Release 1.8.5

If a transaction is doomed we want to gracefully shutdown our zoo of
worker processes. As explained in the referenced commit we do this by
stopping the main process from handing out new work and ignoring the
replies it gets from the workers, so that they eventually run out of
work.

We tested this previously by checking if a rred worker was given work
items at all, but depending on how lucky the stars of the machine
working on this are the worker would have already gotten work before the
transaction was aborted – so we tried this 25 times a row (f35601e5d2).
No machine can be this lucky, right?

Turns out the autopkgtest armhf machine is very lucky.

I feel a bit sorry for feeding grep such a long "line" to work with, but
it seems to work out. Porterbox amdahl (who is considerably less lucky;
had to turn down to 1 try to get it to fail sometimes) is now happily
running the test in an endless loop.

Of course, I could have broken the test now, but its still a rather
generic grep (in some ways more generic even) and the main part of the
testcase – the update process finishes and fails – is untouched.

References: 38f8704e41
Closes: #984966
(cherry picked from commit 0d25ce3d46)
(cherry picked from commit c091472587)
LP: #1918920
(cherry picked from commit bb5842ca5c)

.gitlab-ci.yml

@@ -1,4 +1,4 @@
-image: debian:testing
+image: debian:buster
 variables:
   DEBIAN_FRONTEND: noninteractive
 

CMakeLists.txt

@@ -69,6 +69,7 @@ add_optional_compile_options(Wnoexcept)
 add_optional_compile_options(Wsign-promo)
 add_optional_compile_options(Wundef)
 add_optional_compile_options(Wdouble-promotion)
+add_optional_compile_options(Werror=return-type)
 
 # apt-ftparchive dependencies
 find_package(BerkeleyDB REQUIRED)
@@ -193,7 +194,7 @@ check_cxx_target(HAVE_FMV_SSE42_AND_CRC32DI "sse4.2" "__builtin_ia32_crc32di(0,
 # Configure some variables like package, version and architecture.
 set(PACKAGE ${PROJECT_NAME})
 set(PACKAGE_MAIL "APT Development Team <deity@lists.debian.org>")
-set(PACKAGE_VERSION "1.8.2")
+set(PACKAGE_VERSION "1.8.5")
 
 if (NOT DEFINED DPKG_DATADIR)
   execute_process(COMMAND ${PERL_EXECUTABLE} -MDpkg -e "print $Dpkg::DATADIR;"

apt-inst/contrib/arfile.cc

@@ -92,9 +92,14 @@ bool ARArchive::LoadHeaders()
 	  StrToNum(Head.Size,Memb->Size,sizeof(Head.Size)) == false)
       {
 	 delete Memb;
-	 return _error->Error(_("Invalid archive member header %s"), Head.Name);
+	 return _error->Error(_("Invalid archive member header"));
+      }
+
+      if (Left < 0 || Memb->Size > static_cast<unsigned long long>(Left))
+      {
+	 delete Memb;
+	 return _error->Error(_("Invalid archive member header"));
       }
-	 
       // Check for an extra long name string
       if (memcmp(Head.Name,"#1/",3) == 0)
       {
@@ -106,6 +111,13 @@ bool ARArchive::LoadHeaders()
 	    delete Memb;
 	    return _error->Error(_("Invalid archive member header"));
 	 }
+
+	 if (Len > Memb->Size)
+	 {
+	    delete Memb;
+	    return _error->Error(_("Invalid archive member header"));
+	 }
+
 	 if (File.Read(S,Len) == false)
 	 {
 	    delete Memb;
@@ -119,7 +131,14 @@ bool ARArchive::LoadHeaders()
       else
       {
 	 unsigned int I = sizeof(Head.Name) - 1;
-	 for (; Head.Name[I] == ' ' || Head.Name[I] == '/'; I--);
+	 for (; Head.Name[I] == ' ' || Head.Name[I] == '/'; I--)
+	 {
+	    if (I == 0)
+	    {
+	       delete Memb;
+	       return _error->Error(_("Invalid archive member header"));
+	    }
+	 }
 	 Memb->Name = std::string(Head.Name,I+1);
       }
 

apt-inst/contrib/extracttar.cc

@@ -55,7 +55,17 @@ struct ExtractTar::TarHeader
    char Major[8];
    char Minor[8];      
 };
-   
+
+// We need to read long names (names and link targets) into memory, so let's
+// have a limit (shamelessly stolen from libarchive) to avoid people OOMing
+// us with large streams.
+static const unsigned long long APT_LONGNAME_LIMIT = 1048576llu;
+
+// A file size limit that we allow extracting. Currently, that's 128 GB.
+// We also should leave some wiggle room for code adding files to it, and
+// possibly conversion for signed, so this should not be larger than like 2**62.
+static const unsigned long long APT_FILESIZE_LIMIT = 1llu << 37;
+
 // ExtractTar::ExtractTar - Constructor					/*{{{*/
 // ---------------------------------------------------------------------
 /* */
@@ -170,6 +180,11 @@ bool ExtractTar::Go(pkgDirStream &Stream)
 	  StrToNum(Tar->Minor,Itm.Minor,sizeof(Tar->Minor),8) == false)
 	 return _error->Error(_("Corrupted archive"));
 
