| Commit message (Expand) | Author | Age |
|---|
| * | updatebuildenv: correctly detect if debdelta is available•••Closes: #805392
| Mattia Rizzolo | 2015-11-18 |
| * | use log.w() instead of log() | Mattia Rizzolo | 2015-11-15 |
| * | use log.i() instead of log() | Mattia Rizzolo | 2015-11-15 |
| * | {create,update}buildenv: consider APTGETOPT also when running apt-get update | Mattia Rizzolo | 2015-11-12 |
| * | use relative sources where possible•••This way it's a lot easier to test stuff without actually installing it
Use BASH_SOURCE, which contains the path of the current script being executed.
BASH_SOURCE is clearly a bashism, but it's cheaper than using dirname(1).
Thanks to Gianfranco Costamagna for noticing how this bit could have be improved.
Gbp-Dch: Short
| Mattia Rizzolo | 2015-11-01 |
| * | no need to load runhooks anymore now that it's all handled in -modules•••Gbp-Dch: ignore
| Mattia Rizzolo | 2015-10-28 |
| * | always load hooks just after extracting the build place, and unload them when...•••So, no need to load&run&unload everywhere as it is now.
Gbp-Dch: Short
| Mattia Rizzolo | 2015-10-13 |
| * | use `hash` instead of `which`, for all the good it brings•••Gbp: Ignore
| Mattia Rizzolo | 2015-10-07 |
| * | updatebuildenv: also explicitely install 2 de-facto dependencies of debdelta ...•••Those 2 are real deps, as debdelta-upgrade won't work without them, though the
maintainer thinks otherwise: https://bugs.debian.org/545831
Install them manually (since using --install-recommends would install way too
much stuff), and then mark them as automatically installed, so they will be
removed by the `apt-get autoremove` thing once debdelta's gone (but won't before
because debdelta references them someway).
Gbp-Dch: Ignore
| Mattia Rizzolo | 2015-10-05 |
| * | Make the debdelta implementation more rubost and document the new options in ... | Mattia Rizzolo | 2015-10-05 |
| * | Add debdelta support, enable optionally via pbuilderrc or the command line.•••Closes: #602711
Signed-off-by: Ritesh Raj Sarraf <rrs@debian.org>
| Ritesh Raj Sarraf | 2015-10-04 |
| * | fix a whole bunch of warning from shellcheck•••There are still quite some, this is a first chunk based on a given patch
applied where i felt confident enough.
Thanks: Herbert Parentes Fortes Neto <hpfn@ig.com.br> for the initial patch-set
| Mattia Rizzolo | 2015-09-18 |
| * | Revert "test failure."•••This reverts commit eac13303c66da4e22447c1132b214593a3865130.
| Junichi Uekawa | 2012-03-31 |
| * | test failure. | Junichi Uekawa | 2012-03-31 |
| * | Show current time in create / update operations too. (closes: #613854)•••It's probably useful to see them in the logs.
| Junichi Uekawa | 2012-03-28 |
| * | factor out common code for apt key rings. | Junichi Uekawa | 2012-03-13 |
| * | make longer lines wrap so reading patch files aren't as painful. | Junichi Uekawa | 2012-03-09 |
| * | Bug#579028: pbuilder: installs untrusted packages without asking•••Package: pbuilder
Version: 0.206
Tags: patch
Followup-For: Bug #579028
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The attached patch changes the defaults to always enforce signed
repositories and aborts if an untrusted/manipulated package is
installed. It adds the new option --keyring (APTKEYRINGS) to add
additional keyrings, which are then used to verify the (local)
signed repositories. This way no untrusted packages can be
installed.
To still allow untrusted/unsigned repositories - they are a very
bad idea and allow remote attackers performing a MITM to take
over the system, including all built packages - the new option
- --allow-untrusted (ALLOWUNTRUSTED) was added.
I tested it with the official Debian repository, signed and
unsigned local repositories and it works fine for me. But I'm
only a "normal" pbuilder user, so I might have missed something.
Please test the patch.
I haven't tested it with cdebootstrap, but it should work as
well.
The old PBUILDERSATISFYDEPENDSOPT --check-key option was
deprecated and is no longer used (it emits a warning now) as
validation is the default now.
The patch also contains documentation updates for the new
options/variables and updates for the NEWS file describing the
necessary changes to continue using untrusted packages (but
please don't do that - especially as a Debian developer).
Please have a look and include the patch as soon as possible to
fix this security issue.
