Re: apt not supporting 301 responses?

On Fri, Oct 05, 2001 at 02:52:06PM -0500, Bryan Andersen wrote:

> Does apt give a sane error message that would help track down the 
> problem, or does it generically complain it can't find the files?  

Err http://ftp.kernel.org woody/main Packages
  301 Moved Permanently
Failed to fetch
301 Moved Permanently

that's it.

> If it gave an error message with the reply from the server I'd say 

it does not.  i had to use a web browser to find out what the redirect
was to.

> leave it alone.  One NEEDS to get the urls updated in the 
> configuration file.  What happens after a while when the original 
> server with the redirects goes away?  Then the user has no idea 
> where the packages went.  I don't think it should follow the 
> redirects.  It should inform the user of the redirects and let the 
> user update the configuration file.  If you want it to follow the 
> redirects it should notify the user and ask permission to do so.  
> It should not blindly follow them.  


> This issue also delves into security related issues quite quickly 
> as one could modify the config file on a server and have it 
> redirect to another server to distribute trojaned code.  I don't 
> feel the following of redirects can be silent even if it is on the 
> same server.

well maybe, i tend to think if someone has the ability to add a
redirect to the server they probably have sufficient privilege to
start replacing packages with trojans anyway.  the proper solution to
this kind of security threat is gpg signed packages.

Ethan Benson

Attachment: pgpVicBiDKp_q.pgp
Description: PGP signature
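
The thread's complaint is that the error shows the 301 but not where it points, and that a redirect to a different server deserves the user's attention. As an added example (not part of the original message and not apt's own code), this Python sketch probes each sources.list entry once without following redirects and reports the target. The host names and sample file are constructed, bracketed `[options]` in deb lines are assumed absent, and probing `dists/<suite>/Release` is an assumption about which file to check.

```python
import http.client
from urllib.parse import urlsplit, urljoin

SAMPLE_SOURCES = """\
# constructed sample sources.list
deb http://archive.example.org/debian woody main contrib
deb-src http://mirror.example.net/debian woody main
"""

def parse_sources(text):
    """Return (uri, suite) for every deb/deb-src line, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] in ("deb", "deb-src"):
            entries.append((fields[1], fields[2]))
    return entries

def probe(url, timeout=10):
    """Send one HEAD request; http.client never follows redirects itself."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def describe(url, status, location):
    """Turn a probe result into a message, or None when there is no redirect."""
    if status not in (301, 302, 303, 307, 308):
        return None
    if not location:
        return f"{url}: {status} with no Location header"
    target = urljoin(url, location)  # Location may be relative
    same = urlsplit(target).hostname == urlsplit(url).hostname
    kind = "permanent" if status in (301, 308) else "temporary"
    where = "same host" if same else "DIFFERENT HOST"
    return f"{url}: {kind} redirect ({status}) to {target} [{where}]"

if __name__ == "__main__":
    for uri, suite in parse_sources(SAMPLE_SOURCES):
        url = f"{uri.rstrip('/')}/dists/{suite}/Release"
        try:
            msg = describe(url, *probe(url))
        except (OSError, http.client.HTTPException) as exc:
            msg = f"{url}: {exc}"
        print(msg or f"{url}: no redirect")
```

A permanent redirect means the sources.list entry should be updated by hand; a cross-host target is the case the quoted security concern is about, and signature verification of the archive is what protects against it either way.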
