
Re: apt-get may accept inconsistent data



"Cameron Dale" <camrdale@gmail.com> writes:

> On 5/7/08, Goswin von Brederlow <goswin-v-b@web.de> wrote:
>> "Cameron Dale" <camrdale@gmail.com> writes:
>>  > 3) getting an HTTP 304 response may be faster than hashing a 20 MB
>>  > file, especially considering that a request may need to be sent after
>>  > finding an out of date hash
>>
>> It may be faster but not authoritative. Also on 99.9% of all systems the
>>  time to checksum 20MB is negligible. And on others it is probably
>>  insignificant compared to a following apt-get upgrade call.
>
> It should be authoritative, the only reason it's not would be a broken
> proxy, which isn't really apt's or the mirror's fault.

Or the timestamp on the mirror is wrong, on any mirror along the
mirror path. Or there is a man-in-the-middle attack going on.

Security-wise, the HTTP cannot be trusted.

MfG
        Goswin
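
The point argued in this message, as an added example that is not part of the original e-mail and is not apt's own code: the decision to keep a cached index file rests on the hash and size listed in the Release file, and an HTTP 304 is treated only as a hint. It assumes the Release text has already had its signature verified; the function names and the sample Release and Packages contents are constructed for illustration.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line is a field header; it opens or closes the section.
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries

def cached_index_is_current(release_text, path, cached_bytes):
    """True only if the cached bytes match the size and hash the Release lists.

    Assumption: release_text was signature-checked before this call.
    """
    entry = parse_release_sha256(release_text).get(path)
    if entry is None:
        return False  # not listed in the signed metadata: never accept
    digest, size = entry
    if len(cached_bytes) != size:
        return False
    return hashlib.sha256(cached_bytes).hexdigest() == digest

def decide(http_status, release_text, path, cached_bytes):
    """Return 'keep' or 'refetch'. http_status is deliberately not consulted:
    a 304 from a stale mirror, broken proxy or tampered connection proves nothing."""
    if cached_index_is_current(release_text, path, cached_bytes):
        return "keep"
    return "refetch"

# Constructed sample data: an out-of-date cached Packages file and a Release
# that lists the newer one.
PATH = "main/binary-i386/Packages"
OLD = b"Package: demo\nVersion: 1.0\n"
NEW = b"Package: demo\nVersion: 1.1\n"
RELEASE = (
    "Origin: Example\nSuite: unstable\nSHA256:\n"
    f" {hashlib.sha256(NEW).hexdigest()} {len(NEW)} {PATH}\n"
)

if __name__ == "__main__":
    print(decide(304, RELEASE, PATH, OLD))  # stale cache despite the 304
    print(decide(304, RELEASE, PATH, NEW))  # cache matches the signed metadata
```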

