Merge lp:~mvo/aptdaemon/support-change-credentials-on-add-repo into lp:aptdaemon
Status: | Merged |
---|---|
Merged at revision: | 856 |
Proposed branch: | lp:~mvo/aptdaemon/support-change-credentials-on-add-repo |
Merge into: | lp:aptdaemon |
Diff against target: | 0 lines |
To merge this branch: | bzr merge lp:~mvo/aptdaemon/support-change-credentials-on-add-repo |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Martin Pitt (community) | Approve | ||
Michael Vogt | Needs Resubmitting | ||
Anthony Lenton (community) | Approve | ||
Review via email: mp+112098@code.launchpad.net |
Description of the change
This branch allows changing the credentials for a given machine without duplicating them.
When add_repository is called with a already existing repository that contains credentials this will
currently lead to /etc/apt/auth.conf to append the credentials to the file. This also means that if
the credentials change the first credentials will stay in the file and a duplicated "machine" token
is added.
This branch fixes the issue by cleaning the auth.conf from multiple duplicated machine tokens plus
it will allow updating credentials using the AddRepository call for already existing repositories.
If. e.g. auth.conf contains
machine example.com/foo
user bar
password baz
and AddRepository("deb http://
the credentials with this branch now.
<achuni> mvo_: netrc.netrc( auth_conf_ path).hosts returns a dict? /code.launchpad .net/~mvo/ aptdaemon/ support- change- credentials- on-add- repo/+merge/ 112098 ) auth.conf. tmp owned by some different user, and have you move it onto /etc/apt/auth.conf on their behalf? auth.conf. tmp doesn't exist before opening it?)
<achuni> mvo_: (looking at https:/
<achuni> yep
<achuni> ah, Eric S. Raymond, why did you think lowercase class names were a good idea?
<mvo_> achuni: hehe
<achuni> mvo_: will l. 51 create the new file owned by the right user?
<achuni> (by root?)
<mvo_> achuni: good catch, but yes, aptdaemon (the backend) runs as root
<achuni> also, could somebody else create a file at /etc/apt/
<mvo_> and the umask should be correct too to ensure its 0600, but let me double check that
<achuni> (ie, would it be necessary to check /etc/apt/
<mvo_> achuni: good point again, I think the risk is tiny as the dir is root owned, but I could use a tempfile instead here
<achuni> mvo_: not sure it's necessary, dir perms might be enough here
<achuni> mvo_: jic, creating a tempfile in /tmp could mean it's on a different filesystem, and make the call to os.rename() less atomic
<mvo_> achuni: exactly that was my main reasoning to do it in the same place (plus less risk for tmpdir based attacks as /etc/apt should be non-user writable)
<achuni> right
<achuni> mvo_: if you go for a tempfile, it could be right there in /etc/apt/ maybe?
<mvo_> achuni: aha, that is a good idea
<achuni> mvo_: so, if netrc.hosts is a dict, what happens atm if you have duplicate entries in /etc/apt/ for a ppa, one is just skipped entirely?
<mvo_> achuni: yes, apt will pick the first one
<mvo_> achuni: apt just reads the file sequentially iirc and stops on the first match
<achuni> mvo_: looking at the code it seems it currently keeps the last auth line for each machine (at least in 2.7) I hope that doesn't contradict the symptoms
<achuni> mvo_: I don't think it's an issue, but another side effect of your branch is that it strips out all comments from auth.conf, if there were any
<mvo_> achuni: yeah, the comments are a issue, we currently don't use any there, but users may have put some there :/
<mvo_> achuni: the last auth line is probably the best one currently, or do I miss anything? its a bit tricky to decide if there are multiple ones
<achuni> mvo_: yep, I think the last one is best, as it seems to be the last one that was written with the current code
<mvo_> achuni: yes, I think so too
<achuni> mvo_: I hope that doesn't mean that we need to start looking for a different issue, because this should be working as is :)
<achuni> mvo_: branch looks good in general, I'll give my +1 as is
<achuni> mvo_: I'll let you decide what you want to do about the comments :)