[Aptitude-devel] Bug#895217: aptitude: Uses hostname of repo to determine what is a security update instead of repo metadata
Axel Beckert
abe at debian.org
Sun Apr 8 13:00:57 UTC 2018
Package: aptitude
Version: 0.8.10-6
Severity: normal
Tags: confirmed upstream
aptitude uses the hostname of the APT repository (e.g. "security.debian.org")
to determine what is a security update and what isn't instead of using
the repository metadata provided by apt's libraries.
From src/generic/apt/apt.cc:

bool is_security(const pkgCache::VerIterator &ver)
{
  static std::regex site_regex { "^security\\.(.+\\.)?debian.org$" };
  std::smatch site_match;

  for (pkgCache::VerFileIterator F = ver.FileList(); !F.end(); ++F)
    {
      pkgCache::PkgFileIterator fileit = F.File();
      if (!fileit.end())
        {
          string site = fileit.Site() ? fileit.Site() : "";
          string label = fileit.Label() ? fileit.Label() : "";
          std::regex_search(site, site_match, site_regex);
          if (!site_match.empty() && label == "Debian-Security")
            return true;
        }
    }
  return false;
}

This should rather look at metadata (especially the label) like this:

$ apt-cache policy | fgrep -i security
 990 http://security.debian.org stretch/updates/non-free i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=non-free,b=i386
     origin security.debian.org
 990 http://security.debian.org stretch/updates/contrib i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=contrib,b=i386
     origin security.debian.org
 990 http://security.debian.org stretch/updates/main i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin security.debian.org
 990 https://security.debian.ethz.ch stretch/updates/non-free i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=non-free,b=i386
     origin security.debian.ethz.ch
 990 https://security.debian.ethz.ch stretch/updates/contrib i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=contrib,b=i386
     origin security.debian.ethz.ch
 990 https://security.debian.ethz.ch stretch/updates/main i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin security.debian.ethz.ch

-- Package-specific info:
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages aptitude depends on:
ii aptitude-common 0.8.10-6
ii libapt-pkg5.0 1.6~beta1
ii libboost-filesystem1.62.0 1.62.0+dfsg-5
ii libboost-iostreams1.62.0 1.62.0+dfsg-5
ii libboost-system1.62.0 1.62.0+dfsg-5
ii libc6 2.27-3
ii libcwidget3v5 0.5.17-7
ii libgcc1 1:8-20180402-1
ii libncursesw5 6.1-1
ii libsigc++-2.0-0v5 2.10.0-2
ii libsqlite3-0 3.23.0-1
ii libstdc++6 8-20180402-1
ii libtinfo5 6.1-1
ii libxapian30 1.4.5-1
Versions of packages aptitude recommends:
ii libparse-debianchangelog-perl 1.2.0-12
ii sensible-utils 0.0.12
Versions of packages aptitude suggests:
ii apt-xapian-index 0.49
ii aptitude-doc-en [aptitude-doc] 0.8.10-6
ii debtags 2.1.5
pn tasksel <none>
-- no debconf information
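
Added example (not part of the original report and not aptitude's code): a small stand-alone program that parses two entries of the `apt-cache policy` output shown above and compares the hostname-plus-label check quoted from apt.cc with a label-only check. The names Source, parse_policy, security_by_label and security_by_site_and_label are made up for this illustration.

```cpp
#include <iostream>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// Two entries copied from the `apt-cache policy` output in the report.
const std::string SAMPLE = R"( 990 http://security.debian.org stretch/updates/main i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin security.debian.org
 990 https://security.debian.ethz.ch stretch/updates/main i386 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=i386
     origin security.debian.ethz.ch
)";
struct Source { std::string site, label; };  // origin host and Release label (l=)

// Pair each "release" line's l= field with the "origin" line that follows it.
std::vector<Source> parse_policy(const std::string &text) {
    std::vector<Source> out;
    std::string label;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        std::istringstream words(line);
        std::string key, value, kv;
        std::getline(words >> key >> std::ws, value);  // first word, then rest of line
        if (key == "release") {
            label.clear();
            for (std::istringstream f(value); std::getline(f, kv, ',');)
                if (kv.compare(0, 2, "l=") == 0) label = kv.substr(2);
        } else if (key == "origin") {
            out.push_back({value, label});
            label.clear();
        }
    }
    return out;
}

// Metadata-only check, as the report proposes.
bool security_by_label(const Source &s) { return s.label == "Debian-Security"; }

// Check as quoted from apt.cc: hostname regex AND label must both match.
bool security_by_site_and_label(const Source &s) {
    static const std::regex site_regex("^security\\.(.+\\.)?debian.org$");
    return std::regex_search(s.site, site_regex) && security_by_label(s);
}

int main() {
    for (const Source &s : parse_policy(SAMPLE))
        std::cout << s.site << " site+label=" << security_by_site_and_label(s)
                  << " label-only=" << security_by_label(s) << "\n";
}
```

The label comes from the repository's Release file, so it is only as trustworthy as the signature verification apt performs on that file.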