path: root/pbuilder-updatebuildenv
Commit message [Author, Age]
* updatebuildenv: correctly detect if debdelta is available [Mattia Rizzolo, 2015-11-18]
| Closes: #805392
* use log.w() instead of log() [Mattia Rizzolo, 2015-11-15]
|
* use log.i() instead of log() [Mattia Rizzolo, 2015-11-15]
|
* {create,update}buildenv: consider APTGETOPT also when running apt-get update [Mattia Rizzolo, 2015-11-12]
|
* use relative sources where possible [Mattia Rizzolo, 2015-11-01]
| This way it's a lot easier to test stuff without actually installing it
| Use BASH_SOURCE, which contains the path of the current script being executed.
| BASH_SOURCE is clearly a bashism, but it's cheaper than using dirname(1).
| Thanks to Gianfranco Costamagna for noticing how this bit could have been improved.
| Gbp-Dch: Short
* no need to load runhooks anymore now that it's all handled in -modules [Mattia Rizzolo, 2015-10-28]
| Gbp-Dch: ignore
* always load hooks just after extracting the build place, and unload them when cleaning up [Mattia Rizzolo, 2015-10-13]
| So, no need to load&run&unload everywhere as it is now.
| Gbp-Dch: Short
* use `hash` instead of `which`, for all the good it brings [Mattia Rizzolo, 2015-10-07]
| Gbp: Ignore
* updatebuildenv: also explicitly install 2 de-facto dependencies of debdelta which are only in recommends [Mattia Rizzolo, 2015-10-05]
| Those 2 are real deps, as debdelta-upgrade won't work without them, though the maintainer thinks otherwise: https://bugs.debian.org/545831
| Install them manually (since using --install-recommends would install way too much stuff), and then mark them as automatically installed, so they will be removed by the `apt-get autoremove` thing once debdelta's gone (but won't before because debdelta references them someway).
| Gbp-Dch: Ignore
* Make the debdelta implementation more robust and document the new options in the manpages [Mattia Rizzolo, 2015-10-05]
|
* Add debdelta support, enable optionally via pbuilderrc or the command line. [Ritesh Raj Sarraf, 2015-10-04]
| Closes: #602711
| Signed-off-by: Ritesh Raj Sarraf <rrs@debian.org>
* fix a whole bunch of warnings from shellcheck [Mattia Rizzolo, 2015-09-18]
| There are still quite some, this is a first chunk based on a given patch applied where I felt confident enough.
| Thanks: Herbert Parentes Fortes Neto <hpfn@ig.com.br> for the initial patch-set
* Revert "test failure." [Junichi Uekawa, 2012-03-31]
| This reverts commit eac13303c66da4e22447c1132b214593a3865130.
* test failure. [Junichi Uekawa, 2012-03-31]
|
* Show current time in create / update operations too. (closes: #613854) [Junichi Uekawa, 2012-03-28]
| It's probably useful to see them in the logs.
* factor out common code for apt key rings. [Junichi Uekawa, 2012-03-13]
|
* make longer lines wrap so reading patch files isn't as painful. [Junichi Uekawa, 2012-03-09]
|
* Bug#579028: pbuilder: installs untrusted packages without asking [Simon Ruderich, 2012-03-09]
| Package: pbuilder
| Version: 0.206
| Tags: patch
| Followup-For: Bug #579028
|
| Dear Maintainer,
|
| The attached patch changes the defaults to always enforce signed repositories and aborts if an untrusted/manipulated package is installed.
|
| It adds the new option --keyring (APTKEYRINGS) to add additional keyrings, which are then used to verify the (local) signed repositories. This way no untrusted packages can be installed.
|
| To still allow untrusted/unsigned repositories - they are a very bad idea and allow remote attackers performing a MITM to take over the system, including all built packages - the new option --allow-untrusted (ALLOWUNTRUSTED) was added.
|
| I tested it with the official Debian repository, signed and unsigned local repositories and it works fine for me. But I'm only a "normal" pbuilder user, so I might have missed something. Please test the patch. I haven't tested it with cdebootstrap, but it should work as well.
|
| The old PBUILDERSATISFYDEPENDSOPT --check-key option was deprecated and is no longer used (it emits a warning now) as validation is the default now.