+      // Security check. Prevents overflows below the code when rounding up in skip/copy code,
+      // and provides modest protection against decompression bombs.
+      if (Itm.Size > APT_FILESIZE_LIMIT)
+	 return _error->Error("Tar member too large: %llu > %llu bytes", Itm.Size, APT_FILESIZE_LIMIT);
+
       // Grab the filename and link target: use last long name if one was
       // set, otherwise use the header value as-is, but remember that it may
       // fill the entire 100-byte block and needs to be zero-terminated.
@@ -222,6 +237,8 @@ bool ExtractTar::Go(pkgDirStream &Stream)
 	 {
 	    unsigned long long Length = Itm.Size;
 	    unsigned char Block[512];
+	    if (Length > APT_LONGNAME_LIMIT)
+	       return _error->Error("Long name to large: %llu bytes > %llu bytes", Length, APT_LONGNAME_LIMIT);
 	    while (Length > 0)
 	    {
 	       if (InFd.Read(Block,sizeof(Block),true) == false)
@@ -241,6 +258,8 @@ bool ExtractTar::Go(pkgDirStream &Stream)
 	 {
 	    unsigned long long Length = Itm.Size;
 	    unsigned char Block[512];
+	    if (Length > APT_LONGNAME_LIMIT)
+	       return _error->Error("Long name to large: %llu bytes > %llu bytes", Length, APT_LONGNAME_LIMIT);
 	    while (Length > 0)
 	    {
 	       if (InFd.Read(Block,sizeof(Block),true) == false)
@@ -258,7 +277,7 @@ bool ExtractTar::Go(pkgDirStream &Stream)
 	 
 	 default:
 	 BadRecord = true;
-	 _error->Warning(_("Unknown TAR header type %u, member %s"),(unsigned)Tar->LinkFlag,Tar->Name);
+	 _error->Warning(_("Unknown TAR header type %u"), (unsigned)Tar->LinkFlag);
 	 break;
       }
       

apt-inst/deb/debfile.cc

@@ -184,11 +184,23 @@ bool debDebFile::ControlExtract::DoItem(Item &Itm,int &Fd)
 // ---------------------------------------------------------------------
 /* This sets up to extract the control block member file into a memory 
    block of just the right size. All other files go into the bit bucket. */
+
+// Upper size limit for control files. Two reasons for having a limit here:
+//
+// 1. We read those files into memory and want to avoid being killed by OOM
+//
+// 2. We allocate (Itm.Size+2)-large arrays, so this can overflow if Itm.Size
+// becomes 2**64-2 or larger. This is obviously
+//
+// 64 MiB seems like a terribly large size that everyone should be happy with.
+static const unsigned long long DEB_CONTROL_SIZE_LIMIT = 64 * 1024 * 1024;
 bool debDebFile::MemControlExtract::DoItem(Item &Itm,int &Fd)
 {
    // At the control file, allocate buffer memory.
    if (Member == Itm.Name)
    {
+      if (Itm.Size > DEB_CONTROL_SIZE_LIMIT)
+	 return _error->Error("Control file too large: %llu > %llu bytes", Itm.Size, DEB_CONTROL_SIZE_LIMIT);
       delete [] Control;
       Control = new char[Itm.Size+2];
       IsControl = true;
@@ -237,6 +249,9 @@ bool debDebFile::MemControlExtract::Read(debDebFile &Deb)
    record. */
 bool debDebFile::MemControlExtract::TakeControl(const void *Data,unsigned long long Size)
 {
+   if (Size > DEB_CONTROL_SIZE_LIMIT)
+      return _error->Error("Control file too large: %llu > %llu bytes", Size, DEB_CONTROL_SIZE_LIMIT);
+
    delete [] Control;
    Control = new char[Size+2];
    Length = Size;

apt-pkg/acquire-item.cc

@@ -1828,7 +1828,7 @@ bool pkgAcqMetaBase::VerifyVendor(string const &)			/*{{{*/
 	 { "Origin", AllowInfoChange, &metaIndex::GetOrigin },
 	 { "Label", AllowInfoChange, &metaIndex::GetLabel },
 	 { "Version", true, &metaIndex::GetVersion }, // numbers change all the time, that is okay
-	 { "Suite", AllowInfoChange, &metaIndex::GetSuite },
+	 { "Suite", true, &metaIndex::GetSuite },
 	 { "Codename", AllowInfoChange, &metaIndex::GetCodename },
 	 { nullptr, false, nullptr }
       };

apt-pkg/contrib/fileutl.cc

@@ -144,10 +144,6 @@ bool RunScripts(const char *Cnf)
       return _error->Errno("waitpid","Couldn't wait for subprocess");
    }
 
