ソースを参照

rework errors and warnings around insecure repositories

Insecure (aka unsigned) repositories are bad, period. We want to get
right of them finally and as a first step we are printing scary
warnings. This is already done, this commit just changes the messages to
be more consistent and prevents them from being displayed if
authenticity is guaranteed some other way (as indicated with
trusted=yes).

The idea is to first print the pure fact like "repository isn't signed"
as a warning (and later as an error), while giving an explaination in a
immediately following notice (which is displayed only in quiet level 0:
so in interactive use, not in scripts and alike).

Closes: 796549
David Kalnischkies 10 年 前
コミット
f18f2338a1

+ 39 - 22
apt-pkg/acquire-item.cc

@@ -148,12 +148,41 @@ static bool BootstrapPDiffWith(std::string const &PartialFile, std::string const
 }
 }
 									/*}}}*/
 									/*}}}*/
 
 
-static bool AllowInsecureRepositories(metaIndex const * const MetaIndexParser, pkgAcqMetaClearSig * const TransactionManager, pkgAcquire::Item * const I) /*{{{*/
+static bool MessageInsecureRepository(bool const isError, std::string const &msg)/*{{{*/
 {
 {
-   if(MetaIndexParser->GetTrusted() == metaIndex::TRI_YES || _config->FindB("Acquire::AllowInsecureRepositories") == true)
+   if (isError)
+   {
+      _error->Error("%s", msg.c_str());
+      _error->Notice("%s", _("Updating such a repository securily is impossible and therefore disabled by default."));
+   }
+   else
+   {
+      _error->Warning("%s", msg.c_str());
+      _error->Notice("%s", _("Data from such a repository can not be authenticated and is therefore potentially dangerous to use."));
+   }
+   return false;
+}
+static bool MessageInsecureRepository(bool const isError, char const * const msg, std::string const &repo)
+{
+   std::string m;
+   strprintf(m, msg, repo.c_str());
+   return MessageInsecureRepository(isError, m);
+}
+									/*}}}*/
+static bool AllowInsecureRepositories(char const * const msg, std::string const &repo,/*{{{*/
+      metaIndex const * const MetaIndexParser, pkgAcqMetaClearSig * const TransactionManager, pkgAcquire::Item * const I)
+{
+   if(MetaIndexParser->GetTrusted() == metaIndex::TRI_YES)
       return true;
       return true;
 
 
-   _error->Error(_("Use --allow-insecure-repositories to force the update"));
+   if (_config->FindB("Acquire::AllowInsecureRepositories") == true)
+   {
+      MessageInsecureRepository(false, msg, repo);
+      return true;
+   }
+
+   MessageInsecureRepository(true, msg, repo);
+   _error->Notice(_("Use --allow-insecure-repositories to force an insecure update"));
    TransactionManager->AbortTransaction();
    TransactionManager->AbortTransaction();
    I->Status = pkgAcquire::Item::StatError;
    I->Status = pkgAcquire::Item::StatError;
    return false;
    return false;
@@ -1308,10 +1337,10 @@ void pkgAcqMetaClearSig::Failed(string const &Message,pkgAcquire::MethodConfig c
 
 
    if (AuthPass == false)
    if (AuthPass == false)
    {
    {
-      if (Status == StatAuthError)
+      if (Status == StatAuthError || Status == StatTransientNetworkError)
       {
       {
-	 // if we expected a ClearTextSignature (InRelease) and got a file,
-	 // but it wasn't valid we end up here (see VerifyDone).
+	 // if we expected a ClearTextSignature (InRelease) but got a network
+	 // error or got a file, but it wasn't valid, we end up here (see VerifyDone).
 	 // As these is usually called by web-portals we do not try Release/Release.gpg
 	 // As these is usually called by web-portals we do not try Release/Release.gpg
 	 // as this is gonna fail anyway and instead abort our try (LP#346386)
 	 // as this is gonna fail anyway and instead abort our try (LP#346386)
 	 TransactionManager->AbortTransaction();
 	 TransactionManager->AbortTransaction();
@@ -1331,14 +1360,10 @@ void pkgAcqMetaClearSig::Failed(string const &Message,pkgAcquire::MethodConfig c
       if(CheckStopAuthentication(this, Message))
       if(CheckStopAuthentication(this, Message))
          return;
          return;
 
