APT 1.1 released

November 30, 2015

After 1.5 years of work we released APT 1.1 this week! I’m very excited about this milestone.

The new 1.1 has some nice new features but it also improves a lot of stuff under the hood. With APT 1.0 we did add a lot of UI improvements, this time the focus is on the reliability of the acquire system and the library.

Some of the UI highlights include:

  • apt install local-file.deb works
  • apt build-dep foo.dsc works
  • apt supports most of the common apt-get/apt-cache commands so you safe some typing :)
  • apt update progress reporting much more accurate
  • apt-cache showsrc --only-source srcpkgname does the right thing
  • The --force-yes option is split into the more fine grained --allow-{downgrades, remove-essential, change-held} options
  • Documentation and help output improvements
  • apt-mark supports more states
  • Support for deb822 style sources.list.d files

Under the hood:

  • No more “guessing” when fetching files (we did this to support old repository formats) only download stuff that is listed in the {,In}release Kalnischkiesfile).
  • support for by-hash index downlods (once the servers support that no more hashsum-mismatch errors because of proxies or transparent proxies)
  • we support downloading additional files that are opaque for apt itself (like apt-file or appstream data)
  • the acquire system is more atomic and more robust, no more issues with captive portals
  • protection about a class of endless-data attacks from hostile MITM
  • disallow signed repositories from ever becoming unsigned
  • privilege dropping in the acquire methods
  • if {,In}Release did not change, do not bother checking the other indexes (lot less HITs on the mirrors on not-modified resources)
  • SRV record support
  • improved policy engine
  • key pinning for sources
  • deprecation of some library functions
  • support for IDN domains

Whats also very nice is that apt is now the exact same version on Ubuntu and Debian (no more delta between the packages)!

If you want to know more, there is nice video from David Kalnischkies Debconf 2015 talk about apt at https://summit.debconf.org/debconf15/meeting/216/this-apt-has-super-cow-powers/. Julian Andres Klode also wrote about the new apt some weeks ago here.

The (impressive) full changelog is available at http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_1.1.3_changelog. And git has an even more detailed log if you are even more curious :)

Enjoy the new apt!

Passhash sha512crypt

November 28, 2015

I added sha512crypt support to the PassHash firefox extension a while ago to make attacking PassHash even more difficult. It uses the glibc 5000 rounds default. If you happen to use PassHash you should consider upgrading to this schema.

apt 1.0

April 4, 2014

APT 1.0 was released on the 1. April 2014 [0]! The first APT version was announced on the 1. April exactly 16 years ago [1].

The big news for this version is that we included a new “apt” binary that combines the most commonly used commands from apt-get and apt-cache. The commands are the same as their apt-get/apt-cache counterparts but with slightly different configuration options.

Currently the apt binary supports the following commands:

  • list: which is similar to dpkg list and can be used with flags like
    --installed or --upgradable.
  • search: works just like apt-cache search but sorted alphabetically.
  • show: works like apt-cache show but hide some details that people are less likely to care about (like the hashes). The full record is still available via apt-cache show of course.
  • update: just like the regular apt-get update with color output enabled.
  • install,remove: adds progress output during the dpkg run.
  • upgrade: the same as apt-get dist-upgrade –with-new-pkgs.
  • full-upgrade: a more meaningful name for dist-upgrade.
  • edit-sources: edit sources.list using $EDITOR.

Here is what the new progress looks like in 1.0:

You can enable/disable the install progress via:

# echo 'Dpkg::Progress-Fancy "1";' > /etc/apt/apt.conf.d/99progressbar

If you have further suggestions or bugreport about APT, get in touch and most importantly, have fun!

apt versions/release special modifiers

October 23, 2013

Recently the ansible apt module got fnmatch (shell) style wildcard support for installing packages. Aparently this broke the workflow for some users who passed a “*” via a variable to apt to get the candidate version installed.

A more descriptive way of achiving this is to use the one of the special words “candidate”, “installed”, “newest” in the version tag or in the release tag.