|
| The patch also contains documentation updates for the new options/variables and updates for the NEWS file describing the necessary changes to continue using untrusted packages (but please don't do that - especially as a Debian developer).
|
| Please have a look and include the patch as soon as possible to fix this security issue.
|
| Regards,
| Simon
|
| -- System Information:
| Debian Release: wheezy/sid
| APT prefers unstable
| APT policy: (500, 'unstable')
| Architecture: amd64 (x86_64)
|
| Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
| Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
| Shell: /bin/sh linked to /bin/dash
|
| Versions of packages pbuilder depends on:
| ii  cdebootstrap           0.5.8+b1
| ii  coreutils              8.13-3
| ii  debconf [debconf-2.0]  1.5.41
| ii  debianutils            4.2.1
| ii  debootstrap            1.0.38
| ii  dpkg-dev               1.16.1.2
| ii  wget                   1.13.4-2
|
| Versions of packages pbuilder recommends:
| pn  devscripts  2.11.4
| pn  fakeroot    1.18.2-1
| pn  sudo        <none>
|
| Versions of packages pbuilder suggests:
| pn  cowdancer     <none>
| pn  gdebi-core    <none>
| pn  pbuilder-uml  <none>
|
| -- debconf information excluded
|
| From cadc48fb599d436577a6efedc7f25e175652a3a1 Mon Sep 17 00:00:00 2001
| Message-Id: <cadc48fb599d436577a6efedc7f25e175652a3a1.1330997290.git.simon@ruderich.org>
| From: Simon Ruderich <simon@ruderich.org>
| Date: Tue, 6 Mar 2012 02:00:48 +0100
| Subject: [PATCH] Enforce valid signed repositories by default.
* Add an option to verify key signatures. (closes: #579028) [Junichi Uekawa, 2010-07-05]
| By unsetting APTGETOPT, and setting PBUILDERSATISFYDEPENDSOPT=('--check-key'), the user now has an option of verifying the key signature of each package against the installed keyring.
* Add builtin ccache support, enabled by default [Loïc Minier, 2010-01-02]
| Add builtin support for using ccache in pbuilder and enable it by default.
| Ship a new /var/cache/pbuilder/ccache dir and bind-mount and chown it to BUILDUSERID at build time.
| Install/remove ccache automatically on create/update if CCACHEDIR is set/unset.
| Update docs and remove old ccache config example.
| Add a NEWS entry featuring the change.
* Remove aptitude with apt-get install aptitude- [Loïc Minier, 2010-01-02]
| Remove aptitude with apt-get install aptitude- and note that we should use apt-get to remove REMOVEPACKAGES in the future.
* Only remove/install aptitude on create/update [Loïc Minier, 2010-01-02]
| Only install aptitude in pbuilder-createbuildenv or pbuilder-updatebuildenv, not in pbuilder-satisfydepends-aptitude, and only when $PBUILDERSATISFYDEPENDSCMD uses aptitude.
| Remove aptitude in pbuilder-createbuildenv and pbuilder-updatebuildenv otherwise; closes: #539578.
* Also drop apt from pbuilder-updatebuildenv [Loïc Minier, 2010-01-02]
|
* pass apt-get '-q' option to remove the progress. [Junichi Uekawa, 2009-08-15]
| It's probably not too useful when used non-interactively, and clutters output.
* install aptitude via EXTRAPACKAGES, and not hard-code. (closes: #539578) [Junichi Uekawa, 2009-08-08]
|
* Do not error out on etch apt for apt-get autoremove (closes: #531454) [Junichi Uekawa, 2009-06-19]
| Just ignore the error for now.
| '|| true' should be removed after etch is no longer supported.
| There are other solutions like checking for versions, but I don't like the complexity required just to support an old version.
* Drop useless -o APT::Get::AutomaticRemove=true [Loïc Minier, 2009-05-10]
| Drop useless -o "APT::Get::AutomaticRemove=true" from dist-upgrade.
* Call apt-get autoremove on upgrades; #322649 [Loïc Minier, 2009-05-10]
| Call "apt-get autoremove" explicitly on upgrades as APT::GET::AutomaticRemove=true doesn't work with "apt-get dist-upgrade"; closes: #322649.