 
-      _error->Warning(_("The data from '%s' is not signed. Packages "
-                        "from that repository can not be authenticated."),
-                      ClearsignedTarget.Description.c_str());
-
       // No Release file was present, or verification failed, so fall
       // No Release file was present, or verification failed, so fall
       // back to queueing Packages files without verification
       // back to queueing Packages files without verification
       // only allow going further if the users explicitely wants it
       // only allow going further if the users explicitely wants it
-      if(AllowInsecureRepositories(TransactionManager->MetaIndexParser, TransactionManager, this) == true)
+      if(AllowInsecureRepositories(_("The repository '%s' is not signed."), ClearsignedTarget.Description, TransactionManager->MetaIndexParser, TransactionManager, this) == true)
       {
       {
 	 Status = StatDone;
 	 Status = StatDone;
 
 
@@ -1433,14 +1458,10 @@ void pkgAcqMetaIndex::Failed(string const &Message,
    pkgAcquire::Item::Failed(Message, Cnf);
    pkgAcquire::Item::Failed(Message, Cnf);
    Status = StatDone;
    Status = StatDone;
 
 
-   _error->Warning(_("The repository '%s' does not have a Release file. "
-                     "This is deprecated, please contact the owner of the "
-                     "repository."), Target.Description.c_str());
-
    // No Release file was present so fall
    // No Release file was present so fall
    // back to queueing Packages files without verification
    // back to queueing Packages files without verification
    // only allow going further if the users explicitely wants it
    // only allow going further if the users explicitely wants it
-   if(AllowInsecureRepositories(TransactionManager->MetaIndexParser, TransactionManager, this) == true)
+   if(AllowInsecureRepositories(_("The repository '%s' does not have a Release file."), Target.Description, TransactionManager->MetaIndexParser, TransactionManager, this) == true)
    {
    {
       // ensure old Release files are removed
       // ensure old Release files are removed
       TransactionManager->TransactionStageRemoval(this, GetFinalFilename());
       TransactionManager->TransactionStageRemoval(this, GetFinalFilename());
@@ -1578,7 +1599,7 @@ void pkgAcqMetaSig::Failed(string const &Message,pkgAcquire::MethodConfig const
                            "given to override it."));
                            "given to override it."));
          Status = StatDone;
          Status = StatDone;
       } else {
       } else {
-         _error->Error("%s", downgrade_msg.c_str());
+	 MessageInsecureRepository(true, downgrade_msg);
 	 if (TransactionManager->IMSHit == false)
 	 if (TransactionManager->IMSHit == false)
 	    Rename(MetaIndex->DestFile, MetaIndex->DestFile + ".FAILED");
 	    Rename(MetaIndex->DestFile, MetaIndex->DestFile + ".FAILED");
 	 Item::Failed("Message: " + downgrade_msg, Cnf);
 	 Item::Failed("Message: " + downgrade_msg, Cnf);
@@ -1586,16 +1607,12 @@ void pkgAcqMetaSig::Failed(string const &Message,pkgAcquire::MethodConfig const
          return;
          return;
       }
       }
    }
    }
-   else
-      _error->Warning(_("The data from '%s' is not signed. Packages "
-	       "from that repository can not be authenticated."),
-	    MetaIndex->Target.Description.c_str());
 
 
    // ensures that a Release.gpg file in the lists/ is removed by the transaction
    // ensures that a Release.gpg file in the lists/ is removed by the transaction
    TransactionManager->TransactionStageRemoval(this, DestFile);
    TransactionManager->TransactionStageRemoval(this, DestFile);
 
