Archive for November, 2015

APT 1.1 released

November 30, 2015

After 1.5 years of work we released APT 1.1 this week! I’m very excited about this milestone.

The new 1.1 has some nice new features, but it also improves a lot of stuff under the hood. With APT 1.0 we added a lot of UI improvements; this time the focus is on the reliability of the acquire system and the library.

Some of the UI highlights include:

  • apt install local-file.deb works
  • apt build-dep foo.dsc works
  • apt supports most of the common apt-get/apt-cache commands so you save some typing 🙂
  • apt update progress reporting is much more accurate
  • apt-cache showsrc --only-source srcpkgname does the right thing
  • The --force-yes option is split into the more fine grained --allow-{downgrades, remove-essential, change-held} options
  • Documentation and help output improvements
  • apt-mark supports more states
  • Support for deb822 style sources.list.d files

Under the hood:

  • No more “guessing” when fetching files (we did this to support old repository formats); apt only downloads stuff that is listed in the {,In}Release file.
  • support for by-hash index downloads (once the servers support that, no more hashsum-mismatch errors because of proxies or transparent proxies)
  • we support downloading additional files that are opaque for apt itself (like apt-file or appstream data)
  • the acquire system is more atomic and more robust, no more issues with captive portals
  • protection against a class of endless-data attacks from hostile MITM
  • disallow signed repositories from ever becoming unsigned
  • privilege dropping in the acquire methods
  • if {,In}Release did not change, do not bother checking the other indexes (a lot fewer hits on the mirrors for not-modified resources)
  • SRV record support
  • improved policy engine
  • key pinning for sources
  • deprecation of some library functions
  • support for IDN domains
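
The first two items in this list and the endless-data item fit together: an index is fetched only if the Release file lists it, it can be addressed by its hash, and the announced size bounds how much data a client will read. The sketch below is an added example, not apt's own code; the function names and the sample Release text are constructed for illustration, and it assumes the Release file's signature has already been verified.

```python
import hashlib
import posixpath

def parse_release(text):
    """Return (by_hash_enabled, {path: (sha256_hex, size)}) from Release text."""
    by_hash, entries, in_sha256 = False, {}, False
    for line in text.splitlines():
        if line.startswith(" "):              # continuation of a multi-line field
            if in_sha256:
                digest, size, path = line.split()
                entries[path] = (digest, int(size))
            continue
        field, _, value = line.partition(":")
        in_sha256 = field == "SHA256"
        if field == "Acquire-By-Hash":
            by_hash = value.strip().lower() == "yes"
    return by_hash, entries

def by_hash_path(suite, path, digest):
    """Location of an index addressed by its hash instead of its name."""
    return posixpath.join("dists", suite, posixpath.dirname(path),
                          "by-hash", "SHA256", digest)

def verify_index(entries, path, chunks):
    """Accept data only if path is listed and its size and SHA256 match."""
    if path not in entries:
        raise ValueError("not listed in Release: " + path)   # no guessing
    digest, size = entries[path]
    h, seen = hashlib.sha256(), 0
    for chunk in chunks:
        seen += len(chunk)
        if seen > size:                       # stop reading an endless stream
            raise ValueError("more data than Release announced")
        h.update(chunk)
    if seen != size or h.hexdigest() != digest:
        raise ValueError("hash sum mismatch")
    return True

# Constructed sample data (not taken from a real archive).
PACKAGES = b"Package: hello\nVersion: 2.10-1\n"
RELEASE = (
    "Suite: unstable\n"
    "Acquire-By-Hash: yes\n"
    "SHA256:\n"
    " %s %d main/binary-amd64/Packages\n"
) % (hashlib.sha256(PACKAGES).hexdigest(), len(PACKAGES))
```

Because the by-hash path is derived from the hash in the Release file the client already holds, a proxy serving a newer or older Packages file under the plain name can no longer cause a mismatch.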

What's also very nice is that apt is now the exact same version on Ubuntu and Debian (no more delta between the packages)!

If you want to know more, there is a nice video of David Kalnischkies' DebConf 2015 talk about apt at https://summit.debconf.org/debconf15/meeting/216/this-apt-has-super-cow-powers/. Julian Andres Klode also wrote about the new apt some weeks ago here.

The (impressive) full changelog is available at http://metadata.ftp-master.debian.org/changelogs/main/a/apt/apt_1.1.3_changelog. And git has an even more detailed log if you are even more curious 🙂

Enjoy the new apt!

Passhash sha512crypt

November 28, 2015

I added sha512crypt support to the PassHash Firefox extension a while ago to make attacking PassHash even more difficult. It uses the glibc 5000 rounds default. If you happen to use PassHash you should consider upgrading to this schema.