From eea6312729b11f6c80c6cec027bbc475a34bb2d1 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 25 Jul 2008 19:45:46 +0200 Subject: * add doc/examples/apt-https-method-example.cof (thanks to Arnaud Ebalard, closes: #485964) --- doc/examples/apt-https-method-example.conf | 165 +++++++++++++++++++++++++++++ 1 file changed, 165 insertions(+) create mode 100644 doc/examples/apt-https-method-example.conf (limited to 'doc') diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf new file mode 100644 index 00000000..0067171b --- /dev/null +++ b/doc/examples/apt-https-method-example.conf 
@@ -0,0 +1,165 @@ +/* This file is a sample configuration for apt https method. Configuration + parameters found in this example file are expected to be used in main + apt.conf file, just like other configuration parameters for different + methods (ftp, file, ...). + + This example file starts with a common setup that voluntarily exhibits + all available configurations knobs with simple comments. Extended + comments on the behavior of the option is provided at the end for + better readibility. As a matter of fact, a common configuration file + will certainly contain far less elements and benefit of default values + for many parameters. + + Because some configuration parameters for apt https method in following + examples apply to specific (fictional) repositories, the associated + sources.list file is provided here: + + ... + + deb https://secure.dom1.tld/debian unstable main contrib non-free + deb-src https://secure.dom1.tld/debian unstable main contrib non-free + + deb https://secure.dom2.tld/debian unstable main contrib non-free + deb-src https://secure.dom2.tld/debian unstable main contrib non-free + + ... + + + Some notes on the servers: + + - secure.dom1.tld is freely accessible using https (no client + authentication is required). + - secure.dom1.tld certificate is part of a multi level PKI, and we + want to specifically check the issuer of its certificate. We do + not have the constraint for secure.dom2.tld + - secure.dom2.tld requires client authentication by certificate + to access its content. + - The certificate presented by both server have (as expected) a CN that + matches their respective DNS names. + - It somtimes happens that we had other more generic https available + repository to our list. We want the checks to be performed against + a common list of anchors (like the one provided by ca-certificates + package for instance) + + The sample configuration below basically covers those simpe needs. 
+*/ + + +// Verify peer certificate and also matching between certificate name +// and server name as provided in sources.list (default values) +Acquire::https::Verify-Peer "true"; +Acquire::https::Verify-Host "true"; + +// Except otherwise specified, use that list of anchors +Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem"; + +// Use a specific anchor and associated CRL. Enforce issuer of +// server certificate using its cert. +Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem"; + +// Like previous for anchor and CRL, but also provide our +// certificate and keys for client authentication. +Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem"; +Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem"; +Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem"; + +// No need to downgrade, TLS will be proposed by default. Uncomment +// to have SSLv3 proposed. +// Acquire::https::mirror.ipv6.ssi.corp::SslForceVersion "SSLv3"; + +// No need for more debug if every is fine (default). Uncomment +// me to get additional information. +// Debug::Acquire::https "true"; + + +/* + Options with extended comments: + + Acquire::https[::repo.domain.tld]::CaInfo "/path/to/ca/certs.pem"; + + A string providing the path of a file containing the list of trusted + CA certificates used to verify the server certificate. The pointed + file is made of the concatenation of the CA certificates (in + PEM format) creating the chain used for the verification of the path + from the root (self signed one). If the remote server provides the + whole chain during the exchange, the file need only contain the root + certificate. Otherwise, the whole chain is required. + + If you need to support multiple authorities, the only way is to + concatenate everything. + + If None is provided, the default CA bundle used by GnuTLS (apt https + method is linked against libcurl-gnutls) is used. 
At the time of + writing, /etc/ssl/certs/ca-certificates.crt. + + If no specific hostname is provided, the file is used by default + for all https targets. If a specific mirror is provided, it is + used for the https entries in the sources.list file that use that + repository (with the same name). + + Acquire::https[::repo.domain.tld]::Verify-Peer "true"; + + When authenticating the server, if the certificate verification fails + for some reason (expired, revoked, man in the middle, lack of anchor, + ...), the connection fails. This is obviously what you want in all + cases and what the default value (true) of this option provides. + + If you know EXACTLY what you are doing, setting this option to "false" + allow you to skip peer certificate verification and make the exchange + succeed. Again, this option is for debugging or testing purpose only. + It removes ALL the security provided by the use of SSL.TLS to secure + the HTTP exchanges. + + Acquire::https[::repo.domain.tld]::Verify-Host "true"; + + The certificate provided by the server during the TLS/SSL exchange + provides the identity of the server which should match the DNS name + used to access it. By default, as requested by RFC 2818, the name + of the mirror is checked against the identity found in the + certificate. This default behavior is safe and should not be + changed. If you know that the server you are using has a DNS name + which does not match the identity in its certificate, you can + [report that issue to its administrator or] set the option to + "false", which will prevent the comparison to be done. + + The options can be set globally or on a per-mirror basis. If set + globally, the DNS name used is the one found in the sources.list + file in the https URI. + + Acquire::https[::repo.domain.tld]::SslCert "/path/to/client/cert.pem"; + Acquire::https[::repo.domain.tld]::SslKey "/path/to/client/key.pem"; + + These two options provides support for client authentication using + certificates. 
They respectively accept the X.509 client certificate + in PEM format and the associated client key in PEM format (non + encrypted form). + + The options can be set globally (which rarely makes sense) or on a + per-mirror basis. + + Acquire::https[::repo.domain.tld]::SslForceVersion "TLSv1"; + + This option can be use to select the version which will be proposed + to the server. "SSLv3" and "TLSv1" are supported. SSLv2, which is + considered insecure anyway is not supported (by gnutls, which is + used by libcurl against which apt https method is linked). + + When the option is set to "SSLv3" to have apt propose SSLv3 (and + associated sets of ciphersuites) instead of TLSv1 (the default) + when performing the exchange. This prevents the server to select + TLSv1 and use associated cipheruites. You should probably not use + this option except if you know exactly what you are doing. + + Note that the default setting does not guarantee that the server + will not select SSLv3 (for ciphersuites and SSL/TLS version as + selectio is always done by the server, in the end). It only means + that apt will not advertise TLS support. + + Debug::Acquire::https "true"; + + This option can be used to show debug information. Because it is + quite verbose, it is mainly useful to debug problems in case of + failure to connect to a server for some reason. The default value + is "false". + +*/ -- cgit v1.2.3 From 06d79436542ccf3e9664306da05ba4c34fba4882 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 31 Jul 2008 14:34:50 +0200 Subject: (thanks to Joey Hess) * document --install-recommends and --no-install-recommends (thanks to Dereck Wonnacott, LP: #126180) --- debian/changelog | 4 +++- doc/apt-get.8.xml | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/debian/changelog b/debian/changelog index f040d6cd..0f78f6d5 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -23,7 +23,9 @@ apt (0.7.15) UNRELEASED; urgency=low (thanks to Arnaud Ebalard, closes: #485964) * add DPkg::NoTriggers option so that applications that call apt/aptitude (like the installer) defer trigger processing - (thanks to Joey Hess) + (thanks to Joey Hess) + * document --install-recommends and --no-install-recommends + (thanks to Dereck Wonnacott, LP: #126180) -- diff --git a/doc/apt-get.8.xml b/doc/apt-get.8.xml index 329a46c5..edb74270 100644 --- a/doc/apt-get.8.xml +++ b/doc/apt-get.8.xml @@ -313,6 +313,14 @@ Configuration Item: APT::Get::Compile. + + Also install recommended packages. + + + + Do not install recommended packages. + + Ignore package Holds; This causes apt-get to ignore a hold placed on a package. This may be useful in conjunction with -- cgit v1.2.3 From 5aa95c863d9bc5b0de7dd1279d3ad672193cc3a6 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 31 Jul 2008 14:57:38 +0200 Subject: * Apply --important option to apt-cache depends (LP: #16947) --- cmdline/apt-cache.cc | 8 +++++++- debian/changelog | 2 +- doc/apt-cache.8.xml | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/cmdline/apt-cache.cc b/cmdline/apt-cache.cc index d73111b6..a73e35a5 100644 --- a/cmdline/apt-cache.cc +++ b/cmdline/apt-cache.cc @@ -555,6 +555,7 @@ bool Depends(CommandLine &CmdL) bool Recurse = _config->FindB("APT::Cache::RecurseDepends",false); bool Installed = _config->FindB("APT::Cache::Installed",false); + bool Important = _config->FindB("APT::Cache::Important",false); bool DidSomething; do { @@ -577,7 +578,12 @@ bool Depends(CommandLine &CmdL) for (pkgCache::DepIterator D = Ver.DependsList(); D.end() == false; D++) { - + // Important deps only + if (Important == true) + if (D->Type != pkgCache::Dep::PreDepends && + D->Type != pkgCache::Dep::Depends) + continue; + pkgCache::PkgIterator Trg = D.TargetPkg(); if((Installed && Trg->CurrentVer != 0) || !Installed) 
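Review bot: The new filter in the `for (pkgCache::DepIterator D …)` loop of Depends() is written as two nested brace-less `if`s, which reads as if the `continue` could belong to the outer condition alone; the type test is one predicate and is clearer as a single guard, `if (Important == true && D->Type != pkgCache::Dep::PreDepends && D->Type != pkgCache::Dep::Depends) continue;`. The comment `// Important deps only` would carry more information as `// --important: keep only Depends/Pre-Depends, the same set the unmet command uses`, since that definition is what the doc/apt-cache.8.xml hunk of this commit promises. The Depends() body begins and ends outside the hunk.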
diff --git a/debian/changelog b/debian/changelog index c788c1d7..24f876e4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -29,7 +29,7 @@ apt (0.7.15) UNRELEASED; urgency=low [ Dereck Wonnacott ] * apt-ftparchive might write corrupt Release files (LP: #46439) - + * Apply --important option to apt-cache depends (LP: #16947) -- diff --git a/doc/apt-cache.8.xml b/doc/apt-cache.8.xml index c1e65332..c359ac3d 100644 --- a/doc/apt-cache.8.xml +++ b/doc/apt-cache.8.xml @@ -289,7 +289,7 @@ Reverse Provides: - Print only important dependencies; for use with unmet. Causes only Depends and + Print only important dependencies; for use with unmet and depends. Causes only Depends and Pre-Depends relations to be printed. Configuration Item: APT::Cache::Important. -- cgit v1.2.3 From 496a05c628d39c981a8f472f16629043d8508808 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 6 Aug 2008 13:58:44 +0200 Subject: make "apt-get build-dep" installed packages marked automatic by default. This can be changed by setting the value of APT::Get::Build-Dep-Automatic to false (thanks to Aaron Haviland, closes: #44874, LP: #248268) --- cmdline/apt-get.cc | 2 ++ debian/changelog | 6 +++++- doc/examples/configure-index | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 104baba8..eda37a31 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -2513,6 +2513,8 @@ bool DoBuildDep(CommandLine &CmdL) { // We successfully installed something; skip remaining alternatives skipAlternatives = hasAlternatives; + if(_config->FindB("APT::Get::Build-Dep-Automatic", true) == true) + Cache->MarkAuto(Pkg, true); continue; } else if (hasAlternatives) diff --git a/debian/changelog b/debian/changelog index cd433ac2..e034dc73 100644 --- a/debian/changelog +++ b/debian/changelog 
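Review bot: `_config->FindB("APT::Get::Build-Dep-Automatic", true)` is evaluated for every successfully installed build-dependency inside the loop in DoBuildDep(); the lookup is loop-invariant and reads better hoisted into a `bool const MarkBuildDepsAuto = _config->FindB("APT::Get::Build-Dep-Automatic", true);` before the loop, with the body reduced to `if (MarkBuildDepsAuto) Cache->MarkAuto(Pkg, true);` (the `== true` against a bool is noise). Whether this branch can also be reached for a package that was already installed and manually marked is not visible in the hunk; if it can, MarkAuto would silently flip a user's manual mark, which deserves either a comment stating why that cannot happen or a `Pkg->CurrentVer == 0`-style guard — confirm against the surrounding code. The enclosing loop and DoBuildDep() itself start and end outside the hunk.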
@@ -27,7 +27,11 @@ apt (0.7.15) UNRELEASED; urgency=low * document --install-recommends and --no-install-recommends (thanks to Dereck Wonnacott, LP: #126180) * fix various -Wall warnings - + * make "apt-get build-dep" installed packages marked automatic + by default. This can be changed by setting the value of + APT::Get::Build-Dep-Automatic to false (thanks to Aaron + Haviland, closes: #44874, LP: #248268) + [ Dereck Wonnacott ] * apt-ftparchive might write corrupt Release files (LP: #46439) * Apply --important option to apt-cache depends (LP: #16947) diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 9c53154d..0bab8e0f 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -54,6 +54,7 @@ APT Only-Source ""; Diff-Only "false"; Tar-Only "false"; + Build-Dep-Automatic "true"; }; Cache -- cgit v1.2.3 From 7948d3b25d8190c6d2529efa5983199bd22b6440 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 12 Sep 2008 11:42:34 +0200 Subject: * doc/makefile: - add examples/apt-https-method-example.conf --- configure.in | 2 +- debian/changelog | 4 +++- doc/makefile | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/configure.in b/configure.in index c0c73e1c..4d3f557d 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_CONFIG_AUX_DIR(buildlib) AC_CONFIG_HEADER(include/config.h:buildlib/config.h.in include/apti18n.h:buildlib/apti18n.h.in) dnl -- SET THIS TO THE RELEASE VERSION -- -AC_DEFINE_UNQUOTED(VERSION,"0.7.13") +AC_DEFINE_UNQUOTED(VERSION,"0.7.15") PACKAGE="apt" AC_DEFINE_UNQUOTED(PACKAGE,"$PACKAGE") AC_SUBST(PACKAGE) diff --git a/debian/changelog b/debian/changelog index 1e23129b..cc3dc794 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -38,12 +38,14 @@ apt (0.7.15) UNRELEASED; urgency=low * cmdline/apt-cache.cc: - remove the gettext from a string that consists entirely of variables (LP: #56792) + * doc/makefile: + - add examples/apt-https-method-example.conf [ Dereck Wonnacott ] * apt-ftparchive might write corrupt Release files (LP: #46439) * Apply --important option to apt-cache depends (LP: #16947) - -- + -- Michael Vogt Fri, 12 Sep 2008 11:34:24 +0200 apt (0.7.14) unstable; urgency=low diff --git a/doc/makefile b/doc/makefile index 8a8a04c0..6ea1c134 100644 --- a/doc/makefile +++ b/doc/makefile @@ -20,7 +20,7 @@ INCLUDES = apt.ent include $(XML_MANPAGE_H) # Examples -SOURCE = examples/apt.conf examples/sources.list examples/configure-index +SOURCE = examples/apt.conf examples/sources.list examples/configure-index examples/apt-https-method-example.conf TO = $(DOC) TARGET = binary include $(COPY_H) -- cgit v1.2.3 From 668ce84da00041c65cae3957d2b49786efa34276 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 3 Feb 2009 14:10:36 +0100 Subject: * methods/https.cc: - add Acquire::https::AllowRedirect support --- debian/changelog | 2 ++ doc/examples/configure-index | 6 ++++-- methods/https.cc | 5 +++++ 3 files changed, 11 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/debian/changelog b/debian/changelog index 6dea85f2..c0da6697 100644 --- a/debian/changelog +++ b/debian/changelog @@ -41,6 +41,8 @@ apt (0.7.21) UNRELEASED; urgency=low * apt-pkg/pkgcache.cc: - do not run "dpkg --configure pkg" if pkg is in trigger-awaited state (LP: #322955) + * methods/https.cc: + - add Acquire::https::AllowRedirect support [ Dereck Wonnacott ] * apt-ftparchive might write corrupt Release files (LP: #46439) diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 84b1d882..a4167085 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index 
@@ -183,7 +183,8 @@ Acquire
 Proxy::http.us.debian.org "DIRECT"; // Specific per-host setting
 Timeout "120";
 Pipeline-Depth "5";
-
+ AllowRedirect "true";
+
 // Cache Control. Note these do not work with Squid 2.0.2
 No-Cache "false";
 Max-Age "86400"; // 1 Day age on index files
@@ -200,7 +201,8 @@ Acquire
 Verify-Peer "false";
 SslCert "/etc/apt/some.pem";
 CaPath "/etc/ssl/certs";
- Verify-Host" "2";
+ Verify-Host" "true";
+ AllowRedirect "true";
 };
 
 ftp
diff --git a/methods/https.cc b/methods/https.cc
index 7c743a42..8bf44b52 100644
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -208,6 +208,11 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
 curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout);
 curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout);
 
+ // set redirect options and default to 10 redirects
+ bool AllowRedirect = _config->FindI("Acquire::https::AllowRedirect", true);
+ curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, AllowRedirect);
+ curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 10);
+
 // debug
 if(_config->FindB("Debug::Acquire::https", false))
 curl_easy_setopt(curl, CURLOPT_VERBOSE, true);
-- cgit v1.2.3
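Review bot: `Acquire::https::AllowRedirect` is read with `_config->FindI(...)`, yet the value this same commit documents in doc/examples/configure-index is the string `"true"`, and the neighbouring `Debug::Acquire::https` lookup two lines below uses `FindB`; an integer parse of `"true"`/`"false"` will not yield the intended 0/1 (as far as I recall apt's FindI returns the default when nothing parses, so the option could never be switched off). Use `bool const AllowRedirect = _config->FindB("Acquire::https::AllowRedirect", true);`. CURLOPT_FOLLOWLOCATION and CURLOPT_MAXREDIRS are documented by libcurl as taking a `long` through the varargs of curl_easy_setopt, so pass `AllowRedirect ? 1L : 0L` and `10L` rather than a bool and an int. Because honouring a Location header lets an https mirror send the client to a different host or scheme, the comment should say that redirect targets are not constrained here, and where the libcurl in use offers CURLOPT_REDIR_PROTOCOLS it is worth restricting them to CURLPROTO_HTTPS so a redirect cannot downgrade the transport. HttpsMethod::Fetch() starts and ends outside the hunk.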