Bug#990381: sources.list(5): clarify whether file URI schema is secure or not

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#990381: sources.list(5): clarify whether file URI schema is secure or not
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Sun, 27 Jun 2021 23:16:39 +0200
Message-id: <[🔎] 162482859915.46341.14822106204321757701.reportbug@heisenberg.scientia.net>
Reply-to: Christoph Anton Mitterer <calestyo@scientia.net>, 990381@bugs.debian.org

Package: apt
Version: 2.2.4
Severity: wishlist


Hey.

It would be nice if the sources.list(5) manpage could clarify whether
file URI schema is secure (or not) when the archive is not under local
control by a trusted user.

>From the manpage:
>       copy
>           The copy scheme is identical to the file scheme except that packages
>           are copied into the cache directory instead of used directly at their
>           location. This is useful for people using removable media to copy
>           files around with APT.

So my understanding is that with file:
- at some point the file is verified (apt-secure)
- then read from the specified location directly (not from a cached copy)
  ... and installed

But wouldn't that also mean, that if the (local) user controlling that
location ... or e.g. the NFS owner, could replace the valid file with a
rogue version, right after it has been read the first time (for validation)?


Or is there another validation of the hashes, right when it's read in for
the actual installation?

Cheers,
Chris.

Reply to:

Prev by Date: Bug#910893: apt: Add apt install option to revert conffiles
Next by Date: Bug#990381: sources.list(5): clarify whether file URI schema is secure or not
Previous by thread: Bug#910893: apt: Add apt install option to revert conffiles
Next by thread: Bug#990381: sources.list(5): clarify whether file URI schema is secure or not
Index(es):
- Date
- Thread