* refactor to use 'log' function rather than using 'echo' directly. [Junichi Uekawa, 2009-02-26]
| First cut into doing this, hopefully we're not breaking anything.
* Set APT::Get::AutomaticRemove=true in upgrade instead of calling autoremove [Loïc Minier, 2008-01-12]
| Instead of running "apt-get autoremove", run apt-get dist-upgrade with -o APT::Get::AutomaticRemove=true; this avoids solutions based on checking for the version of APT or outputting an error on older APT, or masking all errors.
| Also, autoremove happens after the upgrade instead of before.
* Do not show "Upgrading for distribution xyz" message on update when --override-config is not specified (closes: #459432) [Junichi Uekawa, 2008-01-11]
| when no --override-config option is given, options like --distribution, .... (or their .pbuilderrc counterparts DISTRIBUTION, ...) are not taken into account for setting up the chroot, they also shouldn't be used for outputting diagnostics.
| Thanks to Andreas Beckmann <debian@abeckmann.de>
* * Run apt-get autoremove after upgrade. [Loïc Minier, 2007-12-18]
|
* * rename pbuilder-satisfydepends to pbuilder-satisfydepends-classic, and [Junichi Uekawa, 2007-08-28]
|   install pbuilder-satisfydepends-aptitude as the default pbuilder-satisfydepends
| * install aptitude per default in chroot.
* fix always ending with "Aborting with error" [Junichi Uekawa, 2007-05-27]
|
* fix thinko: trap exit -> trap - exit [Junichi Uekawa, 2007-05-27]
|
* change "trap" handling so that all trap function calls are called _trap, and they will exit pbuilder after receiving a trap. [Junichi Uekawa, 2007-05-27]
|
* trap sighup as well as exit: create/update [Junichi Uekawa, 2007-05-27]
|
* trap SIGHUP as well as EXIT. [Junichi Uekawa, 2007-05-27]
|
* copyright year 2007, and changelog about it, and changelog warning/error to >&2 [Junichi Uekawa, 2007-03-27]
|
* update copyright info. [dancer, 2006-05-30]
|
* * fix pdebuild --help output (closes: #367133) [dancer, 2006-05-14]
| * pbuilderrc.5: undocument the restriction that --buildresult option needs to be specified for pdebuild, and BUILDRESULT cannot be used. I should probably warn that the directory should be absolute.
| * pdebuild.1: fix man a bit to make --buildresult option doc unambiguous.
* preliminary support for bind-mounted apt cache directory. [dancer, 2006-02-12]
|
* Revert to using --force-yes, since --allow-unauthenticated doesn't work with sarge [dancer, 2005-12-04]
| * Bug fix: "/usr/share/doc/pbuilder/examples/B90linda missing --force-yes option", thanks to qfunk (Closes: #340715).
|   Note: --allow-unauthenticated is probably a better option here, but apt-get in sarge does not support it, we will revisit it after etch.
* * Bug fix: "/usr/share/doc/pbuilder/examples/B90linda missing [dancer, 2005-12-04]
|   --allow-unauthenticated option", thanks to qfunk (Closes: #340715).
|   - fixed other scripts to use --allow-unauthenticated option rather than --force-yes.
| * debconf compatibility level 4
* update documentation and manual pages [dancer, 2005-09-30]
| * suppress warnings from find; it wants -maxdepth before any other argument. (closes: #330848)
| * Documentation update patch from Osamu Aoki to clarify about configuration file priorities and issues associated with it. (closes: #325318)
* testsuite is run again. [dancer, 2005-06-04]
|
* autoclean option. [dancer, 2005-06-03]
|
* + * pbuilder.8: document --autocleanaptcache [dancer, 2005-06-03]
| +
| + * pbuilder-updatebuildenv:
| + * pbuilder-checkparams (AUTOCLEANAPTCACHE): support auto-clean of aptcache
| + (IGNORE_UMOUNT): add --autocleanaptcache
| +
* change to use experimental, [dancer, 2005-06-03]
| and apply patch; and apply my own patch.
* + * pbuilder-updatebuildenv: Patch from matt kraai to save [dancer, 2004-06-17]
| + apt cache when pbuilder update fails.
| + 252777, 252793
| +