Regards,
Simon
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pbuilder depends on:
ii cdebootstrap 0.5.8+b1
ii coreutils 8.13-3
ii debconf [debconf-2.0] 1.5.41
ii debianutils 4.2.1
ii debootstrap 1.0.38
ii dpkg-dev 1.16.1.2
ii wget 1.13.4-2
Versions of packages pbuilder recommends:
pn devscripts 2.11.4
pn fakeroot 1.18.2-1
pn sudo <none>
Versions of packages pbuilder suggests:
pn cowdancer <none>
pn gdebi-core <none>
pn pbuilder-uml <none>
- -- debconf information excluded
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPVWhvAAoJEJL+/bfkTDL5ivAP/iayE8NRQnyk2HW8R+NiRXU3
uavLilwwpmEZyuciu8GxMQIAhT9HYd/DlkhF9I+yBSd30TO3fl0xW7YV9SaIZ+bv
IPwnZbHri4KfeV9Zob/gd2jrT9A2QCoFRW0ny4XNCK3NvtWH5KuH+TG2Mq5CQqdN
j4VJ3+76oJcbQbU7AUYXfvKDAsEb7gX+VwTEFLS4GrPkni/FIQJ8HHJhlTscyuCD
gQANCoRFZHVSMaas3xqi9KYFKgVS4BZ5Z/9FZuLeY5kWBfcbnIhQloVOWTQZIMRI
PhnqP1g62XlPu71K3a/Y2RMAcy3Gs6sUbW4OianIr2iskCndejih/MCb+3LmBFCg
Ekxi/CcJGrc7a0pV57Qs8Iwkm1siRZZUxcp4xdD3mo9iayoOt4sfFyrvBCYryilQ
7JKpQc3iNoV3EQql6KBu5G+GmFFWHmokpLvVY27n8LgkV2YSb2wrgxqXPfxcYHj7
0j/y2MFw+HOX/d5YSESMLxn9aiZBi7CkMtlMemzqizxlNlL/+OOZiDsi4vdH8L/j
Y0c2i9efjNeooc0/B9wASu/Ck8SWV8wW1EcfTag0p9Rp0avy4hoQUmG+MtgQsV0l
MQuWWysyxeJFX4Z8ooau82L6sIGC0L073JH6Y/C7uTOz9gKt+e5tV3fnU+pkWpqH
oF3CcmlykKX4SYzhUI/e
=6EPj
-----END PGP SIGNATURE-----
>From cadc48fb599d436577a6efedc7f25e175652a3a1 Mon Sep 17 00:00:00 2001
Message-Id: <cadc48fb599d436577a6efedc7f25e175652a3a1.1330997290.git.simon@ruderich.org>
From: Simon Ruderich <simon@ruderich.org>
Date: Tue, 6 Mar 2012 02:00:48 +0100
Subject: [PATCH] Enforce valid signed repositories by default.
| Simon Ruderich | 2012-03-09 |
| * | Add an option to verify key signatures. (closes: #579028)•••By unsetting APTGETOPT, and setting
PBUILDERSATISFYDEPENDSOPT=('--check-key'), the user now has an option
of verifying the key signature of each package against the installed
keyring.
| Junichi Uekawa | 2010-07-05 |
| * | Add builtin ccache support, enabled by default•••Add builtin support for using ccache in pbuilder and enable it by
default. Ship a new /var/cache/pbuilder/ccache dir and bind-mount and
chown it to BUILDUSERID at build time. Install/remove ccache
automatically on create/update if CCACHEDIR is set/unset. Update docs
and remove old ccache config example. Add a NEWS entry featuring the
change.
| Loïc Minier | 2010-01-02 |
| * | Remove aptitude with apt-get install aptitude-•••Remove aptitude with apt-get install aptitude- and note that we should
use apt-get to remove REMOVEPACKAGES in the future.
| Loïc Minier | 2010-01-02 |
| * | Only remove/install aptitude on create/update•••Only install aptitude in pbuilder-createbuildenv or
pbuilder-updatebuildenv, not in pbuilder-satisfydepends-aptitude, and
only when $PBUILDERSATISFYDEPENDSCMD uses aptitude. Remove aptitude in
pbuilder-createbuildenv and pbuilder-updatebuildenv otherwise;
closes: #539578.
| Loïc Minier | 2010-01-02 |
| * | Also drop apt from pbuilder-updatebuildenv | Loïc Minier | 2010-01-02 |
| * | pass apt-get '-q' option to remove the progress.•••It's probably not too useful when used non-interactively, and clutters output.
| Junichi Uekawa | 2009-08-15 |
| * | install aptitude via EXTRAPACKAGES, and not hard-code. (closes: #539578) | Junichi Uekawa | 2009-08-08 |
| * | Do not error out on etch apt for apt-get autoremove (closes: #531454)•••Just ignore the error for now.
'|| true' should be removed after etch is no longer supported.
