← Back to team overview

touch-packages team mailing list archive

[Bug 879943] Re: Synaptic messes sources.list and sources.list.d

 

Thanks for the information!

I am a bit surprised by this approach, which looks weird to me. It's a
service basically deciding it "owns" the content of some files without
telling anyone.

In fact, I've always believed that the configuration is in text files
and not in some private database format precisely to let it be modified
by file editing. Furthermore there are tons of site including
distribution official ones that instruct one to actively edit those text
files to achieve some goals or to solve some problem and this gets
simply broken by the approach taken by the software-properties service.

Shouldn't the service at least place a watch on the files to reread them
and update its vision of the configuration when the files are edited?

Incidentally, where can I find info on this service, the interfaces it
exposes and how to stop it from running?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to software-properties in
Ubuntu.
https://bugs.launchpad.net/bugs/879943

Title:
  Synaptic messes sources.list and sources.list.d

Status in software-properties package in Ubuntu:
  Confirmed

Bug description:
  Consider the following situation

  1) I carefully edit by hand the /etc/sources.list file or the files in /etc/sources.list.d files
  (this is something I do to have them aligned between different machines. In fact it is not a real edit, but a copy from another machine)

  2) Try the lists with apt-get update. Everything is fine.

  3) Start synaptic. Go to the settings window to edit the repos. Go to
  the other software tab.

  4) Do any possible little action. For instance activate and
  disactivate the source repo for ubuntu partners. Assure that your
  action has nothing to do with the changes you made in 1)

  5) See how synaptic has horribly restored the repo list as it was
  before your hand edit.

  6) Exit synaptic and go to the /etc/apt dir. Verify how everything has
  gone back exactly as it was before your hand edit. Repos that you
  erased are there again. Repos you edited have their changes reverted.

  IMHO this is not just wrong, but also very dangerous.
  Suppose that I had added a repo from a third party source.
  Suppose that I then find out that this repo is dangerous. For instance because it replaces some package with a bugged package or a package with a back door.
  Suppose that I consciously restore the package to the original version and I hand erase the crappled repo from my list of repos by removing the corresponding file from the /etc/apt/sources.list.d dir
  Now I feel safe. However, any time I use synaptic I risk having that repo back.

  To me this is a security vulnerability. Anyone can convince me to add
  a test repo to see what is in it. At the time I test that repo can be
  perfectly fine. I test, I remove the repo, I feel safe, the repo gets
  automatically added back by synaptic, the repo owner adds in a package
  that looks like an update to a package that I have in my system and
  without even realizing it I can have my system infected by a malicious
  package.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: synaptic 0.75.2ubuntu8
  ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
  Uname: Linux 3.0.0-12-generic x86_64
  ApportVersion: 1.23-0ubuntu3
  Architecture: amd64
  Date: Sat Oct 22 16:45:31 2011
  InstallationMedia: Kubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
  SourcePackage: synaptic
  UpgradeStatus: Upgraded to oneiric on 2011-10-16 (6 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/879943/+subscriptions