Re: an idea for next generation APT archive caching
On Fri, 2004-10-22 at 03:36 +0200, Tobias Hertkorn wrote:
> a request for http://yourserver/testing/..../apache....deb will not create a
> hit if requested as http://yourserver/sid/..../apache...deb . Furthermore
> requests to similar mirrors will not create cache hits. So everybody has to
> use the same sources list, down to the same requests by symlinks.

Yep, that's annoying and it's one of the reasons for the flat cache
design in apt-cacher: if clients fetch the same package from different
mirrors it will cause a cache hit since the package names are the same.

However, something that was raised at Debian Miniconf2 (IIRC) was that
this allows cache poisoning: by creating a compromised package and
sticking it on any random web server, a cracker can then fetch the
package themselves through the cache and any user who subsequently
fetches it (even using a genuine mirror in the sources.list) will get
the poisoned package.

Good argument for package signatures.

Cheers :-)

Jonathan Oxer
--
The Debian Universe: Installing, managing and using Debian GNU/Linux
http://www.debianuniverse.com/
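
The poisoning case in the message above follows from keying the cache on the file name alone. As an added example (not apt-cacher's code and not part of the original message), this Python example keeps the flat key but admits a body only when its SHA256 matches a Packages-style index. It assumes that index has already been signature-verified; `VerifyingFlatCache`, the function names, the URLs and the sample bytes are all constructed for illustration.

```python
import hashlib
import posixpath
from urllib.parse import urlsplit

GENUINE = b"constructed stand-in for the genuine .deb bytes"
# Constructed Packages-style stanza; assumed to come from a signature-verified index.
SAMPLE_INDEX = ("Package: apache\nFilename: pool/main/a/apache/apache_1.0_i386.deb\n"
                "SHA256: " + hashlib.sha256(GENUINE).hexdigest() + "\n")

def flat_key(url):
    """Flat-cache key: the file name only, so mirror host and path are ignored."""
    return posixpath.basename(urlsplit(url).path)

def parse_packages_index(text):
    """Return {file name: sha256 hex} from Packages-style stanzas."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:  # skip continuation lines
                name, _, value = line.partition(":")
                fields[name.strip()] = value.strip()
        if "Filename" in fields and "SHA256" in fields:
            index[posixpath.basename(fields["Filename"])] = fields["SHA256"].lower()
    return index

class VerifyingFlatCache:
    """Hypothetical flat cache that admits a body only if it matches the trusted digest."""
    def __init__(self, trusted):
        self.trusted = trusted
        self.store = {}

    def admit(self, url, body):
        key = flat_key(url)
        expected = self.trusted.get(key)
        if expected is None or hashlib.sha256(body).hexdigest() != expected:
            return False  # unknown name or wrong content: never cached
        self.store[key] = body
        return True

    def lookup(self, url):
        return self.store.get(flat_key(url))

if __name__ == "__main__":
    cache = VerifyingFlatCache(parse_packages_index(SAMPLE_INDEX))
    print(cache.admit("http://files.example.net/x/apache_1.0_i386.deb", b"altered bytes"))
    print(cache.admit("http://mirror.example.org/debian/pool/main/a/apache/apache_1.0_i386.deb", GENUINE))
    print(cache.lookup("http://other.example.org/sid/apache_1.0_i386.deb") == GENUINE)
```

Cross-mirror cache hits still work because the key is unchanged; only the admission step depends on the trusted digest.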