
+	 }
+
+	 if (available_patches.empty() == false)
+	 {
+	    // patching with too many files is rather slow compared to a fast download
+	    unsigned long const fileLimit = _config->FindI("Acquire::PDiffs::FileLimit", 0);
+	    if (fileLimit != 0 && fileLimit < available_patches.size())
+	    {
+	       if (Debug)
+		  std::clog << "Need " << available_patches.size() << " diffs (Limit is " << fileLimit
+			<< ") so fallback to complete download" << std::endl;
+	       return false;
+	    }
+
+	    // see if the patches are too big
+	    found = false; // it was true and it will be true again at the end
+	    d = *available_patches.begin();
+	    string const firstPatch = d.file;
+	    unsigned long patchesSize = 0;
+	    std::stringstream patches(Tags.FindS("SHA1-Patches"));
+	    while(patches >> d.sha1 >> size >> d.file)
+	    {
+	       if (firstPatch == d.file)
+		  found = true;
+	       else if (found == false)
+		  continue;
+
+	       patchesSize += atol(size.c_str());
+	    }
+	    unsigned long const sizeLimit = ServerSize * _config->FindI("Acquire::PDiffs::SizeLimit", 100);
+	    if (sizeLimit > 0 && (sizeLimit/100) < patchesSize)
 	    {
-	       if(Debug)
-		  std::clog << "Need to get diff: " << d.file << std::endl;
-	       available_patches.push_back(d);
+	       if (Debug)
+		  std::clog << "Need " << patchesSize << " bytes (Limit is " << sizeLimit/100
+			<< ") so fallback to complete download" << std::endl;
+	       return false;
 	    }
 	 }
       }
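Review bot: The size guard is silently disabled whenever `ServerSize` is 0, which is exactly what `atol(size.c_str())` yields when the `SHA1-Current` line carries no (or an unparseable) size field: `sizeLimit` then computes to 0, `sizeLimit > 0` is false, and an old-style or malformed diff index bypasses `Acquire::PDiffs::SizeLimit` entirely instead of taking the complete-download fallback the limit exists for. The product `ServerSize * _config->FindI(...)` can also wrap on a 32-bit `unsigned long` for large index files if the percentage is configured above the default, and since `FindI` returns an `int`, a negative setting turns into a huge unsigned limit rather than "disabled". I would read the percentage first, treat a zero `ServerSize` as "limit cannot be evaluated, fall back", and do the multiplication in a wider type. `ParseDiffIndex` starts and ends outside this hunk.
```cpp
            // … unchanged: patchesSize accumulation loop over SHA1-Patches …
            int const sizePercent = _config->FindI("Acquire::PDiffs::SizeLimit", 100);
            if (sizePercent > 0)
            {
               // no usable size in SHA1-Current: the limit cannot be evaluated,
               // so take the conservative path instead of skipping the check
               if (ServerSize == 0)
                  return false;
               unsigned long long const sizeLimit =
                  (static_cast<unsigned long long>(ServerSize) * sizePercent) / 100;
               if (sizeLimit < patchesSize)
               {
                  if (Debug)
                     std::clog << "Need " << patchesSize << " bytes (Limit is " << sizeLimit
                           << ") so fallback to complete download" << std::endl;
                  return false;
               }
            }
```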
@@ -270,7 +306,7 @@ bool pkgAcqDiffIndex::ParseDiffIndex(string IndexDiffFile)		/*{{{*/
       if(found) 
       {
 	 // queue the diffs
-	 string::size_type last_space = Description.rfind(" ");
+	 string::size_type const last_space = Description.rfind(" ");
 	 if(last_space != string::npos)
 	    Description.erase(last_space, Description.size()-last_space);
 	 new pkgAcqIndexDiffs(Owner, RealURI, Description, Desc.ShortDesc,

+ 2 - 39
apt-pkg/contrib/configuration.cc

@@ -22,14 +22,8 @@
 #include <apti18n.h>
 
 #include <vector>
-#include <algorithm>
 #include <fstream>
 #include <iostream>
-    
-#include <stdio.h>
-#include <dirent.h>
-#include <sys/stat.h>
-#include <unistd.h>
 
 using namespace std;
 									/*}}}*/
@@ -835,39 +829,8 @@ bool ReadConfigFile(Configuration &Conf,const string &FName,bool AsSectional,
 // ReadConfigDir - Read a directory of config files			/*{{{*/
 // ---------------------------------------------------------------------
 /* */
-bool ReadConfigDir(Configuration &Conf,const string &Dir,bool AsSectional,
-		   unsigned Depth)
-{   
-   DIR *D = opendir(Dir.c_str());
-   if (D == 0)
-      return _error->Errno("opendir",_("Unable to read %s"),Dir.c_str());
-
-   vector<string> List;
-   
-   for (struct dirent *Ent = readdir(D); Ent != 0; Ent = readdir(D))
-   {
-      if (Ent->d_name[0] == '.')
-	 continue;
-      
-      // Skip bad file names ala run-parts
-      const char *C = Ent->d_name;
-      for (; *C != 0; C++)
-	 if (isalpha(*C) == 0 && isdigit(*C) == 0 && *C != '_' && *C != '-')
-	    break;
-      if (*C != 0)
-	 continue;
-      
-      // Make sure it is a file and not something else
-      string File = flCombine(Dir,Ent->d_name);
-      struct stat St;
-      if (stat(File.c_str(),&St) != 0 || S_ISREG(St.st_mode) == 0)
-	 continue;
-      
-      List.push_back(File);      
-   }   
-   closedir(D);
-   
-   sort(List.begin(),List.end());
+{
+   vector<string> const List = GetListOfFilesInDir(Dir, "", true);
 
    // Read the files
    for (vector<string>::const_iterator I = List.begin(); I != List.end(); I++)
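Review bot: `ReadConfigDir` no longer fails when the directory cannot be opened: the removed code returned `_error->Errno(...)`, i.e. false, whereas `GetListOfFilesInDir` only records the error and hands back an empty list, so the function presumably runs on to its normal `return true` (its body continues past the hunk) with an error left pending that callers checking the return value never see. The same substitution is made in `ReadPinDir` in apt-pkg/policy.cc and `ReadSourceDir` in apt-pkg/sourcelist.cc. A one-line guard after the call restores the old contract in all three places: `if (_error->PendingError() == true) return false;`. Separately, as rendered the new side shows only `{` where the signature lines were removed; that is presumably a display artefact of the page rather than the committed text, but it is worth confirming.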

+ 50 - 0
apt-pkg/contrib/fileutl.cc

@@ -34,9 +34,11 @@
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/wait.h>
+#include <dirent.h>
 #include <signal.h>
 #include <errno.h>
 #include <set>
+#include <algorithm>
 									/*}}}*/
 
 using namespace std;
@@ -195,6 +197,54 @@ bool FileExists(string File)
    return true;
 }
 									/*}}}*/
+// GetListOfFilesInDir - returns a vector of files in the given dir	/*{{{*/
+// ---------------------------------------------------------------------
+/* If an extension is given only files with this extension are included
+   in the returned vector, otherwise every "normal" file is included. */
+std::vector<string> GetListOfFilesInDir(string const &Dir, string const &Ext,
+					bool const &SortList) 
+{
+   std::vector<string> List;
+   DIR *D = opendir(Dir.c_str());
+   if (D == 0) 
+   {
+      _error->Errno("opendir",_("Unable to read %s"),Dir.c_str());
+      return List;
+   }
+
+   for (struct dirent *Ent = readdir(D); Ent != 0; Ent = readdir(D)) 
+   {
+      if (Ent->d_name[0] == '.')
+	 continue;
+
+      if (Ext.empty() == false && flExtension(Ent->d_name) != Ext)
+	 continue;
+
+      // Skip bad file names ala run-parts
+      const char *C = Ent->d_name;
+      for (; *C != 0; ++C)
+	 if (isalpha(*C) == 0 && isdigit(*C) == 0
+	     && *C != '_' && *C != '-' && *C != '.')
+	    break;
+
+      if (*C != 0)
+	 continue;
+
+      // Make sure it is a file and not something else
+      string const File = flCombine(Dir,Ent->d_name);
+      struct stat St;
+      if (stat(File.c_str(),&St) != 0 || S_ISREG(St.st_mode) == 0)
+	 continue;
+
+      List.push_back(File);
+   }
+   closedir(D);
+
+   if (SortList == true)
+      std::sort(List.begin(),List.end());
+   return List;
+}
+									/*}}}*/
 // SafeGetCWD - This is a safer getcwd that returns a dynamic string	/*{{{*/
 // ---------------------------------------------------------------------
 /* We return / on failure. */

+ 3 - 0
apt-pkg/contrib/fileutl.h

@@ -23,6 +23,7 @@
 
 
 #include <string>
+#include <vector>
 
 using std::string;
 
@@ -81,6 +82,8 @@ bool RunScripts(const char *Cnf);
 bool CopyFile(FileFd &From,FileFd &To);
 int GetLock(string File,bool Errors = true);
 bool FileExists(string File);
+std::vector<string> GetListOfFilesInDir(string const &Dir, string const &Ext,
+					bool const &SortList);
 string SafeGetCWD();
 void SetCloseExec(int Fd,bool Close);
 void SetNonBlock(int Fd,bool Block);

+ 2 - 2
apt-pkg/indexcopy.cc

@@ -275,7 +275,7 @@ bool IndexCopy::CopyPackages(string CDROM,string Name,vector<string> &List,
       _error->Warning("No valid records were found.");
 
    if (NotFound + WrongSize > 10)
-      _error->Warning("Alot of entries were discarded, something may be wrong.\n");
+      _error->Warning("A lot of entries were discarded, something may be wrong.\n");
    
 
    return true;
@@ -847,7 +847,7 @@ bool TranslationsCopy::CopyTranslations(string CDROM,string Name,	/*{{{*/
       _error->Warning("No valid records were found.");
 
    if (NotFound + WrongSize > 10)
-      _error->Warning("Alot of entries were discarded, something may be wrong.\n");
+      _error->Warning("A lot of entries were discarded, something may be wrong.\n");
    
 
    return true;

+ 1 - 1
apt-pkg/pkgcache.cc

@@ -298,7 +298,7 @@ const char *
 pkgCache::PkgIterator::CandVersion() const 
 {
   //TargetVer is empty, so don't use it.
-  VerIterator version = pkgPolicy::pkgPolicy(Owner).GetCandidateVer(*this);
+  VerIterator version = pkgPolicy(Owner).GetCandidateVer(*this);
   if (version.IsGood())
     return version.VerStr();
   return 0;

+ 3 - 34
apt-pkg/policy.cc

@@ -27,14 +27,12 @@
 #include <apt-pkg/configuration.h>
 #include <apt-pkg/tagfile.h>
 #include <apt-pkg/strutl.h>
+#include <apt-pkg/fileutl.h>
 #include <apt-pkg/error.h>
 #include <apt-pkg/sptr.h>
-    
+
 #include <apti18n.h>
 
-#include <dirent.h>
-#include <sys/stat.h>
-#include <algorithm>
 #include <iostream>
 #include <sstream>
 									/*}}}*/
@@ -282,36 +280,7 @@ bool ReadPinDir(pkgPolicy &Plcy,string Dir)
       return true;
    }
 
-   DIR *D = opendir(Dir.c_str());
-   if (D == 0)
-      return _error->Errno("opendir",_("Unable to read %s"),Dir.c_str());
-
-   vector<string> List;
-
-   for (struct dirent *Ent = readdir(D); Ent != 0; Ent = readdir(D))
-   {
-      if (Ent->d_name[0] == '.')
-	 continue;
-
-      // Skip bad file names ala run-parts
-      const char *C = Ent->d_name;
-      for (; *C != 0; C++)
-	 if (isalpha(*C) == 0 && isdigit(*C) == 0 && *C != '_' && *C != '-')
-	    break;
-      if (*C != 0)
-	 continue;
-
-      // Make sure it is a file and not something else
-      string File = flCombine(Dir,Ent->d_name);
-      struct stat St;
-      if (stat(File.c_str(),&St) != 0 || S_ISREG(St.st_mode) == 0)
-	 continue;
-
-      List.push_back(File);
-   }
-   closedir(D);
-
-   sort(List.begin(),List.end());
+   vector<string> const List = GetListOfFilesInDir(Dir, "", true);
 
    // Read the files
    for (vector<string>::const_iterator I = List.begin(); I != List.end(); I++)

+ 1 - 42
apt-pkg/sourcelist.cc

@@ -17,13 +17,6 @@
 #include <apti18n.h>
 
 #include <fstream>
-
-// CNC:2003-03-03 - This is needed for ReadDir stuff.
-#include <algorithm>
-#include <stdio.h>
-#include <dirent.h>
-#include <sys/stat.h>
-#include <unistd.h>
 									/*}}}*/
 
 using namespace std;
@@ -322,41 +315,7 @@ bool pkgSourceList::GetIndexes(pkgAcquire *Owner, bool GetAll) const
 /* */
 bool pkgSourceList::ReadSourceDir(string Dir)
 {
-   DIR *D = opendir(Dir.c_str());
-   if (D == 0)
-      return _error->Errno("opendir",_("Unable to read %s"),Dir.c_str());
-
-   vector<string> List;
-   
-   for (struct dirent *Ent = readdir(D); Ent != 0; Ent = readdir(D))
-   {
-      if (Ent->d_name[0] == '.')
-	 continue;
-
-      // CNC:2003-12-02 Only accept .list files as valid sourceparts
-      if (flExtension(Ent->d_name) != "list")
-	 continue;
-      
-      // Skip bad file names ala run-parts
-      const char *C = Ent->d_name;
-      for (; *C != 0; C++)
-	 if (isalpha(*C) == 0 && isdigit(*C) == 0
-             && *C != '_' && *C != '-' && *C != '.')
-	    break;
-      if (*C != 0)
-	 continue;
-      
-      // Make sure it is a file and not something else
-      string File = flCombine(Dir,Ent->d_name);
-      struct stat St;
-      if (stat(File.c_str(),&St) != 0 || S_ISREG(St.st_mode) == 0)
-	 continue;
-      
-      List.push_back(File);      
-   }   
-   closedir(D);
-   
-   sort(List.begin(),List.end());
+   vector<string> const List = GetListOfFilesInDir(Dir, "list", true);
 
    // Read the files
    for (vector<string>::const_iterator I = List.begin(); I != List.end(); I++)

+ 1 - 1
buildlib/po4a_manpage.mak

@@ -57,5 +57,5 @@ endif
 
 # Debian Doc SGML Documents
 SOURCE := $(wildcard *.$(LC).sgml)
-DEBIANDOC_HTML_OPTIONS=-l $(LC)
+DEBIANDOC_HTML_OPTIONS=-l $(LC).UTF-8
 include $(DEBIANDOC_H)

+ 6 - 6
buildlib/tools.m4

@@ -1,4 +1,4 @@
-AC_DEFUN(ah_HAVE_GETCONF,
+AC_DEFUN([ah_HAVE_GETCONF],
 	[AC_ARG_WITH(getconf,
 		[  --with-getconf          Enable automagical buildtime configuration],
 		[if test "$withval" = "yes"; then
@@ -14,7 +14,7 @@ AC_DEFUN(ah_HAVE_GETCONF,
 ])
 
 dnl ah_GET_CONF(variable, value ..., [default])
-AC_DEFUN(ah_GET_GETCONF,
+AC_DEFUN([ah_GET_GETCONF],
 	[AC_REQUIRE([ah_HAVE_GETCONF])
 	if test ! -z "$GETCONF";then
 		old_args="[$]@"
@@ -28,7 +28,7 @@ AC_DEFUN(ah_GET_GETCONF,
 		eval $1="$3"
 	fi
 ])
-AC_DEFUN(ah_NUM_CPUS,
+AC_DEFUN([ah_NUM_CPUS],
 	[AC_MSG_CHECKING([number of cpus])
 	AC_ARG_WITH(cpus,
 		[  --with-cpus             The number of cpus to be used for building(see --with-procs, default 1)],
@@ -56,7 +56,7 @@ AC_DEFUN(ah_NUM_CPUS,
 	AC_MSG_RESULT([$ah_NUM_CPUS_msg])
 	AC_SUBST(NUM_CPUS)
 ])
-AC_DEFUN(ah_PROC_MULTIPLY,
+AC_DEFUN([ah_PROC_MULTIPLY],
 	[AC_REQUIRE([ah_NUM_CPUS])
 	AC_MSG_CHECKING([processor multiplier])
 	AC_ARG_WITH(proc-multiply,
@@ -72,7 +72,7 @@ AC_DEFUN(ah_PROC_MULTIPLY,
 	AC_SUBST(PROC_MULTIPLY)
 ])
 
-AC_DEFUN(ah_NUM_PROCS,
+AC_DEFUN([ah_NUM_PROCS],
 	[AC_REQUIRE([ah_PROC_MULTIPLY])
 	AC_REQUIRE([ah_NUM_CPUS])
 	AC_MSG_CHECKING([number of processes to run during make])
@@ -89,7 +89,7 @@ AC_DEFUN(ah_NUM_PROCS,
 	AC_SUBST(NUM_PROCS)
 ])
 
-AC_DEFUN(ah_GCC3DEP,[
+AC_DEFUN([ah_GCC3DEP],[
 	AC_MSG_CHECKING(if $CXX -MD works)
 	touch gcc3dep.cc
 	${CXX-c++} -MD -o gcc3dep_test.o -c gcc3dep.cc

+ 1 - 1
cmdline/apt-cache.cc

@@ -1620,7 +1620,7 @@ bool Policy(CommandLine &CmdL)
 	    if (SrcList->FindIndex(VF.File(),Indx) == false &&
 		_system->FindIndex(VF.File(),Indx) == false)
 	       return _error->Error(_("Cache is out of sync, can't x-ref a package file"));
-	    printf(_("       %4i %s\n"),Plcy.GetPriority(VF.File()),
+	    printf("       %4i %s\n",Plcy.GetPriority(VF.File()),
 		   Indx->Describe(true).c_str());
 	 }	 
       }      

+ 42 - 5
cmdline/apt-key

@@ -5,10 +5,8 @@ unset GREP_OPTIONS
 
 # We don't use a secret keyring, of course, but gpg panics and
 # implodes if there isn't one available
-
 GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg"
-GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg"
-
+GPG="$GPG_CMD"
 
 MASTER_KEYRING=""
 ARCHIVE_KEYRING_URI=""
@@ -56,7 +54,14 @@ add_keys_with_verify_against_master_keyring() {
 # (otherwise it does not make sense from a security POV)
 net_update() {
     if [ -z "$ARCHIVE_KEYRING_URI" ]; then
-	echo "ERROR: no location for the archive-keyring given" 
+	echo "ERROR: no location for the archive-keyring given"
+	exit 1
+    fi
+    # in theory we would need to depend on wget for this, but this feature
+    # isn't useable in debian anyway as we have no keyring uri nor a master key
+    if ! which wget >/dev/null 2>&1; then
+	echo "ERROR: an installed wget is required for a network-based update"
+	exit 1
     fi
     if [ ! -d /var/lib/apt/keyrings ]; then
 	mkdir -p /var/lib/apt/keyrings
@@ -108,7 +113,7 @@ update() {
 
 
 usage() {
-    echo "Usage: apt-key [command] [arguments]"
+    echo "Usage: apt-key [--keyring file] [command] [arguments]"
     echo
     echo "Manage apt's list of trusted keys"
     echo
@@ -122,8 +127,40 @@ usage() {
     echo "  apt-key finger              - list fingerprints"
     echo "  apt-key adv                 - pass advanced options to gpg (download key)"
     echo
+    echo "If no specific keyring file is given the command applies to all keyring files."
 }
 
+# Determine on which keyring we want to work
+if [ "$1" = "--keyring" ]; then
+        #echo "keyfile given"
+	shift
+	TRUSTEDFILE="$1"
+	if [ -r "$TRUSTEDFILE" ]; then
+		GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE"
+	else
+		echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable"
+		exit 1
+	fi
+	shift
+# otherwise use the default
+else
+	#echo "generate list"
+	TRUSTEDFILE="/etc/apt/trusted.gpg"
+	if [ -r "$TRUSTEDFILE" ]; then
+		GPG="$GPG --keyring $TRUSTEDFILE"
+	fi
+	GPG="$GPG --primary-keyring $TRUSTEDFILE"
+	TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
+	if [ -d "$TRUSTEDPARTS" ]; then
+		#echo "parts active"
+		for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do
+			#echo "part -> $trusted"
+			GPG="$GPG --keyring $trusted"
+		done
+	fi
+fi
+#echo "COMMAND: $GPG"
+
 command="$1"
 if [ -z "$command" ]; then
     usage
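Review bot: The `--keyring` handling block leaves several commented-out debug lines (`#echo "keyfile given"`, `#echo "generate list"`, `#echo "parts active"`, `#echo "part -> $trusted"`, `#echo "COMMAND: $GPG"`) in the shipped script; they should be dropped before this lands. In `net_update` the wget probe uses `which`, which is not POSIX and whose exit status varies between implementations; `if ! command -v wget >/dev/null 2>&1; then` is the portable form. Passing `--regex` to `run-parts` replaces its default strict filename check, and the listed paths are appended to `$GPG` and presumably expanded unquoted later in the script, so a `.gpg` file name containing whitespace would be split into separate arguments; since the directory is root-owned this is a robustness rather than a security concern, but a comment stating the assumption would help.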

+ 3 - 3
configure.in

@@ -96,10 +96,10 @@ AC_MSG_RESULT($archset)
 AC_DEFINE_UNQUOTED(COMMON_ARCH,"$archset")
 
 dnl We use C99 types if at all possible
-AC_CACHE_CHECK([for C99 integer types],c9x_ints,[
+AC_CACHE_CHECK([for C99 integer types],apt_cv_c9x_ints,[
     AC_TRY_COMPILE([#include <inttypes.h>],
                    [uint8_t Foo1;uint16_t Foo2;uint32_t Foo3;],
-		   c9x_ints=yes,c9x_ints=no)])
+		   apt_cv_c9x_ints=yes,apt_cv_c9x_ints=no)])
 
 dnl Single Unix Spec statvfs
 AC_CHECK_FUNC(statvfs,[HAVE_STATVFS=yes])
@@ -150,7 +150,7 @@ AC_C_BIGENDIAN
    
 dnl We do not need this if we have inttypes!
 HAVE_C9X=yes
-if test x"$c9x_ints" = x"no"; then
+if test x"$apt_cv_c9x_ints" = x"no"; then
    AC_CHECK_SIZEOF(char,$size_char)
    AC_CHECK_SIZEOF(int,$size_int)
    AC_CHECK_SIZEOF(short,$size_short)

+ 1 - 0
debian/apt.dirs

@@ -5,6 +5,7 @@ etc/apt
 etc/apt/apt.conf.d
 etc/apt/preferences.d
 etc/apt/sources.list.d
+etc/apt/trusted.gpg.d
 etc/logrotate.d
 var/cache/apt/archives/partial
 var/lib/apt/lists/partial

+ 0 - 6
debian/apt.postinst

@@ -15,13 +15,7 @@ set -e
 
 case "$1" in
     configure)
-
-        if ! test -f /etc/apt/trusted.gpg; then
-                cp /usr/share/apt/debian-archive.gpg /etc/apt/trusted.gpg
-        fi
-
 	apt-key update
-
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

+ 36 - 0
debian/changelog

@@ -1,3 +1,39 @@
+apt (0.7.25.1) UNRELEASED; urgency=low
+
+  [ Christian Perrier ]
+  * French manpage translation update
+  
+  [Chris Leick]
+  * spot & fix various typos in all manpages
+  * German manpage translation update
+
+  [ David Kalnischkies ]
+  * cmdline/apt-cache.cc:
+    - remove translatable marker from the "%4i %s\n" string
+  * buildlib/po4a_manpage.mak:
+    - instruct debiandoc to build files with utf-8 encoding
+  * buildlib/tools.m4:
+    - fix some warning from the buildtools
+  * apt-pkg/acquire-item.cc:
+    - add configuration PDiffs::Limit-options to not download
+      too many or too big patches (Closes: #554349)
+  * debian/control:
+    - let all packages depend on ${misc:Depends}
+  * share/*-archive.gpg:
+    - remove the horrible outdated files. We already depend on
+      the keyring so we don't need to ship our own version
+  * cmdline/apt-key:
+    - errors out if wget is not installed (Closes: #545754)
+    - add --keyring option as we have now possibly many
+  * methods/gpgv.cc:
+    - pass all keyrings (TrustedParts) to gpgv instead of
+      using only one trusted.gpg keyring (Closes: #304846)
+  * methods/https.cc:
+    - finally merge the rest of the patchset from Arnaud Ebalard
+      with the CRL and Issuers options, thanks! (Closes: #485963)
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 08 Jan 2010 20:17:28 +0100
+
 apt (0.7.25) unstable; urgency=low
 
   [ Christian Perrier ]

+ 6 - 4
debian/control

@@ -11,7 +11,7 @@ Vcs-Bzr: http://bzr.debian.org/apt/debian-sid/
 
 Package: apt
 Architecture: any
-Depends: ${shlibs:Depends}, debian-archive-keyring
+Depends: ${shlibs:Depends}, debian-archive-keyring, ${misc:Depends}
 Replaces: libapt-pkg-doc (<< 0.3.7), libapt-pkg-dev (<< 0.3.7)
 Provides: ${libapt-pkg:provides}
 Suggests: aptitude | synaptic | wajig, dpkg-dev, apt-doc, bzip2, lzma, python-apt
@@ -26,6 +26,7 @@ Description: Advanced front-end for dpkg
 Package: apt-doc
 Architecture: all
 Priority: optional
+Depends: ${misc:Depends}
 Replaces: apt (<< 0.5.4.9)
 Section: doc
 Description: Documentation for APT
@@ -35,7 +36,7 @@ Description: Documentation for APT
 Package: libapt-pkg-dev
 Architecture: any
 Priority: optional
-Depends: apt (= ${binary:Version}), apt-utils (= ${binary:Version}), ${libapt-pkg:provides}, ${libapt-inst:provides}
+Depends: apt (= ${binary:Version}), apt-utils (= ${binary:Version}), ${libapt-pkg:provides}, ${libapt-inst:provides}, ${misc:Depends}
 Section: libdevel
 Description: Development files for APT's libapt-pkg and libapt-inst
  This package contains the header files and libraries for
@@ -45,6 +46,7 @@ Description: Development files for APT's libapt-pkg and libapt-inst
 Package: libapt-pkg-doc
 Architecture: all
 Priority: optional
+Depends: ${misc:Depends}
 Section: doc
 Description: Documentation for APT development
  This package contains documentation for development of the APT
@@ -52,7 +54,7 @@ Description: Documentation for APT development
 
 Package: apt-utils
 Architecture: any
-Depends: ${shlibs:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
 Provides: ${libapt-inst:provides}
 Replaces: apt (<< 0.5.9)
 Description: APT utility programs
@@ -65,7 +67,7 @@ Description: APT utility programs
 
 Package: apt-transport-https
 Architecture: any
-Depends: ${shlibs:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
 Priority: optional
 Description: APT https transport
  This package contains a APT https transport. It makes it possible to

+ 0 - 1
debian/rules

@@ -213,7 +213,6 @@ apt: build build-doc debian/shlibs.local
 	cp debian/bugscript debian/$@/usr/share/bug/apt/script
 	cp debian/apt.logrotate debian/$@/etc/logrotate.d/apt
 
-	cp share/debian-archive.gpg debian/$@/usr/share/$@
 	cp debian/apt.conf.autoremove debian/$@/etc/apt/apt.conf.d/01autoremove
 #	head -n 500 ChangeLog > debian/ChangeLog
 

+ 18 - 6
doc/apt-key.8.xml

@@ -26,7 +26,8 @@
  <refsynopsisdiv>
    <cmdsynopsis>
       <command>apt-key</command>
-      <arg><replaceable>command</replaceable>/</arg>
+      <arg><option>--keyring <replaceable>filename</replaceable></option></arg>
+      <arg><replaceable>command</replaceable></arg>
       <arg rep="repeat"><option><replaceable>arguments</replaceable></option></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -135,11 +136,24 @@
    </variablelist>
 </refsect1>
 
+ <refsect1><title>Options</title>
+<para>Note that options need to be defined before the commands described in the previous section.</para>
+   <variablelist>
+      <varlistentry><term>--keyring <replaceable>filename</replaceable></term>
+      <listitem><para>With this option it is possible to specify a specific keyring
+      file the command should operate on. The default is that a command is executed
+      on the <filename>trusted.gpg</filename> file as well as on all parts in the
+      <filename>trusted.gpg.d</filename> directory, through <filename>trusted.gpg</filename>
+      is the primary keyring which means that e.g. new keys are added to this one.
+      </para></listitem>
+      </varlistentry>
+   </variablelist>
+ </refsect1>
+
  <refsect1><title>Files</title>
    <variablelist>
-     <varlistentry><term><filename>/etc/apt/trusted.gpg</filename></term>
-     <listitem><para>Keyring of local trusted keys, new keys will be added here.</para></listitem>
-     </varlistentry>
+
+     &file-trustedgpg;
 
      <varlistentry><term><filename>/etc/apt/trustdb.gpg</filename></term>
      <listitem><para>Local trust database of archive keys.</para></listitem>
@@ -153,8 +167,6 @@
      <listitem><para>Keyring of Debian archive removed trusted keys.</para></listitem>
      </varlistentry>
 
-
-
    </variablelist>
 
 </refsect1>

+ 11 - 4
doc/apt.conf.5.xml

@@ -166,10 +166,10 @@ DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt";};
      longer guaranteed to work as their dependency on A is not longer satisfied. The immediate configuration marker
      is also applied to all dependencies which can generate a problem if the dependencies e.g. form a circle
      as a dependency with the immediate flag is comparable with a Pre-Dependency. So in theory it is possible
-     that APT encounters a situation in which it is unable to perform immediate configuration, error out and
-     refers to this option so the user can deactivate the immediate configuration temporary to be able to perform
+     that APT encounters a situation in which it is unable to perform immediate configuration, errors out and
+     refers to this option so the user can deactivate the immediate configuration temporarily to be able to perform
      an install/upgrade again. Note the use of the word "theory" here as this problem was only encountered by now
-     in real world a few times in non-stable distribution versions and caused by wrong dependencies of the package
+     in real world a few times in non-stable distribution versions and was caused by wrong dependencies of the package
      in question or by a system in an already broken state, so you should not blindly disable this option as
      the mentioned scenario above is not the only problem immediate configuration can help to prevent in the first place.
      Before a big operation like <literal>dist-upgrade</literal> is run with this option disabled it should be tried to
@@ -221,7 +221,14 @@ DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt";};
      <varlistentry><term>PDiffs</term>
 	 <listitem><para>Try to download deltas called <literal>PDiffs</literal> for
 	 Packages or Sources files instead of downloading whole ones. True
-	 by default.</para></listitem>
+	 by default.</para>
+	 <para>Two sub-options to limit the use of PDiffs are also available:
+	 With <literal>FileLimit</literal> can be specified how many PDiff files
+	 are downloaded at most to patch a file. <literal>SizeLimit</literal>
+	 on the other hand is the maximum precentage of the size of all patches
+	 compared to the size of the targeted file. If one of these limits is
+	 exceeded the complete file is downloaded instead of the patches.
+	 </para></listitem>
      </varlistentry>
 
      <varlistentry><term>Queue-Mode</term>

+ 13 - 0
doc/apt.ent

@@ -353,3 +353,16 @@
      Configuration Item: <literal>Dir::State::Lists</literal> (implicit partial).</para></listitem>
      </varlistentry>
 ">
+
+<!ENTITY file-trustedgpg "
+     <varlistentry><term><filename>/etc/apt/trusted.gpg</filename></term>
+     <listitem><para>Keyring of local trusted keys, new keys will be added here.
+     Configuration Item: <literal>Dir::Etc::Trusted</literal>.</para></listitem>
+     </varlistentry>
+
+     <varlistentry><term><filename>/etc/apt/trusted.gpg.d/</filename></term>
+     <listitem><para>File fragments for the trusted keys, additional keyrings can
+     be stored here (by other packages or the administrator).
+     Configuration Item <literal>Dir::Etc::TrustedParts</literal>.</para></listitem>
+     </varlistentry>
+">

+ 21 - 0
doc/examples/apt-https-method-example.conf

@@ -36,6 +36,8 @@
       to access its content.
     - The certificate presented by both server have (as expected) a CN that
       matches their respective DNS names.
+    - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
+      to use them.
     - It somtimes happens that we had other more generic https available
       repository to our list. We want the checks to be performed against
       a common list of anchors (like the one provided by ca-certificates
@@ -56,10 +58,13 @@ Acquire::https::CaInfo     "/etc/ssl/certs/ca-certificates.pem";
 // Use a specific anchor and associated CRL. Enforce issuer of
 // server certificate using its cert.
 Acquire::https::secure.dom1.tld::CaInfo     "/etc/apt/certs/ca-dom1-crt.pem";
+Acquire::https::secure.dom1.tld::CrlFile    "/etc/apt/certs/ca-dom1-crl.pem";
+Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
 
 // Like previous for anchor and CRL, but also provide our
 // certificate and keys for client authentication.
 Acquire::https::secure.dom2.tld::CaInfo  "/etc/apt/certs/ca-dom2-crt.pem";
+Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
 Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
 Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
 
@@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
     used for the https entries in the sources.list file that use that
     repository (with the same name).
 
+  Acquire::https[::repo.domain.tld]::CrlFile  "/path/to/all/crl.pem";
+
+    Like previous knob but for passing the list of CRL files (in PEM
+    format) to be used to verify revocation status. Again, if the
+    option is defined with no specific mirror (probably makes little
+    sense), this CRL information is used for all defined https entries
+    in sources.list file. In a mirror specific context, it only applies
+    to that mirror.
+
+  Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
+
+    Allows to constrain the issuer of the server certificate (for all
+    https mirrors or a specific one) to a specific issuer. If the
+    server certificate has not been issued by this certificate,
+    connection fails.
+
   Acquire::https[::repo.domain.tld]::Verify-Peer "true";
 
     When authenticating the server, if the certificate verification fails

+ 6 - 6
doc/examples/configure-index

@@ -90,11 +90,6 @@ APT
      TrustCDROM "false";            // consider the CDROM always trusted
   };
 
-  GPGV
-  {
-     TrustedKeyring "/etc/apt/trusted.gpg";
-  };
-
   // Some general options
   Ignore-Hold "false";
   Clean-Installed "true";
@@ -176,7 +171,10 @@ Acquire
   Source-Symlinks "true";
 
   PDiffs "true";     // try to get the IndexFile diffs
-  
+  PDiffs::FileLimit "4"; // don't use diffs if we would need more than 4 diffs
+  PDiffs::SizeLimit "50"; // don't use diffs if size of all patches excess
+			  // 50% of the size of the original file
+
   // HTTP method configuration
   http 
   {
@@ -308,6 +306,8 @@ Dir "/"
      SourceParts "sources.list.d";
      VendorList "vendors.list";
      VendorParts "vendors.list.d";
+     Trusted "trusted.gpg";
+     TrustedParts "trusted.gpg.d";
   };
   
   // Locations of binaries

+ 3 - 3
doc/guide.sgml

@@ -56,7 +56,7 @@ requires another package to be installed at the same time to work properly.
 
 <p>
 For instance, mailcrypt is an emacs extension that aids in encrypting email
-with GPG. Without GPGP installed mail-crypt is useless, so mailcrypt has a
+with GPG. Without GPGP installed mailcrypt is useless, so mailcrypt has a
 simple dependency on GPG. Also, because it is an emacs extension it has a 
 simple dependency on emacs, without emacs it is completely useless.
 
@@ -171,7 +171,7 @@ the <prgn>dselect</> package selection GUI. <prgn>dselect</> is used to
 select the packages to be installed or removed and APT actually installs them.
 
 <p>
-To enable the APT method you need to to select [A]ccess in <prgn>dselect</> 
+To enable the APT method you need to select [A]ccess in <prgn>dselect</> 
 and then choose the APT method. You will be prompted for a set of 
 <em>Sources</> which are places to fetch archives from. These can be remote
 Internet sites, local Debian mirrors or CDROMs. Each source can provide
@@ -239,7 +239,7 @@ prompt until you have specified all that you want.
 
 <p>
 Before starting to use <prgn>dselect</> it is necessary to update the 
-available list by selecting [U]pdate from the menu. This is a super-set of 
+available list by selecting [U]pdate from the menu. This is a superset of 
 <tt>apt-get update</> that makes the fetched information available to
 <prgn>dselect</>. [U]pdate must be performed even if <tt>apt-get update</>
 has been run before.

+ 1 - 1
doc/makefile

@@ -8,7 +8,7 @@ include ../buildlib/defaults.mak
 
 # Debian Doc SGML Documents
 SOURCE = $(wildcard *.sgml)
-DEBIANDOC_HTML_OPTIONS=-l en
+DEBIANDOC_HTML_OPTIONS=-l en.UTF-8
 include $(DEBIANDOC_H)
 
 # Do not use XMLTO, build the manpages directly with XSLTPROC

+ 4 - 4
doc/offline.sgml

@@ -50,7 +50,7 @@ no connection.
 
 <p>
 This is achieved by creatively manipulating the APT configuration file. The
-essential premis to tell APT to look on a disc for it's archive files. Note
+essential premise to tell APT to look on a disc for it's archive files. Note
 that the disc should be formated with a filesystem that can handle long file
 names such as ext2, fat32 or vfat.
 
@@ -129,7 +129,7 @@ configuration file in <em>/usr/share/doc/apt/examples/apt.conf</em>.
 <p>
 On the target machine the first thing to do is mount the disc and copy 
 <em>/var/lib/dpkg/status</em> to it. You will also need to create the directories
-outlined in the Overview, <em>archives/partial/</em> and <em>lists/partial/</em>
+outlined in the Overview, <em>archives/partial/</em> and <em>lists/partial/</em>.
 Then take the disc to the remote machine and configure the sources.list. 
 On the remote machine execute the following:
 
@@ -141,9 +141,9 @@ On the remote machine execute the following:
  [ APT fetches all the packages needed to upgrade the target machine ]
 </example>
 
-The dist-upgrade command can be replaced with any-other standard APT commands,
+The dist-upgrade command can be replaced with any other standard APT commands,
 particularly dselect-upgrade. You can even use an APT front end such as 
-<em>dselect</em> However this presents a problem in communicating your 
+<em>dselect</em>. However this presents a problem in communicating your 
 selections back to the local computer.
 
 <p>

+ 746 - 401
doc/po/de.po


+ 31 - 15
doc/po/fr.po

@@ -2597,7 +2597,8 @@ msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-ftparchive.1.xml:82 apt-ftparchive.1.xml:106
-msgid "The option <option>--db</option> can be used to specify a binary caching DB."
+msgid ""
+"The option <option>--db</option> can be used to specify a binary caching DB."
 msgstr ""
 "On peut se servir de l'option <option>--db</option> pour demander un cache "
 "binaire."
@@ -2752,8 +2753,10 @@ msgstr ""
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt-ftparchive.1.xml:155
-msgid "The generate configuration has 4 separate sections, each described below."
-msgstr "Ce fichier de configuration possède quatre sections, décrites ci-dessous."
+msgid ""
+"The generate configuration has 4 separate sections, each described below."
+msgstr ""
+"Ce fichier de configuration possède quatre sections, décrites ci-dessous."
 
 #. type: Content of: <refentry><refsect1><refsect2><title>
 #: apt-ftparchive.1.xml:157
@@ -4949,7 +4952,8 @@ msgstr "<filename>/etc/apt/trusted.gpg</filename>"
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:141
 msgid "Keyring of local trusted keys, new keys will be added here."
-msgstr "Trousseau de clés locales fiables : les nouvelles clés y seront ajoutées."
+msgstr ""
+"Trousseau de clés locales fiables : les nouvelles clés y seront ajoutées."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:144
@@ -4973,8 +4977,10 @@ msgstr "Trousseau des clés fiables de l'archive Debian."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-key.8.xml:152
-msgid "<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
-msgstr "<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+msgid ""
+"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
+msgstr ""
+"<filename>/usr/share/keyrings/debian-archive-removed-keys.gpg</filename>"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt-key.8.xml:153
@@ -5114,8 +5120,10 @@ msgstr ""
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-mark.8.xml:93
-msgid "<option>-f=<filename><replaceable>FILENAME</replaceable></filename></option>"
-msgstr "<option>-f=<filename><replaceable>FICHIER</replaceable></filename></option>"
+msgid ""
+"<option>-f=<filename><replaceable>FILENAME</replaceable></filename></option>"
+msgstr ""
+"<option>-f=<filename><replaceable>FICHIER</replaceable></filename></option>"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt-mark.8.xml:94
@@ -5866,6 +5874,7 @@ msgstr ""
 
 #. type: Content of: <refentry><refsect1><para>
 #: apt.conf.5.xml:118
+#, fuzzy
 msgid ""
 "Note that you can use :: only for appending one item per line to a list and "
 "that you should not use it in combination with the scope syntax.  (The scope "
@@ -7413,7 +7422,8 @@ msgstr "<literal>Debug::Acquire::cdrom</literal>"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt.conf.5.xml:693
-msgid "Print information related to accessing <literal>cdrom://</literal> sources."
+msgid ""
+"Print information related to accessing <literal>cdrom://</literal> sources."
 msgstr ""
 "Affiche les informations concernant les sources de type <literal>cdrom://</"
 "literal>"
@@ -7426,7 +7436,8 @@ msgstr "<literal>Debug::Acquire::ftp</literal>"
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt.conf.5.xml:704
 msgid "Print information related to downloading packages using FTP."
-msgstr "Affiche les informations concernant le téléchargement de paquets par FTP."
+msgstr ""
+"Affiche les informations concernant le téléchargement de paquets par FTP."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt.conf.5.xml:711
@@ -7436,7 +7447,8 @@ msgstr "<literal>Debug::Acquire::http</literal>"
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt.conf.5.xml:715
 msgid "Print information related to downloading packages using HTTP."
-msgstr "Affiche les informations concernant le téléchargement de paquets par HTTP."
+msgstr ""
+"Affiche les informations concernant le téléchargement de paquets par HTTP."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
 #: apt.conf.5.xml:722
@@ -7597,7 +7609,8 @@ msgstr "<literal>Debug::pkgAcquire::Worker</literal>"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt.conf.5.xml:844
-msgid "Log all interactions with the sub-processes that actually perform downloads."
+msgid ""
+"Log all interactions with the sub-processes that actually perform downloads."
 msgstr ""
 "Affiche toutes les interactions avec les processus enfants qui se chargent "
 "effectivement des téléchargements."
@@ -7738,7 +7751,8 @@ msgstr "<literal>Debug::pkgPackageManager</literal>"
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: apt.conf.5.xml:945
-msgid "Output status messages tracing the steps performed when invoking &dpkg;."
+msgid ""
+"Output status messages tracing the steps performed when invoking &dpkg;."
 msgstr "Affiche le détail des opérations liées à l'invocation de &dpkg;."
 
 #. type: Content of: <refentry><refsect1><variablelist><varlistentry><term>
@@ -7959,7 +7973,8 @@ msgstr "une priorité égale à 990"
 
 #. type: Content of: <refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><simpara>
 #: apt_preferences.5.xml:94
-msgid "to the versions that are not installed and belong to the target release."
+msgid ""
+"to the versions that are not installed and belong to the target release."
 msgstr ""
 "est affectée aux versions qui ne sont pas installées et qui appartiennent à "
 "la distribution par défaut."
@@ -8444,7 +8459,8 @@ msgstr ""
 #. type: Content of: <refentry><refsect1><refsect2><title>
 #: apt_preferences.5.xml:306
 msgid "Determination of Package Version and Distribution Properties"
-msgstr "Détermination de la version des paquets et des propriétés des distributions"
+msgstr ""
+"Détermination de la version des paquets et des propriétés des distributions"
 
 #. type: Content of: <refentry><refsect1><refsect2><para>
 #: apt_preferences.5.xml:308

+ 1 - 1
doc/sources.list.5.xml

@@ -180,7 +180,7 @@ deb http://http.us.debian.org/debian dists/stable-updates/
     APT can be extended with more methods shipped in other optional packages which should
     follow the nameing scheme <literal>apt-transport-<replaceable>method</replaceable></literal>.
     The APT team e.g. maintains also the <literal>apt-transport-https</literal> package which
-    provides access methods for https-URIs with features similiar to the http method, but other
+    provides access methods for https-URIs with features similar to the http method, but other
     methods for using e.g. debtorrent are also available, see <citerefentry>
     <refentrytitle><filename>apt-transport-debtorrent</filename></refentrytitle>
     <manvolnum>1</manvolnum></citerefentry>.

+ 58 - 44
methods/gpgv.cc

@@ -1,10 +1,9 @@
 #include <apt-pkg/error.h>
 #include <apt-pkg/acquire-method.h>
 #include <apt-pkg/strutl.h>
+#include <apt-pkg/fileutl.h>
 #include <apti18n.h>
 
-#include <sys/stat.h>
-#include <unistd.h>
 #include <utime.h>
 #include <stdio.h>
 #include <fcntl.h>
@@ -45,42 +44,47 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 					 vector<string> &WorthlessSigners,
 					 vector<string> &NoPubKeySigners)
 {
+   bool const Debug = _config->FindB("Debug::Acquire::gpgv", false);
    // setup a (empty) stringstream for formating the return value
    std::stringstream ret;
    ret.str("");
 
-   if (_config->FindB("Debug::Acquire::gpgv", false))
-   {
-      std::cerr << "inside VerifyGetSigners" << std::endl;
-   }
+   if (Debug == true)
+      std::clog << "inside VerifyGetSigners" << std::endl;
+
    pid_t pid;
    int fd[2];
    FILE *pipein;
    int status;
-   struct stat buff;
-   string gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv");
-   string pubringpath = _config->Find("APT::GPGV::TrustedKeyring", "/etc/apt/trusted.gpg");
-   if (_config->FindB("Debug::Acquire::gpgv", false))
+   string const gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv");
+   // FIXME: remove support for deprecated APT::GPGV setting
+   string const trustedFile = _config->FindFile("Dir::Etc::Trusted",
+			_config->Find("APT::GPGV::TrustedKeyring", "/etc/apt/trusted.gpg").c_str());
+   string const trustedPath = _config->FindDir("Dir::Etc::TrustedParts", "/etc/apt/trusted.gpg.d");
+   if (Debug == true)
    {
-      std::cerr << "gpgv path: " << gpgvpath << std::endl;
-      std::cerr << "Keyring path: " << pubringpath << std::endl;
+      std::clog << "gpgv path: " << gpgvpath << std::endl;
+      std::clog << "Keyring file: " << trustedFile << std::endl;
+      std::clog << "Keyring path: " << trustedPath << std::endl;
    }
 
-   if (stat(pubringpath.c_str(), &buff) != 0) 
+   vector<string> keyrings = GetListOfFilesInDir(trustedPath, "gpg", false);
+   if (FileExists(trustedFile) == true)
+      keyrings.push_back(trustedFile);
+
+   if (keyrings.empty() == true)
    {
-      ioprintf(ret, _("Couldn't access keyring: '%s'"), strerror(errno)); 
+      // TRANSLATOR: %s is the trusted keyring parts directory
+      ioprintf(ret, _("No keyring installed in %s."), trustedPath.c_str());
       return ret.str();
    }
+
    if (pipe(fd) < 0)
-   {
       return "Couldn't create pipe";
-   }
 
    pid = fork();
    if (pid < 0)
-   {
       return string("Couldn't spawn new process") + strerror(errno);
-   }
    else if (pid == 0)
    {
       const char *Args[400];
@@ -90,8 +94,17 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
       Args[i++] = "--status-fd";
       Args[i++] = "3";
       Args[i++] = "--ignore-time-conflict";
-      Args[i++] = "--keyring";
-      Args[i++] = pubringpath.c_str();
+      for (vector<string>::const_iterator K = keyrings.begin();
+	   K != keyrings.end(); ++K)
+      {
+	 Args[i++] = "--keyring";
+	 Args[i++] = K->c_str();
+	 // check overflow (minus a bit of extra space at the end)
+	 if(i >= sizeof(Args)/sizeof(char*)-5) {
+	    std::clog << _("E: Too many keyrings should be passed to gpgv. Exiting.") << std::endl;
+	    exit(111);
+	 }
+      }
 
       Configuration::Item const *Opts;
       Opts = _config->Tree("Acquire::gpgv::Options");
@@ -103,8 +116,9 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
             if (Opts->Value.empty() == true)
                continue;
             Args[i++] = Opts->Value.c_str();
-	    if(i >= 395) { 
-	       std::cerr << _("E: Argument list from Acquire::gpgv::Options too long. Exiting.") << std::endl;
+	    // check overflow (minus a bit of extra space at the end)
+	    if(i >= sizeof(Args)/sizeof(char*)-5) { 
+	       std::clog << _("E: Argument list from Acquire::gpgv::Options too long. Exiting.") << std::endl;
 	       exit(111);
 	    }
          }
@@ -113,14 +127,14 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
       Args[i++] = outfile;
       Args[i++] = NULL;
 
-      if (_config->FindB("Debug::Acquire::gpgv", false))
+      if (Debug == true)
       {
-         std::cerr << "Preparing to exec: " << gpgvpath;
+         std::clog << "Preparing to exec: " << gpgvpath;
 	 for(unsigned int j=0;Args[j] != NULL; j++)
-	    std::cerr << " " << Args[j];
-	 std::cerr << std::endl;
+	    std::clog << " " << Args[j];
+	 std::clog << std::endl;
       }
-      int nullfd = open("/dev/null", O_RDONLY);
+      int const nullfd = open("/dev/null", O_RDONLY);
       close(fd[0]);
       // Redirect output to /dev/null; we read from the status fd
       dup2(nullfd, STDOUT_FILENO); 
@@ -159,8 +173,8 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
          break;
       *(buffer+bufferoff) = '\0';
       bufferoff = 0;
-      if (_config->FindB("Debug::Acquire::gpgv", false))
-         std::cerr << "Read: " << buffer << std::endl;
+      if (Debug == true)
+         std::clog << "Read: " << buffer << std::endl;
 
       // Push the data into three separate vectors, which
       // we later concatenate.  They're kept separate so
@@ -168,33 +182,33 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
       // it will be better.
       if (strncmp(buffer, GNUPGBADSIG, sizeof(GNUPGBADSIG)-1) == 0)
       {
-         if (_config->FindB("Debug::Acquire::gpgv", false))
-            std::cerr << "Got BADSIG! " << std::endl;
+         if (Debug == true)
+            std::clog << "Got BADSIG! " << std::endl;
          BadSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
       }
       
       if (strncmp(buffer, GNUPGNOPUBKEY, sizeof(GNUPGNOPUBKEY)-1) == 0)
       {
-         if (_config->FindB("Debug::Acquire::gpgv", false))
-            std::cerr << "Got NO_PUBKEY " << std::endl;
+         if (Debug == true)
+            std::clog << "Got NO_PUBKEY " << std::endl;
          NoPubKeySigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
       }
       if (strncmp(buffer, GNUPGNODATA, sizeof(GNUPGBADSIG)-1) == 0)
       {
-         if (_config->FindB("Debug::Acquire::gpgv", false))
-            std::cerr << "Got NODATA! " << std::endl;
+         if (Debug == true)
+            std::clog << "Got NODATA! " << std::endl;
          BadSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
       }
       if (strncmp(buffer, GNUPGKEYEXPIRED, sizeof(GNUPGKEYEXPIRED)-1) == 0)
       {
-         if (_config->FindB("Debug::Acquire::gpgv", false))
-            std::cerr << "Got KEYEXPIRED! " << std::endl;
+         if (Debug == true)
+            std::clog << "Got KEYEXPIRED! " << std::endl;
          WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
       }
       if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0)
       {
-         if (_config->FindB("Debug::Acquire::gpgv", false))
-            std::cerr << "Got REVKEYSIG! " << std::endl;
+         if (Debug == true)
+            std::clog << "Got REVKEYSIG! " << std::endl;
          WorthlessSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
       }
       if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0)
@@ -204,17 +218,17 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
          while (*p && isxdigit(*p)) 
             p++;
          *p = 0;
-         if (_config->FindB("Debug::Acquire::gpgv", false))
-            std::cerr << "Got GOODSIG, key ID:" << sig << std::endl;
+         if (Debug == true)
+            std::clog << "Got GOODSIG, key ID:" << sig << std::endl;
          GoodSigners.push_back(string(sig));
       }
    }
    fclose(pipein);
 
    waitpid(pid, &status, 0);
-   if (_config->FindB("Debug::Acquire::gpgv", false))
+   if (Debug == true)
    {
-      std::cerr << "gpgv exited\n";
+      std::clog << "gpgv exited\n";
    }
    
    if (WEXITSTATUS(status) == 0)
@@ -305,7 +319,7 @@ bool GPGVMethod::Fetch(FetchItem *Itm)
 
    if (_config->FindB("Debug::Acquire::gpgv", false))
    {
-      std::cerr << "gpgv succeeded\n";
+      std::clog << "gpgv succeeded\n";
    }
 
    return true;
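Review bot: In the `@@ -45,42 +44,47 @@` hunk the "no keyring" error names only the parts directory, although the code also probed the configured keyring file one line earlier, so a user with a mistyped Dir::Etc::Trusted (or the deprecated APT::GPGV::TrustedKeyring) is pointed at the wrong location; the previous stat()-based check at least echoed strerror. I would report both probed locations, `ioprintf(ret, _("No keyring installed in %s or %s."), trustedFile.c_str(), trustedPath.c_str());`, and note in a comment that an existing-but-unreadable keyring file is presumably not distinguished by FileExists() and will only surface as a gpgv failure later. The same overflow guard `if(i >= sizeof(Args)/sizeof(char*)-5)` is now written twice (keyring loop and the Acquire::gpgv::Options loop); a short comment at the first one saying the reserve of five covers the two entries written per iteration plus file, outfile and the NULL terminator would make the constant self-explanatory. VerifyGetSigners continues outside the hunk.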

+ 20 - 6
methods/https.cc

@@ -133,7 +133,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
    string cainfo = _config->Find("Acquire::https::CaInfo","");
    string knob = "Acquire::https::"+remotehost+"::CaInfo";
    cainfo = _config->Find(knob.c_str(),cainfo.c_str());
-   if(cainfo != "")
+   if(cainfo.empty() == false)
       curl_easy_setopt(curl, CURLOPT_CAINFO,cainfo.c_str());
 
    // Check server certificate against previous CA list ...
@@ -151,18 +151,25 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
       default_verify = 0;
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
 
+   // Also enforce issuer of server certificate using its cert
+   string issuercert = _config->Find("Acquire::https::IssuerCert","");
+   knob = "Acquire::https::"+remotehost+"::IssuerCert";
+   issuercert = _config->Find(knob.c_str(),issuercert.c_str());
+   if(issuercert.empty() == false)
+      curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str());
+
    // For client authentication, certificate file ...
    string pem = _config->Find("Acquire::https::SslCert","");
    knob = "Acquire::https::"+remotehost+"::SslCert";
    pem = _config->Find(knob.c_str(),pem.c_str());
-   if(pem != "")
+   if(pem.empty() == false)
       curl_easy_setopt(curl, CURLOPT_SSLCERT, pem.c_str());
 
    // ... and associated key.
    string key = _config->Find("Acquire::https::SslKey","");
    knob = "Acquire::https::"+remotehost+"::SslKey";
    key = _config->Find(knob.c_str(),key.c_str());
-   if(key != "")
+   if(key.empty() == false)
       curl_easy_setopt(curl, CURLOPT_SSLKEY, key.c_str());
 
    // Allow forcing SSL version to SSLv3 or TLSv1 (SSLv2 is not
@@ -177,6 +184,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
      final_version = CURL_SSLVERSION_SSLv3;
    curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version);
 
+   // CRL file
+   string crlfile = _config->Find("Acquire::https::CrlFile","");
+   knob = "Acquire::https::"+remotehost+"::CrlFile";
+   crlfile = _config->Find(knob.c_str(),crlfile.c_str());
+   if(crlfile.empty() == false)
+      curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str());
+
    // cache-control
    if(_config->FindB("Acquire::https::No-Cache",
 	_config->FindB("Acquire::http::No-Cache",false)) == false)
@@ -196,7 +210,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
 
    // speed limit
-   int dlLimit = _config->FindI("Acquire::https::Dl-Limit",
+   int const dlLimit = _config->FindI("Acquire::https::Dl-Limit",
 		_config->FindI("Acquire::http::Dl-Limit",0))*1024;
    if (dlLimit > 0)
       curl_easy_setopt(curl, CURLOPT_MAX_RECV_SPEED_LARGE, dlLimit);
@@ -208,7 +222,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
 			"Debian APT-CURL/1.0 ("VERSION")").c_str()).c_str());
 
    // set timeout
-   int timeout = _config->FindI("Acquire::https::Timeout",
+   int const timeout = _config->FindI("Acquire::https::Timeout",
 		_config->FindI("Acquire::http::Timeout",120));
    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
    //set really low lowspeed timeout (see #497983)
@@ -216,7 +230,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
    curl_easy_setopt(curl, CURLOPT_LOW_SPEED_TIME, timeout);
 
    // set redirect options and default to 10 redirects
-   bool AllowRedirect = _config->FindB("Acquire::https::AllowRedirect",
+   bool const AllowRedirect = _config->FindB("Acquire::https::AllowRedirect",
 	_config->FindB("Acquire::http::AllowRedirect",true));
    curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, AllowRedirect);
    curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 10);
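Review bot: The return value of curl_easy_setopt is discarded for the new CURLOPT_ISSUERCERT and CURLOPT_CRLFILE calls, so on a libcurl whose TLS backend does not implement one of them the configured issuer constraint or CRL is silently dropped while the fetch proceeds as if it were enforced. Because both options exist only to tighten verification, a failed setopt should fail the fetch rather than be ignored, e.g. `if (curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str()) != CURLE_OK)` followed by the method's usual failure return, and likewise for the issuer cert. According to the libcurl documentation, CURLOPT_ISSUERCERT is only evaluated when peer verification is enabled, so a comment next to it such as `// only checked by libcurl when Verify-Peer is on; see the VERIFYPEER setup above` would save users who disabled Verify-Peer for a host from assuming the issuer pin still applies. HttpsMethod::Fetch starts and ends outside the hunk.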

+ 2 - 7
po/apt-all.pot

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2009-12-10 22:06+0100\n"
+"POT-Creation-Date: 2010-01-01 19:13+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -144,11 +144,6 @@ msgstr ""
 msgid "  Version table:"
 msgstr ""
 
-#: cmdline/apt-cache.cc:1623
-#, c-format
-msgid "       %4i %s\n"
-msgstr ""
-
 #: cmdline/apt-cache.cc:1718 cmdline/apt-cdrom.cc:134 cmdline/apt-config.cc:70
 #: cmdline/apt-extracttemplates.cc:225 ftparchive/apt-ftparchive.cc:547
 #: cmdline/apt-get.cc:2665 cmdline/apt-sortpkgs.cc:144
@@ -2781,7 +2776,7 @@ msgstr ""
 msgid "Can not write log, openpty() failed (/dev/pts not mounted?)\n"
 msgstr ""
 
-#: apt-pkg/deb/dpkgpm.cc:908
+#: apt-pkg/deb/dpkgpm.cc:909
 msgid "Running dpkg"
 msgstr ""
 

BIN
share/debian-archive.gpg


BIN
share/ubuntu-archive.gpg