
Re: apt-get may accept inconsistent data



"Cameron Dale" <camrdale@gmail.com> writes:

> On 5/4/08, Goswin von Brederlow <goswin-v-b@web.de> wrote:
>>  But you are right. There is something wrong here that is not squid's
>>  fault:
>>
>>  Apt-get should not even send an "If-Modified" query imho. After
>>  fetching the Release file it already knows with near certainty if the
>>  local file is current or not. It should check the Checksums of the
>>  local file and then either keep it or fetch it. Asking
>>  If-Modified-Since can only lead to triggering a bug like the squid
>>  one.
>
> Having just implemented something like this in my apt-p2p program, I
> can tell you that this is definitely possible. But, in doing it I
> learned why I think apt does not use this method, which may be some
> combination of these issues:
>
> 1) apt doesn't store much state between runs, including not storing
> the hashes of downloaded files

We don't even talk between runs here but let's keep that in mind.

If apt-get fetches a new Release file maybe it should flag the
existing files as "old". It could compare the old and new Release file
to see if any files remained the same and keep them or recheck their
checksums. But it should at least once validate the Packages/Sources
files against the Release file if it fetches a new one. Due to the
squid bug it never does.

> 2) there's no guarantee that a file is unchanged when apt is run again

So maybe it should always be checked on update? If the time for this
is really that valuable make it an option defaulting to on.

> 3) getting an HTTP 304 response may be faster than hashing a 20 MB
> file, especially considering that a request may need to be sent after
> finding an out of date hash

It may be faster but not authoritative. Also on 99.9% of all systems the
time to checksum 20MB is negligible. And on others it is probably
insignificant compared to a following apt-get upgrade call.

> 4) apt downloads compressed Packages files, but only stores the
> uncompressed ones

It also downloads diff files nowadays.

I wonder if the user had diff files deactivated. Or does apt-get check
via HTTP if the Packages file needs updating before fetching the diffs?

> None of these issues are insurmountable of course, but the issue is
> more complicated than it at first seems.
>
> Cameron

MfG
        Goswin
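The check the thread is arguing for, as an added example (this is not apt's or apt-p2p's code): after the client has a trusted Release file, it decides whether to keep or re-fetch each cached index purely from the size and SHA256 that Release lists, never from an HTTP If-Modified-Since answer that a proxy like squid may get wrong. The Release snippet and the two Packages bodies below are constructed sample data; the only real assumption is the Release file layout, where the `SHA256:` block holds one ` <hex> <size> <path>` line per index file. The hash is embedded by computing it in the script so the example runs offline; in practice the hash comes from the signed Release/InRelease file.

```python
"""Keep-or-fetch decision for cached apt indexes, driven by the Release
file's checksums rather than by HTTP caching headers.

Added example, not apt's code. Assumed Release-file layout: a "SHA256:"
block with one " <hex> <size> <path>" line per index file, ended by the
next unindented field. All sample contents are constructed.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample: what the mirror's Packages index currently contains.
CURRENT_PACKAGES = b"Package: foo\nVersion: 1.1\nFilename: pool/main/f/foo_1.1.deb\n\n"
# Constructed sample: an older copy a client may still hold in its lists dir.
# Same length as the current one, so only the hash tells them apart.
STALE_PACKAGES = b"Package: foo\nVersion: 1.0\nFilename: pool/main/f/foo_1.0.deb\n\n"

INDEX_PATH = "main/binary-amd64/Packages"


def _release_text(packages: bytes) -> str:
    """Build a minimal Release file whose SHA256 block describes `packages`.
    Constructed so the example is self-contained; a real Release file also
    carries other hash blocks and is signed (InRelease / Release.gpg)."""
    digest = hashlib.sha256(packages).hexdigest()
    return (
        "Origin: Debian\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {digest} {len(packages)} {INDEX_PATH}\n"
    )


# Constructed sample Release file (assumed already signature-verified).
RELEASE = _release_text(CURRENT_PACKAGES)


def parse_release_sha256(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {path: (sha256_hex, size)} from the SHA256: block of a Release file."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):
            in_block = False  # next unindented field ends the block
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: ignore rather than trust it
        hexdigest, size, path = parts
        entries[path] = (hexdigest.lower(), int(size))
    return entries


def local_index_is_current(release_text: str, path: str, local_content: bytes) -> bool:
    """True iff the local copy of `path` matches both the size and the SHA256
    that the Release file lists for it. An index Release does not mention is
    reported as not current, so the caller re-fetches instead of trusting it."""
    entry = parse_release_sha256(release_text).get(path)
    if entry is None:
        return False
    expected_hex, expected_size = entry
    if len(local_content) != expected_size:
        return False  # cheap size check first; skips hashing an obviously wrong file
    actual_hex = hashlib.sha256(local_content).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)


def plan_fetch(release_text: str, cached: Dict[str, bytes]) -> Dict[str, str]:
    """For every index listed in Release, decide 'keep' (cached copy verified)
    or 'fetch' (missing, wrong size, or wrong hash)."""
    plan: Dict[str, str] = {}
    for path in parse_release_sha256(release_text):
        current = local_index_is_current(release_text, path, cached.get(path, b""))
        plan[path] = "keep" if current else "fetch"
    return plan


if __name__ == "__main__":
    for label, cached in (("fresh cache", CURRENT_PACKAGES), ("stale cache", STALE_PACKAGES)):
        print(label, plan_fetch(RELEASE, {INDEX_PATH: cached}))
```

Because the decision rests on the Release checksums, a proxy that wrongly answers 304 Not Modified cannot make the client keep a stale Packages file; the cheap size comparison also means the 20 MB hash in the thread is only computed when the size already agrees.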

