Explorar el Código

disable updating insecure repositories in apt by default

apt is an interactive command and the reasons we haven't this option set
for everything is mostly in keeping compatibility for a little while
longer to allow scripts to be changed if need be.
David Kalnischkies hace 10 años
padre
commit
995a4bf6d7

+ 1 - 0
apt-private/private-cmndline.cc

@@ -332,6 +332,7 @@ static void BinarySpecificConfiguration(char const * const Binary)	/*{{{*/
       _config->CndSet("Binary::apt::APT::Get::Upgrade-Allow-New", true);
       _config->CndSet("Binary::apt::APT::Cmd::Show-Update-Stats", true);
       _config->CndSet("Binary::apt::DPkg::Progress-Fancy", true);
+      _config->CndSet("Binary::apt::Acquire::AllowInsecureRepositories", false);
    }
 
    _config->Set("Binary", binary);

+ 1 - 11
test/integration/framework

@@ -388,12 +388,8 @@ EOF
 		TEST_DEFAULT_GROUP="$USER"
 	fi
 
-        # Acquire::AllowInsecureRepositories=false is not yet the default
-        # but we want it to be the default soon
-        configallowinsecurerepositories "false";
-
 	# cleanup the environment a bit
-        # prefer our apt binaries over the system apt binaries
+	# prefer our apt binaries over the system apt binaries
 	export PATH="${BUILDDIRECTORY}:${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
 	export LC_ALL=C.UTF-8
 	unset LANGUAGE APT_CONFIG
@@ -506,12 +502,6 @@ int execvp(const char *file, char *const argv[]) {
 EOF
 	testsuccess --nomsg gcc -fPIC -shared -o noopchroot.so noopchroot.c -ldl
 }
-
-configallowinsecurerepositories() {
-    echo "Acquire::AllowInsecureRepositories \"$1\";" >  rootdir/etc/apt/apt.conf.d/allow-insecure-repositories.conf
-
-}
-
 configcompression() {
 	while [ -n "$1" ]; do
 		case "$1" in

+ 2 - 2
test/integration/test-apt-update-failure-propagation

@@ -43,7 +43,7 @@ testsuccessequal "foo:
 
 pretest
 mv aptarchive/dists/stable aptarchive/dists/stable.good
-testfailuremsg "E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file." aptget update
+testfailuremsg "E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file." apt update
 testfailureequal "Hit:1 http://localhost:${APTHTTPPORT} sid InRelease
 Ign:2 https://localhost:${APTHTTPSPORT} stable InRelease
   404  Not Found
@@ -52,7 +52,7 @@ Err:3 https://localhost:${APTHTTPSPORT} stable Release
 Reading package lists...
 E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file.
 N: Updating such a repository securily is impossible and therefore disabled by default.
-N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update -q=0
+N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update -q=0 --no-allow-insecure-repositories
 mv aptarchive/dists/stable.good aptarchive/dists/stable
 posttest() {
 	testsuccessequal "foo:

+ 7 - 6
test/integration/test-apt-update-ims

@@ -13,19 +13,20 @@ setupaptarchive --no-update
 changetowebserver
 
 runtest() {
+    local APTOPT=""
     if [ -n "$1" ]; then
-	configallowinsecurerepositories 'true'
+	APTOPT='--allow-insecure-repositories'
     else
-	configallowinsecurerepositories 'false'
+	APTOPT='--no-allow-insecure-repositories'
     fi
 
     rm -rf rootdir/var/lib/apt/lists/
 
     local TEST="test${1:-success}"
-    $TEST aptget update
+    $TEST aptget update $APTOPT
     if [ "$1" = 'failure' ]; then
 	# accept the outdated Release file so we can check Hit behaviour
-	"test${2:-success}" aptget update -o Acquire::Min-ValidTime=9999999
+	"test${2:-success}" aptget update -o Acquire::Min-ValidTime=9999999 $APTOPT
     fi
     listcurrentlistsdirectory > listsdir.lst
     testsuccess grep '_Packages\(\.gz\)\?$' listsdir.lst
@@ -37,14 +38,14 @@ runtest() {
 
     # check that I-M-S header is kept in redirections
     echo "$EXPECT" | sed -e 's#(invalid since [^)]\+)#(invalid since)#' > expected.output
-    $TEST aptget update  -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 -q=0
+    $TEST aptget update  -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 -q=0 $APTOPT
     sed -i -e 's#(invalid since [^)]\+)#(invalid since)#' rootdir/tmp/${TEST}.output
     testequal "$(cat expected.output)" cat rootdir/tmp/${TEST}.output
     testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
 
     # ensure that we still do a hash check for other files on ims hit of Release
     if grep -q '^Hit:[0-9]\+ .* InRelease$' expected.output || ! grep -q '^Ign:[0-9]\+ .* Release\(\.gpg\)\?$' expected.output; then
-	    $TEST aptget update -o Debug::Acquire::gpgv=1
+	    $TEST aptget update -o Debug::Acquire::gpgv=1 $APTOPT
 	    cp rootdir/tmp/${TEST}.output goodsign.output
 	    testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
 	    testsuccess grep '^Got GOODSIG, key ID:GOODSIG' goodsign.output

+ 1 - 1
test/integration/test-bug-624218-Translation-file-handling

@@ -61,7 +61,7 @@ translationslisted 'with full Index'
 # No Release file at all, so no records about Translation files
 # (fallback to guessing)
 find aptarchive \( -name 'Release' -o -name 'InRelease' \) -delete
-configallowinsecurerepositories "true";
+echo 'Acquire::AllowInsecureRepositories "true";' >  rootdir/etc/apt/apt.conf.d/allow-insecure-repositories.conf
 
 msgtest 'Download of en as forced language' 'without Index'
 testwarning --nomsg aptget update -o Acquire::Languages=en