There are other solutions like checking for versions, but I don't like
the complexity required just to support an old version.
| Junichi Uekawa | 2009-06-19 |
| * | Drop useless -o APT::Get::AutomaticRemove=true•••Drop useless -o "APT::Get::AutomaticRemove=true" from dist-upgrade.
| Loïc Minier | 2009-05-10 |
| * | Call apt-get autoremove on upgrades; #322649•••Call "apt-get autoremove" explicitely on upgrades as
APT::GET::AutomaticRemove=true doesn't work with "apt-get dist-upgrade";
closes: ##322649.
| Loïc Minier | 2009-05-10 |
| * | refactor to use 'log' function rather than using 'echo' directly.•••First cut into doing this, hopefully we're not breaking anything.
| Junichi Uekawa | 2009-02-26 |
| * | Set APT::Get::AutomaticRemove=true in upgrade instead of calling autoremove•••Instead of running "apt-get autoremove", run apt-get dist-upgrade with -o
APT::Get::AutomaticRemove=true; this avoids solutions based on checking for
the version of APT or outputting an error on older APT, or masking all
errors. Also, autoremove happens after the upgrade instead of before.
| Loïc Minier | 2008-01-12 |
| * | Do not show "Upgrading for distribution xyz" message on update when --overrid...•••when no --override-config option is given, options like --distribution,
.... (or their .pbuilderrc counterparts DISTRIBUTION, ...) are not taken
into account for setting up the chroot, they also shouldn't be used for
outputting diagnostics.
Thanks to Andreas Beckmann <debian@abeckmann.de>
| Junichi Uekawa | 2008-01-11 |
| * | * Run apt-get autoremove after upgrade. | Loïc Minier | 2007-12-18 |
| * | * rename pbuilder-satisfydepends to pbuilder-satisfydepends-classic, and••• install pbuilder-satisfydepends-aptitude as the deafault
pbuilder-satisfydepends
* install aptitude per default in chroot.
| Junichi Uekawa | 2007-08-28 |
| * | fix always ending with "Aborting with error" | Junichi Uekawa | 2007-05-27 |
| * | fix thinko: trap exit -> trap - exit | Junichi Uekawa | 2007-05-27 |
| * | change "trap" handling so that all trap function calls are called _trap, and ... | Junichi Uekawa | 2007-05-27 |
| * | trap sighup as well as exit: create/update | Junichi Uekawa | 2007-05-27 |
| * | trap SIGHUP as well as EXIT. | Junichi Uekawa | 2007-05-27 |
| * | copyright year 2007, and changelog about it, and changelog warning/error to >&2 | Junichi Uekawa | 2007-03-27 |
| * | update copyright info. | dancer | 2006-05-30 |
| * | * fix pdebuild --help output (closes: #367133)••• * pbuilderrc.5: undocument the restriction that --buildresult
option needs to be specified for pdebuild, and BUILDRESULT cannot
be used.
I should probably warn that the directory should be absolute.
* pdebuild.1: fix man a bit to make --buildresult option doc
unambiguous.
| dancer | 2006-05-14 |
| * | preliminary support for bind-mounted apt cache directory. | dancer | 2006-02-12 |
| * | Revert to using --force-yes, since --allow-unauthenticated doesn't work with ...••• * Bug fix: "/usr/share/doc/pbuilder/examples/B90linda missing
--force-yes option", thanks to qfunk (Closes: #340715).
Note: --allow-unauthenticated is probably a better option here, but
apt-get in sarge does not support it, we will revisit it after etch.
| dancer | 2005-12-04 |
| * | * Bug fix: "/usr/share/doc/pbuilder/examples/B90linda missing••• --allow-unauthenticated option", thanks to qfunk (Closes: #340715).
- fixed other scripts to use --allow-unauthenticated option rather than --force-yes.
* debconf compatibility level 4
| dancer | 2005-12-04 |
| * | update documentation and manual pages••• * suppress warnings from find; it wants -maxdepth before any other
argument. (closes: #330848)
* Documentation update patch from Osamu Aoki to clarify about
configuration file priorities and issues associated with it.
(closes: #325318)
| dancer | 2005-09-30 |
| * | testsuite is ran again. | dancer | 2005-06-04 |
| * | autoclean option. | dancer | 2005-06-03 |
| * | + * pbuilder.8: document --autocleanaptcache•••+
+ * pbuilder-updatebuildenv:
+ * pbuilder-checkparams (AUTOCLEANAPTCACHE): support auto-clean of aptcache
+ (IGNORE_UMOUNT): add --autocleanaptcache
+
| dancer | 2005-06-03 |
| * | change to use experimental,•••and apply patch; and apply my own patch.
| dancer | 2005-06-03 |
| * | + * pbuilder-updatebuildenv: Patch from matt kraai to save•••+ apt cache when pbuilder update fails.
+ 252777, 252793
+
| dancer | 2004-06-17 |