 
    // only allow going further if the users explicitely wants it
    // only allow going further if the users explicitely wants it
-   if(AllowInsecureRepositories(TransactionManager->MetaIndexParser, TransactionManager, this) == true)
+   if (AllowInsecureRepositories(_("The repository '%s' is not signed."), MetaIndex->Target.Description, TransactionManager->MetaIndexParser, TransactionManager, this) == true)
    {
    {
       if (RealFileExists(FinalReleasegpg) || RealFileExists(FinalInRelease))
       if (RealFileExists(FinalReleasegpg) || RealFileExists(FinalInRelease))
       {
       {

+ 11 - 0
test/integration/framework

@@ -1665,6 +1665,17 @@ testfailuremsg() {
 	testoutputequal "$COMPAREFILE" echo "$CMP"
 	testoutputequal "$COMPAREFILE" echo "$CMP"
 	msggroup
 	msggroup
 }
 }
+testwarningmsg() {
+	msggroup 'testwarningmsg'
+	local CMP="$1"
+	shift
+	testwarning "$@"
+	msgtest 'Check that the output of the previous warned command has expected' 'warnings'
+	local COMPAREFILE="${TMPWORKINGDIRECTORY}/rootdir/tmp/testwarningmsg.comparefile"
+	grep '^\(W\|E\):' "${TMPWORKINGDIRECTORY}/rootdir/tmp/testwarning.output" > "$COMPAREFILE" 2>&1 || true
+	testoutputequal "$COMPAREFILE" echo "$CMP"
+	msggroup
+}
 
 
 testfilestats() {
 testfilestats() {
 	msggroup 'testfilestats'
 	msggroup 'testfilestats'

+ 5 - 3
test/integration/test-apt-get-update-unauth-warning

@@ -27,8 +27,9 @@ Get:2 file:$APTARCHIVE unstable Release
 Err:2 file:$APTARCHIVE unstable Release
 Err:2 file:$APTARCHIVE unstable Release
   File not found
   File not found
 Reading package lists...
 Reading package lists...
-W: The repository 'file:$APTARCHIVE unstable Release' does not have a Release file. This is deprecated, please contact the owner of the repository.
-E: Use --allow-insecure-repositories to force the update" aptget update --no-allow-insecure-repositories
+E: The repository 'file:$APTARCHIVE unstable Release' does not have a Release file.
+N: Updating such a repository securily is impossible and therefore disabled by default.
+N: Use --allow-insecure-repositories to force an insecure update" aptget update --no-allow-insecure-repositories -q=0
 
 
 # no package foo
 # no package foo
 testsuccessequal 'Listing...' apt list foo
 testsuccessequal 'Listing...' apt list foo
@@ -78,7 +79,8 @@ Get:3 file:$APTARCHIVE unstable/main Sources [$(filesize 'Sources') B]
 Get:4 file:$APTARCHIVE unstable/main i386 Packages [$(filesize 'Packages') B]
 Get:4 file:$APTARCHIVE unstable/main i386 Packages [$(filesize 'Packages') B]
 Get:5 file:$APTARCHIVE unstable/main Translation-en [$(filesize 'Translations') B]
 Get:5 file:$APTARCHIVE unstable/main Translation-en [$(filesize 'Translations') B]
 Reading package lists...
 Reading package lists...
-W: The repository 'file:$APTARCHIVE unstable Release' does not have a Release file. This is deprecated, please contact the owner of the repository." aptget update --allow-insecure-repositories
+W: The repository 'file:$APTARCHIVE unstable Release' does not have a Release file.
+N: Data from such a repository can not be authenticated and is therefore potentially dangerous to use." aptget update --allow-insecure-repositories -q=0
 # ensure we can not install the package
 # ensure we can not install the package
 testfailureequal "WARNING: The following packages cannot be authenticated!
 testfailureequal "WARNING: The following packages cannot be authenticated!
   foo
   foo

