Kaynağa Gözat

disable updating insecure repositories in apt by default

apt is an interactive command and the reasons we haven't this option set
for everything is mostly in keeping compatibility for a little while
longer to allow scripts to be changed if need be.
David Kalnischkies 10 yıl önce
ebeveyn
işleme
995a4bf6d7

+ 1 - 0
apt-private/private-cmndline.cc

@@ -332,6 +332,7 @@ static void BinarySpecificConfiguration(char const * const Binary)	/*{{{*/
       _config->CndSet("Binary::apt::APT::Get::Upgrade-Allow-New", true);
       _config->CndSet("Binary::apt::APT::Get::Upgrade-Allow-New", true);
       _config->CndSet("Binary::apt::APT::Cmd::Show-Update-Stats", true);
       _config->CndSet("Binary::apt::APT::Cmd::Show-Update-Stats", true);
       _config->CndSet("Binary::apt::DPkg::Progress-Fancy", true);
       _config->CndSet("Binary::apt::DPkg::Progress-Fancy", true);
+      _config->CndSet("Binary::apt::Acquire::AllowInsecureRepositories", false);
    }
    }
 
 
    _config->Set("Binary", binary);
    _config->Set("Binary", binary);

+ 1 - 11
test/integration/framework

@@ -388,12 +388,8 @@ EOF
 		TEST_DEFAULT_GROUP="$USER"
 		TEST_DEFAULT_GROUP="$USER"
 	fi
 	fi
 
 
-        # Acquire::AllowInsecureRepositories=false is not yet the default
-        # but we want it to be the default soon
-        configallowinsecurerepositories "false";
-
 	# cleanup the environment a bit
 	# cleanup the environment a bit
-        # prefer our apt binaries over the system apt binaries
+	# prefer our apt binaries over the system apt binaries
 	export PATH="${BUILDDIRECTORY}:${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
 	export PATH="${BUILDDIRECTORY}:${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
 	export LC_ALL=C.UTF-8
 	export LC_ALL=C.UTF-8
 	unset LANGUAGE APT_CONFIG
 	unset LANGUAGE APT_CONFIG
@@ -506,12 +502,6 @@ int execvp(const char *file, char *const argv[]) {
 EOF
 EOF
 	testsuccess --nomsg gcc -fPIC -shared -o noopchroot.so noopchroot.c -ldl
 	testsuccess --nomsg gcc -fPIC -shared -o noopchroot.so noopchroot.c -ldl
 }
 }
-
-configallowinsecurerepositories() {
-    echo "Acquire::AllowInsecureRepositories \"$1\";" >  rootdir/etc/apt/apt.conf.d/allow-insecure-repositories.conf
-
-}
-
 configcompression() {
 configcompression() {
 	while [ -n "$1" ]; do
 	while [ -n "$1" ]; do
 		case "$1" in
 		case "$1" in

+ 2 - 2
test/integration/test-apt-update-failure-propagation

@@ -43,7 +43,7 @@ testsuccessequal "foo:
 
 
 pretest
 pretest
 mv aptarchive/dists/stable aptarchive/dists/stable.good
 mv aptarchive/dists/stable aptarchive/dists/stable.good
-testfailuremsg "E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file." aptget update
+testfailuremsg "E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file." apt update
 testfailureequal "Hit:1 http://localhost:${APTHTTPPORT} sid InRelease
 testfailureequal "Hit:1 http://localhost:${APTHTTPPORT} sid InRelease
 Ign:2 https://localhost:${APTHTTPSPORT} stable InRelease
 Ign:2 https://localhost:${APTHTTPSPORT} stable InRelease
   404  Not Found
   404  Not Found
@@ -52,7 +52,7 @@ Err:3 https://localhost:${APTHTTPSPORT} stable Release
 Reading package lists...
 Reading package lists...
 E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file.
 E: The repository 'https://localhost:${APTHTTPSPORT} stable Release' does not have a Release file.
 N: Updating such a repository securily is impossible and therefore disabled by default.
 N: Updating such a repository securily is impossible and therefore disabled by default.
-N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update -q=0
+N: See apt-secure(8) manpage for repository creation and user configuration details." aptget update -q=0 --no-allow-insecure-repositories
 mv aptarchive/dists/stable.good aptarchive/dists/stable
 mv aptarchive/dists/stable.good aptarchive/dists/stable
 posttest() {
 posttest() {
 	testsuccessequal "foo:
 	testsuccessequal "foo:

+ 7 - 6
test/integration/test-apt-update-ims

@@ -13,19 +13,20 @@ setupaptarchive --no-update
 changetowebserver
 changetowebserver
 
 
 runtest() {
 runtest() {
+    local APTOPT=""
     if [ -n "$1" ]; then
     if [ -n "$1" ]; then
-	configallowinsecurerepositories 'true'
+	APTOPT='--allow-insecure-repositories'
     else
     else
-	configallowinsecurerepositories 'false'
+	APTOPT='--no-allow-insecure-repositories'
     fi
     fi
 
 
     rm -rf rootdir/var/lib/apt/lists/
     rm -rf rootdir/var/lib/apt/lists/
 
 
     local TEST="test${1:-success}"
     local TEST="test${1:-success}"
-    $TEST aptget update
+    $TEST aptget update $APTOPT
     if [ "$1" = 'failure' ]; then
     if [ "$1" = 'failure' ]; then
 	# accept the outdated Release file so we can check Hit behaviour
 	# accept the outdated Release file so we can check Hit behaviour
-	"test${2:-success}" aptget update -o Acquire::Min-ValidTime=9999999
+	"test${2:-success}" aptget update -o Acquire::Min-ValidTime=9999999 $APTOPT
     fi
     fi
     listcurrentlistsdirectory > listsdir.lst
     listcurrentlistsdirectory > listsdir.lst
     testsuccess grep '_Packages\(\.gz\)\?$' listsdir.lst
     testsuccess grep '_Packages\(\.gz\)\?$' listsdir.lst
@@ -37,14 +38,14 @@ runtest() {
 
 
     # check that I-M-S header is kept in redirections
     # check that I-M-S header is kept in redirections
     echo "$EXPECT" | sed -e 's#(invalid since [^)]\+)#(invalid since)#' > expected.output
     echo "$EXPECT" | sed -e 's#(invalid since [^)]\+)#(invalid since)#' > expected.output
-    $TEST aptget update  -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 -q=0
+    $TEST aptget update  -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 -q=0 $APTOPT
     sed -i -e 's#(invalid since [^)]\+)#(invalid since)#' rootdir/tmp/${TEST}.output
     sed -i -e 's#(invalid since [^)]\+)#(invalid since)#' rootdir/tmp/${TEST}.output
     testequal "$(cat expected.output)" cat rootdir/tmp/${TEST}.output
     testequal "$(cat expected.output)" cat rootdir/tmp/${TEST}.output
     testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
     testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
 
 
     # ensure that we still do a hash check for other files on ims hit of Release
     # ensure that we still do a hash check for other files on ims hit of Release
     if grep -q '^Hit:[0-9]\+ .* InRelease$' expected.output || ! grep -q '^Ign:[0-9]\+ .* Release\(\.gpg\)\?$' expected.output; then
     if grep -q '^Hit:[0-9]\+ .* InRelease$' expected.output || ! grep -q '^Ign:[0-9]\+ .* Release\(\.gpg\)\?$' expected.output; then
-	    $TEST aptget update -o Debug::Acquire::gpgv=1
+	    $TEST aptget update -o Debug::Acquire::gpgv=1 $APTOPT
 	    cp rootdir/tmp/${TEST}.output goodsign.output
 	    cp rootdir/tmp/${TEST}.output goodsign.output
 	    testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
 	    testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
 	    testsuccess grep '^Got GOODSIG, key ID:GOODSIG' goodsign.output
 	    testsuccess grep '^Got GOODSIG, key ID:GOODSIG' goodsign.output

+ 1 - 1
test/integration/test-bug-624218-Translation-file-handling

@@ -61,7 +61,7 @@ translationslisted 'with full Index'
 # No Release file at all, so no records about Translation files
 # No Release file at all, so no records about Translation files
 # (fallback to guessing)
 # (fallback to guessing)
 find aptarchive \( -name 'Release' -o -name 'InRelease' \) -delete
 find aptarchive \( -name 'Release' -o -name 'InRelease' \) -delete
-configallowinsecurerepositories "true";
+echo 'Acquire::AllowInsecureRepositories "true";' >  rootdir/etc/apt/apt.conf.d/allow-insecure-repositories.conf
 
 
 msgtest 'Download of en as forced language' 'without Index'
 msgtest 'Download of en as forced language' 'without Index'
 testwarning --nomsg aptget update -o Acquire::Languages=en
 testwarning --nomsg aptget update -o Acquire::Languages=en