apt-zeroconf team mailing list archive

Re: Updates on AZC


On Sat, Jun 27, 2009 at 6:18 PM, jeremy austin-bardo<ausimage@xxxxxxxxxx> wrote:
> Jordan...
>> Doesn't apt/dpkg already check? I don't think, but could be wrong,
>> that apt-zeroconf proxies the sources.list, so the Packages and Sources
>> files should contain the checksums for the .debs. All apt-zeroconf is
>> doing is serving files as I understand it; if the file is bad, apt
>> should complain.
> call me thinking too deeply...
>
>
> Currently AZC checks to see that the path ends with deb and passes only
> the file name for comparison with what is in the caches.
>
> SITUATIONS:
> Jack downloads a file from an alternate repository to try...
> unbeknownst to him, the package name is exactly the same as on an official
> repository. Now if Jill uses his AZC cache to download the official
> package, is she going to receive the official package or his unofficial one?

I think Jill will receive his unofficial package, but I don't think it
should install.

> John decides to have fun with Mary. He places a broken or incorrect
> package in his apt-cache with the same package name as Mary is going to
> pull. Now is she going to receive the official package or his bad
> package?

OK, so I just played around with this. I took a .deb and modified it
both by switching it with a different .deb and by actually
unpacking/modifying/repacking the .deb. dpkg -i installed the "bad"
.debs just fine, but apt/synaptic checked the checksum and/or filesize
and re-downloaded the correct .deb. So I guess dpkg is pretty
insecure (not too surprised), but apt has some safeguards.

> Or is there a weakness with the apt-cache all around?

I would think it would be a general weakness, yes, but not
insurmountable. Here are some thoughts on things that might be nice:

1) server-side: before delivering a .deb, apt-zeroconf could check the
checksum against its own Packages files. This would ensure that it's
at least delivering a .deb it knows about.
2) client-side: apt-zeroconf could check the checksum against its
Packages files. This would ensure that the client machine is getting
what it expects.
3) as sort of an added feature, I wonder if apt-zeroconf should share
sources.list info? One could imagine sharing repo information in
addition to just .deb files. Especially in the age of PPAs and many ISV
3rd-party repos, I could see the usefulness of sharing repo info. The
problem in your first scenario is that sharing .debs is only half of
the package management info; the .deb sources are the other half.

-Jordan
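The two checksum checks proposed in points 1 and 2 above, worked through as an added example (this is illustrative code written for this archive page, not apt-zeroconf's own code): parse a Packages index into a lookup keyed by the .deb's base name (which is all AZC passes around), then accept a candidate file only if its Size and SHA256 match some entry. The Packages stanzas and the "package contents" are constructed byte strings standing in for real .deb archives; the index is generated from them so the example runs offline. The same function serves as the server-side gate (run against the serving peer's index) and the client-side gate (run against the requesting machine's index), which is what makes the first scenario come out right: Jack's peer, which has the PPA in its sources, will happily serve the PPA build, but Jill, whose index only knows the official build, rejects it. It also covers the second scenario, since a tampered copy matches nothing. Note that this only binds a .deb to the Packages file; trust in the Packages file itself still rests on apt's signed Release files, which is outside this example.

```python
"""Checksum gate for peer-served .debs, keyed by base name as apt-zeroconf does.

Hypothetical example code, not part of apt-zeroconf. All package contents and
Packages stanzas below are constructed for the example.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed stand-ins for .deb archive bytes (not real packages).
OFFICIAL_FOO = b"official build of foo 1.0-1"
PPA_FOO = b"PPA build of foo 1.0-1, published under the same file name"
TAMPERED_FOO = OFFICIAL_FOO + b"\x00"  # John's broken copy of the official .deb

BASENAME = "foo_1.0-1_all.deb"


def stanza(package: str, version: str, filename: str, data: bytes) -> str:
    """Emit one Packages stanza for constructed contents (Size and SHA256 are derived)."""
    return (
        f"Package: {package}\n"
        f"Version: {version}\n"
        f"Architecture: all\n"
        f"Filename: {filename}\n"
        f"Size: {len(data)}\n"
        f"SHA256: {hashlib.sha256(data).hexdigest()}\n"
        f"Description: constructed example package\n"
        f" second line of a folded field, to exercise continuation parsing\n"
    )


# Two repositories publishing the same base name with different contents.
OFFICIAL_INDEX = stanza("foo", "1.0-1", f"pool/main/f/foo/{BASENAME}", OFFICIAL_FOO)
PPA_INDEX = stanza("foo", "1.0-1", f"pool/main/f/foo/{BASENAME}", PPA_FOO)


def parse_packages(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse Packages (blank-line separated 'Key: value' stanzas) into basename -> entries.

    Several entries may share a base name (first scenario above), so each key maps
    to a list of candidates rather than a single entry.
    """
    index: Dict[str, List[Dict[str, str]]] = {}
    entry: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines() + [""]:  # trailing "" flushes the final stanza
        if not line.strip():
            if "Filename" in entry:
                index.setdefault(os.path.basename(entry["Filename"]), []).append(entry)
            entry, last_key = {}, None
        elif line[0] in " \t" and last_key is not None:
            entry[last_key] += "\n" + line.strip()  # folded continuation line
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            entry[last_key] = value.strip()
    return index


def verify_deb(index: Dict[str, List[Dict[str, str]]], basename: str, data: bytes) -> Tuple[bool, str]:
    """Accept `data` for `basename` only if Size and SHA256 match an entry in `index`.

    Size is compared first because it is free; the hash is computed once.
    """
    candidates = index.get(basename, [])
    if not candidates:
        return False, "not listed in any Packages file"
    sized = [e for e in candidates if e.get("Size") == str(len(data))]
    if not sized:
        return False, "size matches no listed entry"
    digest = hashlib.sha256(data).hexdigest()
    for e in sized:
        if e.get("SHA256", "").lower() == digest:
            return True, f"matches {e['Filename']} version {e.get('Version')}"
    return False, "SHA256 matches no listed entry"


def jack_serves(data: bytes) -> bool:
    """Server-side gate (point 1): Jack's peer knows both the official repo and the PPA."""
    return verify_deb(parse_packages(OFFICIAL_INDEX + "\n" + PPA_INDEX), BASENAME, data)[0]


def jill_accepts(data: bytes) -> bool:
    """Client-side gate (point 2): Jill's machine only has the official Packages file."""
    return verify_deb(parse_packages(OFFICIAL_INDEX), BASENAME, data)[0]


if __name__ == "__main__":
    for label, blob in [("official", OFFICIAL_FOO), ("ppa", PPA_FOO), ("tampered", TAMPERED_FOO)]:
        print(f"{label:9} served by Jack: {jack_serves(blob)!s:5} accepted by Jill: {jill_accepts(blob)}")
```

Run it as-is to see the three outcomes: the official build passes both gates, the PPA build passes Jack's gate but not Jill's, and the tampered copy passes neither. A real deployment would read the index from `/var/lib/apt/lists/*_Packages` and hash the file on disk before answering the HTTP request.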