+ 7 - 4
test/integration/test-apt-update-ims

@@ -37,7 +37,7 @@ runtest() {
 
 
     # check that I-M-S header is kept in redirections
     # check that I-M-S header is kept in redirections
     echo "$EXPECT" | sed -e 's#(invalid since [^)]\+)#(invalid since)#' > expected.output
     echo "$EXPECT" | sed -e 's#(invalid since [^)]\+)#(invalid since)#' > expected.output
-    $TEST aptget update  -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0
+    $TEST aptget update  -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 -q=0
     sed -i -e 's#(invalid since [^)]\+)#(invalid since)#' rootdir/tmp/${TEST}.output
     sed -i -e 's#(invalid since [^)]\+)#(invalid since)#' rootdir/tmp/${TEST}.output
     testequal "$(cat expected.output)" cat rootdir/tmp/${TEST}.output
     testequal "$(cat expected.output)" cat rootdir/tmp/${TEST}.output
     testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
     testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
@@ -80,7 +80,8 @@ Hit:2 http://localhost:${APTHTTPPORT} unstable Release
 Ign:3 http://localhost:${APTHTTPPORT} unstable Release.gpg
 Ign:3 http://localhost:${APTHTTPPORT} unstable Release.gpg
   404  Not Found
   404  Not Found
 Reading package lists...
 Reading package lists...
-W: The data from 'http://localhost:${APTHTTPPORT} unstable Release' is not signed. Packages from that repository can not be authenticated."
+W: The repository 'http://localhost:${APTHTTPPORT} unstable Release' is not signed.
+N: Data from such a repository can not be authenticated and is therefore potentially dangerous to use."
 find aptarchive -name 'Release.gpg' -delete
 find aptarchive -name 'Release.gpg' -delete
 echo 'Acquire::GzipIndexes "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
 echo 'Acquire::GzipIndexes "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
 runtest 'warning'
 runtest 'warning'
@@ -123,7 +124,8 @@ Hit:2 http://localhost:${APTHTTPPORT} unstable Release
 Ign:3 http://localhost:${APTHTTPPORT} unstable Release.gpg
 Ign:3 http://localhost:${APTHTTPPORT} unstable Release.gpg
   404  Not Found
   404  Not Found
 Reading package lists...
 Reading package lists...
-W: The data from 'http://localhost:${APTHTTPPORT} unstable Release' is not signed. Packages from that repository can not be authenticated.
+W: The repository 'http://localhost:${APTHTTPPORT} unstable Release' is not signed.
+N: Data from such a repository can not be authenticated and is therefore potentially dangerous to use.
 E: Release file for http://localhost:${APTHTTPPORT}/dists/unstable/Release is expired (invalid since). Updates for this repository will not be applied."
 E: Release file for http://localhost:${APTHTTPPORT}/dists/unstable/Release is expired (invalid since). Updates for this repository will not be applied."
 find aptarchive -name 'Release.gpg' -delete
 find aptarchive -name 'Release.gpg' -delete
 echo 'Acquire::GzipIndexes "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
 echo 'Acquire::GzipIndexes "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
@@ -159,7 +161,8 @@ Hit:3 http://localhost:${APTHTTPPORT} unstable/main Sources
 Hit:4 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
 Hit:4 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
 Hit:5 http://localhost:${APTHTTPPORT} unstable/main Translation-en
 Hit:5 http://localhost:${APTHTTPPORT} unstable/main Translation-en
 Reading package lists...
 Reading package lists...
-W: The repository 'http://localhost:${APTHTTPPORT} unstable Release' does not have a Release file. This is deprecated, please contact the owner of the repository."
+W: The repository 'http://localhost:${APTHTTPPORT} unstable Release' does not have a Release file.
+N: Data from such a repository can not be authenticated and is therefore potentially dangerous to use."
 find aptarchive -name '*Release*' -delete
 find aptarchive -name '*Release*' -delete
 echo 'Acquire::GzipIndexes "0";
 echo 'Acquire::GzipIndexes "0";
 Acquire::PDiffs "0";' > rootdir/etc/apt/apt.conf.d/02compressindex
 Acquire::PDiffs "0";' > rootdir/etc/apt/apt.conf.d/02compressindex

+ 5 - 1
test/integration/test-bug-596498-trusted-unsigned-repo

@@ -8,6 +8,7 @@ configarchitecture 'i386'
 
 
 buildsimplenativepackage 'cool' 'i386' '1.0' 'unstable'
 buildsimplenativepackage 'cool' 'i386' '1.0' 'unstable'
 
 
+msgmsg 'default setup'
 setupaptarchive
 setupaptarchive
 
 
 aptgetupdate() {
 aptgetupdate() {
@@ -28,6 +29,7 @@ testsuccessequal "$PKGTEXT
 $DOWNLOG
 $DOWNLOG
 Download complete and in download only mode" aptget install cool --assume-no -d --allow-unauthenticated
 Download complete and in download only mode" aptget install cool --assume-no -d --allow-unauthenticated
 
 
+msgmsg 'sources marked trusted=no'
 sed -i -e 's#\(deb\(-src\)\?\) #\1 [trusted=no] #' $DEBFILE
 sed -i -e 's#\(deb\(-src\)\?\) #\1 [trusted=no] #' $DEBFILE
 aptgetupdate 'testsuccess'
 aptgetupdate 'testsuccess'
 
 
@@ -47,6 +49,7 @@ Download complete and in download only mode" aptget install cool:i386 --assume-n
 configarchitecture 'i386'
 configarchitecture 'i386'
 
 
 find aptarchive/ \( -name 'Release.gpg' -o -name 'InRelease' \) -delete
 find aptarchive/ \( -name 'Release.gpg' -o -name 'InRelease' \) -delete
+msgmsg 'unsigned repo'
 sed -i -e 's#\(deb\(-src\)\?\) \[trusted=no\] #\1 #' $DEBFILE
 sed -i -e 's#\(deb\(-src\)\?\) \[trusted=no\] #\1 #' $DEBFILE
 aptgetupdate
 aptgetupdate
 
 
@@ -63,8 +66,9 @@ Authentication warning overridden.
 $DOWNLOG
 $DOWNLOG
 Download complete and in download only mode" aptget install cool --assume-no -d --allow-unauthenticated
 Download complete and in download only mode" aptget install cool --assume-no -d --allow-unauthenticated
 
 
+msgmsg 'sources marked trusted=yes'
 sed -i -e 's#\(deb\(-src\)\?\) #\1 [trusted=yes] #' $DEBFILE
 sed -i -e 's#\(deb\(-src\)\?\) #\1 [trusted=yes] #' $DEBFILE
-aptgetupdate
+aptgetupdate 'testsuccess'
 
 
 testsuccessequal "$PKGTEXT
 testsuccessequal "$PKGTEXT
 $DOWNLOG
 $DOWNLOG

+ 2 - 2
test/integration/test-sourceslist-trusted-options

@@ -109,7 +109,7 @@ everythingsucceeds -t testing
 msgmsg 'Test with trusted=yes option and good and unsigned sources'
 msgmsg 'Test with trusted=yes option and good and unsigned sources'
 cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
 cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
 sed -i 's#^deb\(-src\)\? #deb\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
 sed -i 's#^deb\(-src\)\? #deb\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
-aptgetupdate 'testwarning'
+aptgetupdate
 everythingsucceeds
 everythingsucceeds
 everythingsucceeds -t stable
 everythingsucceeds -t stable
 everythingsucceeds -t testing
 everythingsucceeds -t testing
@@ -187,7 +187,7 @@ everythingfails -t testing
 msgmsg 'Test with trusted=yes option and unsigned and good sources'
 msgmsg 'Test with trusted=yes option and unsigned and good sources'
 cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
 cp -a rootdir/etc/apt/sources.list.d.bak/* rootdir/etc/apt/sources.list.d/
 sed -i 's#^deb\(-src\)\? #deb\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
 sed -i 's#^deb\(-src\)\? #deb\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
-aptgetupdate 'testwarning'
+aptgetupdate
 everythingsucceeds
 everythingsucceeds
 everythingsucceeds -t stable
 everythingsucceeds -t stable
 everythingsucceeds -t testing
 everythingsucceeds -t testing