[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes

* Eugene V. Lyubimkin [Mon, 05 Jan 2009 23:42:46 +0200]:

> Hello release folks!

Hello, Eugene. (SecTeam please see "Change #1" below.)

> APT team has prepared two important changes in apt, please give us a
> decision(s) whether are they appropriate for Lenny or not.

We realize that apt has seen increased manpower only as of late, but we
feel that introducing sensitive code changes into apt this late in the
release cycle would not be very wise.


> ---------------------------------------------------------
> Change #1 aka "Valid-Until for preventing replay attacks"
> ---------------------------------------------------------

> Motivation of this change is bug #499897, "preventing replay attacks against the security
> archive" [1]. Summary of change:

> 1. Add the support for the Valid-Until header in the Release file.
> 2. Add Acquire::Max-Default-Age configuration option that defaults to 7 days for
> Debian-Security.

> The result of change: APT will refuse to use too outdated Release file at the earliest
> 'update' action after Release expiry. The possible attacker will not allowed to ship the
> same outdated Release (so outdated Packages too) after the date in 'Valid-Until' entry in
> Release file, preventing the attack. In case of absence of this field in Release file,
> option "Acquire::Max-Default-Age::Debian-security" will be used. The default number of
> days for this option, "7", is discussible, of course.

We'd like to hear from the Security Team what they think of this feature
as a candidate for Lenny. If they believe it's extremely important that
we have it in place for Lenny, and they (or somebody delegated by them)
could do a review of the code and test it, we'd be okay with including it.

The final debian-installer upload is going to be soon, though, so we'd
have to seek input from the Debian Installer team as well.

And there is also the option of including it in the first point release,
after a month or two of testing in unstable.

> --------------------------------------------------------
> Change #2 aka "Stop the mess with proxy settings in APT"
> --------------------------------------------------------

> Motivation: set of bug reports [2][3][4][5][6] saying that proxy settings in apt is quite
> a mess and counter-intuitive. Main fault was treating http_proxy and ftp_proxy environment
> variables as more priority ones than APT's Acquire::{ftp,http}::Proxy[::host] settings.
> Moreover, https proxy setting had a strange bug regarding http_proxy is set or not, and
> some proxy info was discarded at all.

> The change unifies proxy settings behavior, removes a mess, and tries to document new
> behavior clearly.

> debian/NEWS file contains following entry regarding this change:

> -8<-
> apt (0.7.21) unstable; urgency=low

>   * Code that determines which proxy to use was changed. Now
>     'Acquire::{http,ftp}::Proxy[::<host>]' options have the highest priority,
>     and '{http,ftp}_proxy' environment variables are used only if options
>     mentioned above are not specified.
> ->8-

> , that describes change and its consequences. Appropriate documentation updates for
> apt.conf(5) included too.

I'd rather not have this change of behavior this late. It is a nice fix,
but apt is too much of a central package, that not touching it sounds
more desirable. Hope that makes sense to you.

And thanks a lot for your work on apt, it was muchly needed. Here's to
more of it!

Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
                                   Listening to: David Bowie - Soul love

Reply to: