Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add lens to handle Deb822 formatted Apt sources: /etc/apt/sources.d/*.sources #297

Open
SunilMohanAdapa opened this issue Sep 13, 2015 · 3 comments · May be fixed by #801
Open

Add lens to handle Deb822 formatted Apt sources: /etc/apt/sources.d/*.sources #297

SunilMohanAdapa opened this issue Sep 13, 2015 · 3 comments · May be fixed by #801
Labels
feature request lens

Comments

@SunilMohanAdapa
Copy link

Apt supports a new format for describing its sources. This format is based on RFC822 and is know as Deb822. An example from the man page sources.list(5) is as follows:

Types: deb deb-src
URIs: http://example.com
Suites: stable testing
Sections: component1 component2
Description: short
 long long long
[option1]: [option1-value]

Types: deb
URIs: http://another.example.com
Suites: experimental
Sections: component1 component2
Enabled: no
Description: short
 long long long
[option1]: [option1-value]

Augeas should implement a new lens (perhaps sharing a common base with debctrl lens) that can parse this new format. Users, at their choice, are allowed to pick any of the old or new formats. This means that to be able to reliably modify sources list, programs must understand both the formats.

Motivation: Attackers may observe systems downloading a particular security update and realize that is vulnerable and attack it before the security update is applied. Jacob Applebaum's talk at Debconf discusses this. apt-transport-tor allows downloading packages anonymously via the Tor anonymity network. This makes this kind of attacks much more difficult. apt-transport-tor is available for Debian as a package. To enable it, one has to update all the URLs in sources.list to look like tor+http:// instead of http://. This can't be done reliably if Augeas can parse only one of the two known file formats.

Further notes on Deb822: The current version of Apt supports both formats in the same files. It interprets the file as one format or the other using a configuration setting. This is a bit of a problem for Augeas as it parses files based on path/name. The Apt developers have changed this behavior in Apt 1.1 which is available in Debian experimental. In Apt 1.1:

  • /etc/apt/sources.list will always be old style format.
  • /etc/apt/sources.list.d/*.list will always be old format.
  • /etc/apt/sources.list.d/*.sources will always be new format files.
@raphink
Copy link
Member

raphink commented Sep 14, 2015

Is Deb822 based on RFC822 proper? Should there be a RFC822 module, on which to base a Deb822 module, on which to base both DebCtrl and AptSources822 modules?

@SunilMohanAdapa
Copy link
Author

On 09/14/2015 03:09 PM, Raphaël Pinson wrote:

Is Deb822 based on RFC822 proper? Should there be a |RFC822| module, on
which to base a |Deb822| module, on which to base both |DebCtrl| and
|AptSources822| modules?

I think it makes sense to have a common base for Debctrl and
Aptsources822. However, it should perhaps not be called RFC822.

On the question of whether Deb822 is RFC822, I asked on #debian-apt@OTFC
and had the following discussion:

sunilmohan: Deb822 is like RFC-822 but spans multiple
sections. I also think multiple line fields are slightly different,
in that they cannot contain empty lines in deb822
RFC 822 specifies a format consisting of a set headers and
a body, whereas we use multiple RFC-822 header-style sections
In terms of parsing syntax, it is same as Debian control
file? (covered by the debctrl Augeas lens)
Yes, unless you have some field-name-specifc handling there
I'm not sure if you handle comments starting with #

Hope this helps.

Sunil

@raphink
Copy link
Member

raphink commented Sep 15, 2015

Thanks, that does help, as there doesn't seem to be any real specification for Deb822.

jvalleroy added a commit to jvalleroy/augeas that referenced this issue Jan 28, 2023
@jvalleroy
Add Aptsources822 lens for Deb822 style Apt sources
f4e2619 
We are using this lens in FreedomBox to add/remove "tor+" prefix to
Apt sources URIs. Original commit: https://salsa.debian.org/freedombox-team/freedombox/-/commit/cd21c7f247135828e63379cc6d32a8edcb53a582

Closes: hercules-team#297.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
@jvalleroy jvalleroy linked a pull request Jan 28, 2023 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request lens
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add Aptsources822 lens for Deb822 style Apt sources jvalleroy/augeas
3 participants
@domcleal @raphink @SunilMohanAdapa