-   // Restore sig int/quit
-   signal(SIGQUIT,SIG_DFL);
-   signal(SIGINT,SIG_DFL);   
-
    // Check for an error code.
    if (WIFEXITED(Status) == 0 || WEXITSTATUS(Status) != 0)
    {

apt-pkg/contrib/strutl.cc

@@ -546,7 +546,7 @@ string Base64Encode(const string &S)
       base64.  */
    for (string::const_iterator I = S.begin(); I < S.end(); I += 3)
    {
-      char Bits[3] = {0,0,0};
+      uint8_t Bits[3] = {0,0,0};
       Bits[0] = I[0];
       if (I + 1 < S.end())
 	 Bits[1] = I[1];

apt-pkg/deb/deblistparser.cc

@@ -261,7 +261,7 @@ bool debListParser::NewVersion(pkgCache::VerIterator &Ver)
 // ListParser::AvailableDescriptionLanguages				/*{{{*/
 std::vector<std::string> debListParser::AvailableDescriptionLanguages()
 {
-   std::vector<std::string> const understood = APT::Configuration::getLanguages();
+   std::vector<std::string> const understood = APT::Configuration::getLanguages(true);
    std::vector<std::string> avail;
    static constexpr int prefixLen = 12;
    char buf[32] = "Description-";
@@ -326,6 +326,8 @@ bool debListParser::UsePackage(pkgCache::PkgIterator &Pkg,
 	 return false;
    if (Section.FindFlag(pkgTagSection::Key::Important,Pkg->Flags,pkgCache::Flag::Important) == false)
       return false;
+   if (Section.FindFlag(pkgTagSection::Key::Protected, Pkg->Flags, pkgCache::Flag::Important) == false)
+      return false;
 
    if (std::find(forceEssential.begin(), forceEssential.end(), Pkg.Name()) != forceEssential.end())
    {

apt-pkg/deb/debsystem.cc

@@ -420,9 +420,14 @@ pid_t debSystem::ExecDpkg(std::vector<std::string> const &sArgs, int * const inp
 }
 									/*}}}*/
 bool debSystem::SupportsMultiArch()					/*{{{*/
+{
+   return AssertFeature("multi-arch");
+}
+									/*}}}*/
+bool debSystem::AssertFeature(std::string const &feature) /*{{{*/
 {
    std::vector<std::string> Args = GetDpkgBaseCommand();
-   Args.push_back("--assert-multi-arch");
+   Args.push_back("--assert-" + feature);
    pid_t const dpkgAssertMultiArch = ExecDpkg(Args, nullptr, nullptr, true);
    if (dpkgAssertMultiArch > 0)
    {

apt-pkg/deb/debsystem.h

@@ -50,7 +50,7 @@ class debSystem : public pkgSystem
    APT_HIDDEN static pid_t ExecDpkg(std::vector<std::string> const &sArgs, int * const inputFd, int * const outputFd, bool const DiscardOutput);
    APT_HIDDEN static bool SupportsMultiArch();
    APT_HIDDEN static std::vector<std::string> SupportedArchitectures();
-
+   APT_HIDDEN static bool AssertFeature(std::string const &Feature);
    APT_HIDDEN bool LockInner();
    APT_HIDDEN bool UnLockInner(bool NoErrors=false);
    APT_HIDDEN bool IsLocked();

apt-pkg/deb/dpkgpm.cc

@@ -1431,6 +1431,15 @@ static bool ItemIsEssential(pkgDPkgPM::Item const &I)
       return true;
    return (I.Pkg->Flags & pkgCache::Flag::Essential) != 0;
 }
+static bool ItemIsProtected(pkgDPkgPM::Item const &I)
+{
+   static auto const cachegen = _config->Find("pkgCacheGen::Protected");
+   if (cachegen == "none" || cachegen == "native")
+      return true;
+   if (unlikely(I.Pkg.end()))
+      return true;
+   return (I.Pkg->Flags & pkgCache::Flag::Important) != 0;
+}
 bool pkgDPkgPM::ExpandPendingCalls(std::vector<Item> &List, pkgDepCache &Cache)
 {
    {
@@ -1727,6 +1736,7 @@ bool pkgDPkgPM::Go(APT::Progress::PackageManager *progress)
    OpenLog();
 
    bool dpkgMultiArch = debSystem::SupportsMultiArch();
+   bool dpkgProtectedField = debSystem::AssertFeature("protected-field");
 
    // start pty magic before the loop
    StartPtyMagic();
@@ -1770,8 +1780,8 @@ bool pkgDPkgPM::Go(APT::Progress::PackageManager *progress)
       if (pipe(fd) != 0)
 	 return _error->Errno("pipe","Failed to create IPC pipe to dpkg");
 
-#define ADDARG(X) Args.push_back(X); Size += strlen(X)
-#define ADDARGC(X) Args.push_back(X); Size += sizeof(X) - 1
+#define ADDARG(X) do { const char *arg = (X); Args.push_back(arg); Size += strlen(arg); } while (0)
+#define ADDARGC(X) ADDARG(X)
 
       ADDARGC("--status-fd");
       char status_fd_buf[20];
@@ -1790,10 +1800,15 @@ bool pkgDPkgPM::Go(APT::Progress::PackageManager *progress)
 	 case Item::Remove:
 	 case Item::Purge:
 	 ADDARGC("--force-depends");
+	 ADDARGC("--abort-after=1");
 	 if (std::any_of(I, J, ItemIsEssential))
 	 {
 	    ADDARGC("--force-remove-essential");
 	 }
+	 if (dpkgProtectedField && std::any_of(I, J, ItemIsProtected))
+	 {
+	    ADDARGC("--force-remove-protected");
+	 }
 	 ADDARGC("--remove");
 	 break;
 
