
Re: apt not supporting 301 responses?



On Fri, Oct 05, 2001 at 02:52:06PM -0500, Bryan Andersen wrote:

> Does apt give a sane error message that would help track down the 
> problem, or does it generically complain it can't find the files?  

Err http://ftp.kernel.org woody/main Packages
  301 Moved Permanently
Failed to fetch
http://ftp.kernel.org/debian/dists/woody/main/binary-powerpc/Packages
301 Moved Permanently

that's it.

> If it gave an error message with the reply from the server I'd say 

it does not.  I had to use a web browser to find out what the redirect
was to.

> leave it alone.  One NEEDS to get the urls updated in the 
> configuration file.  What happens after a while when the original 
> server with the redirects goes away?  Then the user has no idea 
> where the packages went.  I don't think it should follow the 
> redirects.  It should inform the user of the redirects and let the 
> user update the configuration file.  If you want it to follow the 
> redirects it should notify the user and ask permission to do so.  
> It should not blindly follow them.  

agreed.

> This issue also delves into security related issues quite quickly 
> as one could modify the config file on a server and have it 
> redirect to another server to distribute trojaned code.  I don't 
> feel the following of redirects can be silent even if it is on the
> same server.

well maybe, I tend to think if someone has the ability to add a
redirect to the server they probably have sufficient privilege to
start replacing packages with trojans anyway.  the proper solution to
this kind of security threat is gpg signed packages.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
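
Added example, not part of the original message and not apt's own code: a sketch of the behaviour discussed in the thread, where a redirect is reported with its target and whether it leaves the original host, but is never followed. The response bytes are constructed, `mirror.example.org` is a placeholder (the thread does not state the real target), and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the Location value is a placeholder; the thread never
# states the real redirect target.
REQUEST_URL = "http://ftp.kernel.org/debian/dists/woody/main/binary-powerpc/Packages"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://mirror.example.org/debian/dists/woody/main/binary-powerpc/Packages\r\n"
    b"Content-Length: 0\r\n\r\n"
)
REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_redirect(request_url, raw_response):
    """Return (status, absolute_target, cross_host) for a redirect, else None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or not fields[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    status = int(fields[1])
    if status not in REDIRECT_CODES:
        return None
    location = None
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            location = value.strip()
    if not location:
        return status, None, False
    target = urljoin(request_url, location)  # Location may be relative
    same = urlsplit(target).netloc.lower() == urlsplit(request_url).netloc.lower()
    return status, target, not same


def report(request_url, raw_response):
    """Message for the user; the redirect is reported, never followed."""
    result = parse_redirect(request_url, raw_response)
    if result is None:
        return "no redirect"
    status, target, cross_host = result
    if target is None:
        return "%d from %s without a Location header" % (status, request_url)
    scope = "DIFFERENT host" if cross_host else "same host"
    return "%d: %s moved to %s (%s); not followed, update the configured URL" % (
        status, request_url, target, scope)


if __name__ == "__main__":
    print(report(REQUEST_URL, SAMPLE_RESPONSE))
```

Reporting the target only tells the user where the server points; it says nothing about whether the files served there are genuine.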