For example you can write:

# apt-get install ansible/newest
# apt-get install 2vcard=candidate

As in the ansible case, this can be a useful default for script that calcuclate a version and need to fallback to a default.

apt 0.9.12

October 12, 2013

The recently released apt 0.9.12 contains a bunch of good stuff, bugfixes and cleanups. But there are two new feature I particularly like.

The first is the new parameter “–with-new-pkgs” for the upgrade

# apt-get upgrade --with-new-pkgs

that will install new dependencies on the upgrade but never remove
packages. A typical use-case is a stable system that gets a kernel
with a new kernel ABI package.

The second is “–show-progress” for
install/remove/upgrade/dist-upgrade which will show inline progress
when dpkg is running to indicate the global progress.

# apt-get install --show-progress tea
Selecting previously unselected package tea-data.
(Reading database ... 380116 files and directories currently installed.)
Unpacking tea-data (from .../tea-data_33.1.0-1_all.deb) ...
Progress: [ 10%]
Progress: [ 20%]
Progress: [ 30%]
Selecting previously unselected package tea.
Unpacking tea (from .../tea_33.1.0-1_amd64.deb) ...
Progress: [ 40%]
Progress: [ 50%]
Progress: [ 60%]
Processing triggers for doc-base ...
Processing 2 added doc-base files...
Registering documents with scrollkeeper...
Processing triggers for man-db ...
Setting up tea-data (33.1.0-1) ...
Progress: [ 70%]
Progress: [ 80%]
Setting up tea (33.1.0-1) ...
Progress: [ 90%]
Progress: [100%]

For the install progress, there is also a new experimental option
“Dpkg::Progress-Fancy”. It will display a persistent progress status bar in the last terminal line. This works like this:

# apt-get -o Dpkg::Progress-Fancy=true install tea


This kind of information is obviously most useful on complex operations like big installs or (release) upgrades.

Interessting new project: App Grid

September 24, 2013

My friend Peter (Kiwinote) has a very interessting new project called AppGrid. Its a replacement for the ubuntu software center written from scratch. Peter contributed a lot to the original software-center so he knows the problem domain quite well. You should give it a try, it can be added via:

$ sudo add-apt-repository -y ppa:appgrid/stable
$ sudo apt-get update && sudo apt-get install -y appgrid

Then it can be found in the dash as “App Grid”. I hope you like it!

The django.test.client.Client

July 19, 2013

I like django and the more I work with it, the more I like it :)

For a unittest I needed to simulate requests coming from different remote addresses. And the django.test.client.Client makes this pretty easy:

class DistributedTestClient(Client):
    def request(self, **request):
        request["REMOTE_ADDR"] = "192.168.%i.%i" % (random.randint(1,254), random.randint(1,254))
        return super(DistributedTestClient, self).request(**request)

class DistributedClientkTestCase(TestCase):
    client_class = DistributedTestClient
    def test_distributed_meep(self):

Thanks django!

sha512crypt for node

July 7, 2013

I implemented sha512crypt in nodejs here.

$ ./demo.js pass salt

$ python -c 'import crypt; crypt.crypt("pass", "$6$salt")

With that, I plan to extend the PassHash firefox plugin to use that as the default algorithm for the password generation.

rapt (restricted apt wrapper)

June 26, 2013

One of the projects I created a while ago is called “rapt (restricted apt)“. As I was asked about it on irc about recently I thought I should mention it here as well :)

It is a python-apt app that will allow regular users to install/update software or install build-depends via sudo without giving them full root access. rapt will ensure that there is no interaction (like conffile prompts or debconf) that might allow the user to get a rootshell. It allows blacklisting and with a suiteable sources.list it is a easy way to give limited access to more trusted users. One use-case is to allow developers to install build dependencies on a staging machine.

You can install it via

$ bzr branch lp:rapt

and just run the binary via sudo (and a sudoers file that allows to run it). All it needs is python and python-apt (which is installed on most system anyway).

PassHash sha512 support

June 9, 2013

I added sha512 support to the PassHash firefox extension here (and added pull request to get it into the upstream branch). I felt its important to do this after reading this article.


Get every new post delivered to your Inbox.