@@ -1824,6 +1839,9 @@ bool pkgDPkgPM::Go(APT::Progress::PackageManager *progress)
 	 case Item::Install:
 	 ADDARGC("--unpack");
 	 ADDARGC("--auto-deconfigure");
+	 // dpkg < 1.20.8 needs --force-remove-protected to deconfigure protected packages
+	 if (dpkgProtectedField)
+	    ADDARGC("--force-remove-protected");
 	 break;
       }
 
@@ -2475,7 +2493,7 @@ void pkgDPkgPM::WriteApportReport(const char *pkgpath, const char *errormsg)
    {
 
       fprintf(report, "Df:\n");
-      FILE *log = popen("/bin/df -l","r");
+      FILE *log = popen("/bin/df -l -x squashfs","r");
       if(log != NULL)
       {
 	 char buf[1024];

apt-pkg/depcache.cc

@@ -11,6 +11,7 @@
 
 #include <apt-pkg/aptconfiguration.h>
 #include <apt-pkg/cachefile.h>
+#include <apt-pkg/cachefilter.h>
 #include <apt-pkg/cacheset.h>
 #include <apt-pkg/configuration.h>
 #include <apt-pkg/depcache.h>
@@ -36,6 +37,7 @@
 #include <string.h>
 
 #include <sys/stat.h>
+#include <sys/utsname.h>
 
 #include <apti18n.h>
 									/*}}}*/
@@ -1808,9 +1810,42 @@ APT_PURE signed short pkgDepCache::Policy::GetPriority(pkgCache::VerIterator con
 APT_PURE signed short pkgDepCache::Policy::GetPriority(pkgCache::PkgFileIterator const &/*File*/)
 { return 0; }
 									/*}}}*/
+
+class APT_HIDDEN DefaultRootSetFunc2 : public pkgDepCache::InRootSetFunc, public Configuration::MatchAgainstConfig
+{
+   std::unique_ptr<APT::CacheFilter::PackageNameMatchesRegEx> unameMatcher;
+
+   public:
+   DefaultRootSetFunc2() : Configuration::MatchAgainstConfig("APT::NeverAutoRemove")
+   {
+      bool Debug = _config->FindB("Debug::pkgAutoRemove", false);
+      struct utsname u;
+      if (not _config->FindB("APT::Protect-Kernels", true) || uname(&u) != 0)
+	 return;
+
+      // Escape . and + in the the uname
+      std::string uname = u.release;
+      for (size_t pos = 0; (pos = uname.find_first_of(".+", pos)) != uname.npos; pos += 2)
+	 uname.insert(pos, 1, '\\');
+
+      std::string pattern;
+      for (auto const &kernelPackage : _config->FindVector("APT::VersionedKernelPackages"))
+	 pattern += "|^" + kernelPackage + "-" + uname + "$";
+
+      if (pattern.empty())
+	 return;
+
+      if (Debug)
+	 std::clog << "Kernel protection regex: " << pattern.substr(1) << std::endl;
+      unameMatcher.reset(new APT::CacheFilter::PackageNameMatchesRegEx(pattern.substr(1)));
+   };
+
+   bool InRootSet(const pkgCache::PkgIterator &pkg) APT_OVERRIDE { return pkg.end() == false && ((unameMatcher && (*unameMatcher)(pkg)) || Match(pkg.Name())); };
+};
+
 pkgDepCache::InRootSetFunc *pkgDepCache::GetRootSetFunc()		/*{{{*/
 {
-  DefaultRootSetFunc *f = new DefaultRootSetFunc;
+  DefaultRootSetFunc2 *f = new DefaultRootSetFunc2;
   if(f->wasConstructedSuccessfully())
     return f;
   else

apt-pkg/packagemanager.cc

@@ -609,7 +609,8 @@ bool pkgPackageManager::SmartConfigure(PkgIterator Pkg, int const Depth)
 
    List->Flag(Pkg,pkgOrderList::Configured,pkgOrderList::States);
 
-   if ((Cache[Pkg].InstVerIter(Cache)->MultiArch & pkgCache::Version::Same) == pkgCache::Version::Same)
+   if ((Cache[Pkg].InstVerIter(Cache)->MultiArch & pkgCache::Version::Same) == pkgCache::Version::Same &&
+       not List->IsFlag(Pkg, pkgOrderList::Immediate))
       for (PkgIterator P = Pkg.Group().PackageList();
 	   P.end() == false; P = Pkg.Group().NextPkg(P))
       {
@@ -655,9 +656,11 @@ bool pkgPackageManager::EarlyRemove(PkgIterator Pkg, DepIterator const * const D
 
    // Essential packages get special treatment
    bool IsEssential = false;
-   if ((Pkg->Flags & pkgCache::Flag::Essential) != 0 ||
-       (Pkg->Flags & pkgCache::Flag::Important) != 0)
+   if ((Pkg->Flags & pkgCache::Flag::Essential) != 0)
       IsEssential = true;
+   bool IsProtected = false;
+   if ((Pkg->Flags & pkgCache::Flag::Important) != 0)
+      IsProtected = true;
 
