Re: apt-get may accept inconsistent data

To: debian-security@lists.debian.org
Subject: Re: apt-get may accept inconsistent data
From: Bjørn Mork <bmork@dod.no>
Date: Mon, 05 May 2008 14:08:45 +0200
Message-id: <[🔎] 87tzhd54xe.fsf@obelix.mork.no>
References: <[🔎] 20080503160045.GA10480@phi.pq.pi4tel.de> <[🔎] 87k5ib2ldv.fsf@frosties.localdomain> <[🔎] 20080504124759.GB12273@phi.pq.pi4tel.de> <[🔎] 87ej8ihv38.fsf@frosties.localdomain> <[🔎] 20080504175821.GC12273@phi.pq.pi4tel.de> <[🔎] 87abj5k6yi.fsf@frosties.localdomain> <[🔎] 20080505104705.GB14114@phi.pq.pi4tel.de>

Stefan Tichy <dlist@pi4tel.de> writes:
> On Mon, May 05, 2008 at 01:03:33AM +0200, Goswin von Brederlow wrote:
>> I ment what Release file. Because the etch security one does have the
>> md5sums of Packages in it.
>
> This has been modified too and the md5sum listed for the packages
> file has changed.
>
>> > apt-get sends a http GET request for Packages.bz2. Part of this
>> > request is this information:
>> >
>> >   Cache-Control: max-age=0  If-Modified-Since: Sun, 27 Apr 2008 09:15:01 GMT
>
> Cache-Control: max-age=0
> If-Modified-Since: Sun, 27 Apr 2008 09:15:01 GMT
>
>
> If apt-get would send this instead, squid would work as expected:
>
> Cache-Control: must-revalidate

must-revalidate is only valid in a server response.  See RFC2612 section
14.9.  Using "Cache-Control: max-age=0" is the correct way for a client
to force cache revalidation.  This sounds like a squid bug.  You may
work around it, but let's just face it: If you accept a buggy proxy,
then there is no way to ensure valid content.



Bjørn
-- 
I mean, your narrow-mindedness is matched only by your
narrow-mindedness

Reply to:

References:
- apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>

Prev by Date: Re: apt-get may accept inconsistent data
Next by Date: Re: [SECURITY] [DSA 1550-1] New suphp packages fix local privilege escalation
Previous by thread: Re: apt-get may accept inconsistent data
Next by thread: Re: apt-get may accept inconsistent data
Index(es):
- Date
- Thread