    /* Check for packages that are the dependents of essential packages and
       promote them too */
@@ -665,14 +668,17 @@ bool pkgPackageManager::EarlyRemove(PkgIterator Pkg, DepIterator const * const D
    {
       for (pkgCache::DepIterator D = Pkg.RevDependsList(); D.end() == false &&
 	   IsEssential == false; ++D)
-	 if (D->Type == pkgCache::Dep::Depends || D->Type == pkgCache::Dep::PreDepends)
-	    if ((D.ParentPkg()->Flags & pkgCache::Flag::Essential) != 0 ||
-	        (D.ParentPkg()->Flags & pkgCache::Flag::Important) != 0)
+	 if (D->Type == pkgCache::Dep::Depends || D->Type == pkgCache::Dep::PreDepends) {
+	    if ((D.ParentPkg()->Flags & pkgCache::Flag::Essential) != 0)
 	       IsEssential = true;
+	    if ((D.ParentPkg()->Flags & pkgCache::Flag::Important) != 0)
+	       IsProtected = true;
+	 }
    }
 
    if (IsEssential == true)
    {
+      // FIXME: Unify messaging with Protected below.
       if (_config->FindB("APT::Force-LoopBreak",false) == false)
 	 return _error->Error(_("This installation run will require temporarily "
 				"removing the essential package %s due to a "
@@ -683,6 +689,16 @@ bool pkgPackageManager::EarlyRemove(PkgIterator Pkg, DepIterator const * const D
    // dpkg will auto-deconfigure it, no need for the big remove hammer
    else if (Dep != NULL && (*Dep)->Type == pkgCache::Dep::DpkgBreaks)
       return true;
+   else if (IsProtected == true)
+   {
+      // FIXME: Message should talk about Protected, not Essential, and unified.
+      if (_config->FindB("APT::Force-LoopBreak",false) == false)
+	 return _error->Error(_("This installation run will require temporarily "
+				"removing the essential package %s due to a "
+				"Conflicts/Pre-Depends loop. This is often bad, "
+				"but if you really want to do it, activate the "
+				"APT::Force-LoopBreak option."),Pkg.FullName().c_str());
+   }
 
    bool Res = SmartRemove(Pkg);
    if (Cache[Pkg].Delete() == false)
@@ -1013,10 +1029,18 @@ bool pkgPackageManager::SmartUnPack(PkgIterator Pkg, bool const Immediate, int c
       return false;
 
    if (Immediate == true) {
-      // Perform immediate configuration of the package. 
-         if (SmartConfigure(Pkg, Depth + 1) == false)
-            _error->Error(_("Could not perform immediate configuration on '%s'. "
-               "Please see man 5 apt.conf under APT::Immediate-Configure for details. (%d)"),Pkg.FullName().c_str(),2);
+      // Perform immediate configuration of the package.
+      _error->PushToStack();
+      bool configured = SmartConfigure(Pkg, Depth + 1);
+      _error->RevertToStack();
+
+      if (not configured && Debug) {
+	 clog << OutputInDepth(Depth);
+	 ioprintf(clog, _("Could not perform immediate configuration on '%s'. "
+			   "Please see man 5 apt.conf under APT::Immediate-Configure for details. (%d)"),
+			 Pkg.FullName().c_str(), 2);
+	 clog << endl;
+      }
    }
    
    return true;

apt-pkg/tagfile-keys.list

@@ -48,6 +48,7 @@ Package-Revision
 Package-Type
 Pre-Depends
 Priority
+Protected
 Provides
 Recommended
 Recommends

apt-pkg/tagfile-order.c

@@ -11,7 +11,7 @@ static const char *iTFRewritePackageOrder[] = {
    "Architecture",
    "Subarchitecture", // Used only by d-i
    "Version",
-   "Revision",	 // Obsolete (warning in dpkg)
+   "Revision",	       // Obsolete (warning in dpkg)
    "Package-Revision", // Obsolete (warning in dpkg)
    "Package_Revision", // Obsolete (warning in dpkg)
    "Kernel-Version",   // Used only by d-i
@@ -23,6 +23,7 @@ static const char *iTFRewritePackageOrder[] = {
    "Priority",
    "Class", // dpkg nickname for Priority
    "Build-Essential",
+   "Protected",
    "Essential",
    "Installer-Menu-Item", // Used only by d-i
    "Section",

apt-pkg/update.cc

@@ -46,6 +46,20 @@ bool ListUpdate(pkgAcquireStatus &Stat,
 bool AcquireUpdate(pkgAcquire &Fetcher, int const PulseInterval,
 		   bool const RunUpdateScripts, bool const ListCleanup)
 {
+   enum class ErrorMode
+   {
+      Persistent,
+      Any
+   };
+   std::string errorModeS = _config->Find("APT::Update::Error-Mode", "persistent");
+   ErrorMode errorMode = ErrorMode::Persistent;
+   if (errorModeS == "persistent")
+      errorMode = ErrorMode::Persistent;
+   else if (errorModeS == "any")
+      errorMode = ErrorMode::Any;
+   else
+      return _error->Error("Unknown update error mode %s", errorModeS.c_str());
+
    // Run scripts
    if (RunUpdateScripts == true)
       RunScripts("APT::Update::Pre-Invoke");
@@ -69,7 +83,10 @@ bool AcquireUpdate(pkgAcquire &Fetcher, int const PulseInterval,
 	    AllFailed = false;
 	    continue;
 	 case pkgAcquire::Item::StatTransientNetworkError:
-	    TransientNetworkFailure = true;
+	    if (errorMode == ErrorMode::Any)
+	       Failed = true;
+	    else
+	       TransientNetworkFailure = true;
 	    break;
 	 case pkgAcquire::Item::StatIdle:
 	 case pkgAcquire::Item::StatFetching:
@@ -89,7 +106,7 @@ bool AcquireUpdate(pkgAcquire &Fetcher, int const PulseInterval,
       uri.Password.clear();
       std::string const descUri = std::string(uri);
       // Show an error for non-transient failures, otherwise only warn
-      if ((*I)->Status == pkgAcquire::Item::StatTransientNetworkError)
+      if ((*I)->Status == pkgAcquire::Item::StatTransientNetworkError && errorMode != ErrorMode::Any)
 	 _error->Warning(_("Failed to fetch %s  %s"), descUri.c_str(),
 			(*I)->ErrorText.c_str());
       else

apt-private/private-cmndline.cc

@@ -205,6 +205,7 @@ static bool addArgumentsAPTGet(std::vector<CommandLine::Args> &Args, char const
       addArg(0, "allow-releaseinfo-change-codename", "Acquire::AllowReleaseInfoChange::Codename", 0);
       addArg(0, "allow-releaseinfo-change-suite", "Acquire::AllowReleaseInfoChange::Suite", 0);
       addArg(0, "allow-releaseinfo-change-defaultpin", "Acquire::AllowReleaseInfoChange::DefaultPin", 0);
+      addArg('e', "error-on", "APT::Update::Error-Mode", CommandLine::HasArg);
    }
    else if (CmdMatches("source"))
    {

debian/apt.systemd.daily

@@ -84,7 +84,7 @@ check_stamp()
         return 0
     fi
 
-    if [ "$interval" -eq 0 ]; then
+    if [ "$interval" = 0 ]; then
 	debug_echo "check_stamp: interval=0"
 	# treat as no time has passed
         return 1
@@ -237,7 +237,7 @@ do_cache_backup()
     BackupArchiveInterval="$1"
     if [ "$BackupArchiveInterval" = always ]; then
         :
-    elif [ "$BackupArchiveInterval" -eq 0 ]; then
+    elif [ "$BackupArchiveInterval" = 0 ]; then
         return
     fi
 
@@ -415,12 +415,12 @@ if [ $UpdateInterval = always ] ||
    [ $AutocleanInterval = always ] ||
    [ $CleanInterval = always ] ; then
     :
-elif [ $UpdateInterval -eq 0 ] &&
-     [ $DownloadUpgradeableInterval -eq 0 ] &&
-     [ $UnattendedUpgradeInterval -eq 0 ] &&
-     [ $BackupArchiveInterval -eq 0 ] &&
-     [ $AutocleanInterval -eq 0 ] &&
-     [ $CleanInterval -eq 0 ] ; then
+elif [ $UpdateInterval = 0 ] &&
+     [ $DownloadUpgradeableInterval = 0 ] &&
+     [ $UnattendedUpgradeInterval = 0 ] &&
+     [ $BackupArchiveInterval = 0 ] &&
+     [ $AutocleanInterval = 0 ] &&
+     [ $CleanInterval = 0 ] ; then
 
     # check cache size
     check_size_constraints

debian/changelog

@@ -1,3 +1,80 @@
+apt (1.8.5) buster; urgency=medium
+
+  * Merge 1.8.2.z security uploads back into 1.8.y branch; bringing
+    the changes from 1.8.3, 1.8.4 and this upload to buster.
+
+  [ David Kalnischkies ]
+  * Fix incorrect base64 encoding due to int promotion (LP: #1916050)
+  * Harden test for no new acquires after transaction abort (Closes: #984966)
+    (LP: #1918920)
+
+
+  [ Julian Andres Klode ]
+  * Implement update --error-on=any (Closes: #594813) (LP: #1693900)
+  * Include all translations when building the cache (LP: #1907850)
+  * Add basic support for the Protected field, and do not require force-loopbreak
+    on Protected/Important packages (Closes: #983014) (LP: #1916725)
+  * Protect currently running kernel at run-time (LP: #1615381)
+  * Make ADDARG{,C}() macros expand to single statements
+  * Default Acquire::AllowReleaseInfoChange::Suite to "true" (Closes: #931566)
+  * Improve immediate configuration handling (LP: #1871268)
+    - Do not immediately configure m-a: same packages in lockstep
+    - Ignore failures from immediate configuration. This does not change the
+      actual installation ordering - we never passed the return code to the
+      caller and installation went underway anyway if it could be ordered at a
+      later stage, this just removes spurious after-the-fact errors.
+      (Closes: #973305, #188161, #211075, #649588)
+
+ -- Julian Andres Klode <jak@debian.org>  Fri, 12 Mar 2021 12:57:44 +0100
+
+apt (1.8.4) unstable; urgency=medium
+
+  * CMake: Pass -Werror=return-type to gcc
+  * apt.systemd.daily: Do not numerically check if intervals equal 0
+    (LP: #1840995)
+  * Pass --abort-after=1 to dpkg when using --force-depends (Closes: #935910)
+    (LP: #1844634)
+  * Fix use of GTest to adjust for GTest 1.9
+
+ -- Julian Andres Klode <jak@debian.org>  Thu, 19 Sep 2019 22:06:45 +0200
+
+apt (1.8.3) unstable; urgency=medium
+
+  [ Simon Körner ]
+  * http: Fix Host header in proxied https connections (LP: #1838771)
+
+  [ Brian Murray ]
+  * Do not include squashfs file systems in df output. (LP: #1756595)
+
+ -- Julian Andres Klode <jak@debian.org>  Fri, 09 Aug 2019 11:16:15 +0200
+
+apt (1.8.2.2) buster-security; urgency=high
+
+  * SECURITY UPDATE: Integer overflow in parsing (LP: #1899193)
+    - apt-pkg/contrib/arfile.cc: add extra checks.
+    - apt-pkg/contrib/tarfile.cc: limit tar item sizes to 128 GiB
+    - apt-pkg/deb/debfile.cc: limit control file sizes to 64 MiB
+    - test/*: add tests.
+    - CVE-2020-27350
+  * Additional hardening:
+    - apt-pkg/contrib/tarfile.cc: Limit size of long names and links to 1 MiB
+  * Fix autopkgtest regression in 1.8.2.1 security update
+
+ -- Julian Andres Klode <jak@debian.org>  Mon, 07 Dec 2020 12:31:04 +0100
+
+apt (1.8.2.1) buster-security; urgency=high
+
+  * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
+    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
+    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
+      member names in error path
+    - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
+      member names in error path
+    - CVE-2020-3810
+  * .gitlab.ci.yml: Point to debian:buster
+
+ -- Julian Andres Klode <jak@debian.org>  Tue, 12 May 2020 11:57:30 +0200
+
 apt (1.8.2) unstable; urgency=medium
 
   [ Alwin Henseler ]

doc/apt-get.8.xml

@@ -14,7 +14,7 @@
    &apt-email;
    &apt-product;
    <!-- The last update date -->
-   <date>2019-01-27T00:00:00Z</date>
+   <date>2021-01-08T00:00:00Z</date>
  </refentryinfo>
  
  <refmeta>
@@ -620,6 +620,10 @@
      </para></listitem>
      </varlistentry>
 
+     <varlistentry><term><option>-e<replaceable>any</replaceable></option></term><term><option>--error-on=<replaceable>any</replaceable></option></term>
+     <listitem><para>Fail the update command if any error occured, even a transient one.</para></listitem>
+     </varlistentry>
+
      &apt-commonoptions;
      
    </variablelist>

doc/apt-verbatim.ent

@@ -268,7 +268,7 @@
 ">
 
 <!-- this will be updated by 'prepare-release' -->
-<!ENTITY apt-product-version "1.8.2">
+<!ENTITY apt-product-version "1.8.5">
 
 <!-- (Code)names for various things used all over the place -->
 <!ENTITY debian-oldstable-codename "stretch">

doc/examples/configure-index

@@ -54,6 +54,9 @@ APT
   Build-Profiles "<STRING_OR_LIST>";
 
   NeverAutoRemove "<LIST>";  // list of package name regexes
+  LastInstalledKernel "<STRING>"; // last installed kernel version
+  VersionedKernelPackages "<LIST>"; // regular expressions to be protected from autoremoval (kernel uname will be appended)
+  Protect-Kernels "<BOOL>"; // whether to protect installed kernels against autoremoval (default: true)
 
   // Options for apt-get
   Get
@@ -157,6 +160,7 @@ APT
   {
      Pre-Invoke {"touch /var/lib/apt/pre-update-stamp"; };
      Post-Invoke {"touch /var/lib/apt/post-update-stamp"; };
+     Error-Mode "<STRING>";
   };
 
   /* define a new supported compressor on the fly
@@ -555,6 +559,7 @@ Debug
 pkgCacheGen
 {
   Essential "<STRING>"; // native,all, none, installed
+  Protected "<STRING>"; // native,all, none, installed
   ForceEssential "<STRING_OR_LIST>"; // package names
   ForceImportant "<LIST>"; // package names
 };

doc/po/apt-doc.pot

@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: apt-doc 1.8.2\n"
+"Project-Id-Version: apt-doc 1.8.5\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-05-28 16:41+0200\n"
+"POT-Creation-Date: 2021-03-12 11:57+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1480,6 +1480,16 @@ msgid ""
 "&apt-cache; for further details."
 msgstr ""
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml

doc/po/de.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt 1.6\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-02-04 15:34+0100\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2018-10-21 12:58+0200\n"
 "Last-Translator: Chris Leick <c.leick@vollbio.de>\n"
 "Language-Team: German <debian-l10n-german@lists.debian.org>\n"
@@ -2072,6 +2072,16 @@ msgstr ""
 "verwendet werden, um mehrere Dateien hinzuzufügen. Weitere Einzelheiten der "
 "<option>--with-source</option>-Beschreibung finden Sie unter &apt-cache;."
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml

doc/po/es.po

@@ -38,7 +38,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt-doc 1.0.5\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-02-04 15:34+0100\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2014-07-04 01:31+0200\n"
 "Last-Translator: Omar Campagne <ocampagne@gmail.com>\n"
 "Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n"
@@ -2119,6 +2119,16 @@ msgid ""
 "cache; for further details."
 msgstr ""
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml
@@ -9991,8 +10001,8 @@ msgid ""
 "from polluting its cache with (big) .deb files."
 msgstr ""
 "Se proporcionan tres opciones de configuración para el control de la caché "
-"con proxy cachés conformes an HTTP/1.1. <literal>No-Cache</literal> indica al "
-"proxy que nunca utilice la respuesta cacheada. <literal>Max-Age</literal> "
+"con proxy cachés conformes an HTTP/1.1. <literal>No-Cache</literal> indica "
+"al proxy que nunca utilice la respuesta cacheada. <literal>Max-Age</literal> "
 "define la máxima antigüedad permitida (en segundos) de un fichero de índice "
 "en la caché de un proxy. <literal>No-Store</literal> define que el proxy no "
 "debe almacenar ficheros del archivo en su caché, que se puede utilizar para "

doc/po/fr.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt-doc 1.8.0\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-05-21 14:38+0200\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2019-05-01 17:00+0100\n"
 "Last-Translator: Jean-Pierre Giraud <jean-pierregiraud@neuf.fr>\n"
 "Language-Team: French <debian-l10n-french@lists.debian.org>\n"
@@ -2070,6 +2070,16 @@ msgstr ""
 "répétée pour ajouter de multiples fichiers. Voir la description de l'option "
 "<option>--with-source</option> dans &apt-cache; pour plus de détails."
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml

doc/po/it.po

@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt-doc 1.0.5\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-02-04 15:34+0100\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2017-03-27 19:05+0200\n"
 "Last-Translator: Beatrice Torracca <beatricet@libero.it>\n"
 "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
@@ -2101,6 +2101,16 @@ msgstr ""
 "per aggiungere più file. Vedere la descrizione di <option>--with-source</"
 "option> in &apt-cache; per ulteriori dettagli."
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml

doc/po/ja.po

@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt-doc 1.4\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-02-04 15:34+0100\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2017-01-06 04:50+0900\n"
 "Last-Translator: Takuma Yamada <tyamada@takumayamada.com>\n"
 "Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
@@ -2031,6 +2031,16 @@ msgstr ""
 "ファイルを追加できます。さらなる詳細については &apt-cache; の <option>--with-"
 "source</option> の説明を見てください。"
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml

doc/po/nl.po

@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt-doc 1.8.0~rc3\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-03-08 09:41+0100\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2019-02-16 20:46+0100\n"
 "Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
 "Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
@@ -2140,6 +2140,16 @@ msgstr ""
 "meerdere bestanden toe te voegen. Zie voor verdere details de beschrijving "
 "van de optie <option>--with-source</option> in &apt-cache;."
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml

doc/po/pl.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt-doc 1.0.5\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-02-04 15:34+0100\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2014-07-04 02:13+0200\n"
 "Last-Translator: Robert Luberda <robert@debian.org>\n"
 "Language-Team: Polish <manpages-pl-list@lists.sourceforge.net>\n"
@@ -2128,6 +2128,16 @@ msgid ""
 "cache; for further details."
 msgstr ""
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml

doc/po/pt.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt 1.8.0\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-05-21 14:35+0200\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2019-04-07 22:02+0000\n"
 "Last-Translator: Américo Monteiro <a_monteiro@gmx.com>\n"
 "Language-Team: Portuguese <>\n"
@@ -2083,6 +2083,16 @@ msgstr ""
 "repetido para adicionar vários ficheiros. Veja a descrição de <option>--with-"
 "source</option> em &apt-cache; para mais detalhes."
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml
 #: apt_preferences.5.xml apt_auth.conf.5.xml

doc/po/pt_BR.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: apt-doc 1.0.5\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-02-04 15:34+0100\n"
+"POT-Creation-Date: 2021-03-10 13:40+0000\n"
 "PO-Revision-Date: 2004-09-20 17:02+0000\n"
 "Last-Translator: André Luís Lopes <andrelop@debian.org>\n"
 "Language-Team: <debian-l10n-portuguese@lists.debian.org>\n"
@@ -1452,6 +1452,16 @@ msgid ""
 "cache; for further details."
 msgstr ""
 
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><term><option><replaceable>
+#: apt-get.8.xml
+msgid "any"
+msgstr ""
+
+#. type: Content of: <refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: apt-get.8.xml
+msgid "Fail the update command if any error occured, even a transient one."
+msgstr ""
+
 #. type: Content of: <refentry><refsect1><title>
 #: apt-get.8.xml apt-cache.8.xml apt-key.8.xml apt-mark.8.xml apt.conf.5.xml