Re: apt-get may accept inconsistent data

To: debian-security@lists.debian.org
Subject: Re: apt-get may accept inconsistent data
From: "Cameron Dale" <camrdale@gmail.com>
Date: Tue, 6 May 2008 10:20:55 -0700
Message-id: <[🔎] f4438a6a0805061020u431eb783kf88c2329a9ebaad5@mail.gmail.com>
In-reply-to: <[🔎] 87abj5k6yi.fsf@frosties.localdomain>
References: <[🔎] 20080503160045.GA10480@phi.pq.pi4tel.de> <[🔎] 87k5ib2ldv.fsf@frosties.localdomain> <[🔎] 20080504124759.GB12273@phi.pq.pi4tel.de> <[🔎] 87ej8ihv38.fsf@frosties.localdomain> <[🔎] 20080504175821.GC12273@phi.pq.pi4tel.de> <[🔎] 87abj5k6yi.fsf@frosties.localdomain>

On 5/4/08, Goswin von Brederlow <goswin-v-b@web.de> wrote:
>  But you are right. There is something wrong here that is not squids
>  fault:
>
>  Apt-get should not even send an "If-Modified" query imho. After
>  fetching the Release file is already knows with near certainty if the
>  local file is current or not. It should check the Checksums of the
>  local file and then either keep it or fetch it. Asking
>  If-Modified-Since can only lead to triggering a bug like the squid
>  one.

Having just implemented something like this in my apt-p2p program, I
can tell you that this is definitely possible. But, in doing it I
learned why I think apt does not use this method, which may be some
combination of these issues:

1) apt doesn't store much state between runs, including not storing
the hashes of downloaded files

2) there's no guarantee that a file is unchanged when apt is run again

3) getting an HTTP 304 response may be faster than hashing a 20 MB
file, especially considering that a request may need to be sent after
finding an out of date hash

4) apt downloads compressed Packages files, but only stores the
uncompressed ones

None of these issues are insurmountable of course, but the issue is
more complicated than it at first seems.

Cameron

Reply to:

Follow-Ups:
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>

References:
- apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>

Prev by Date: Re: [SECURITY] [DSA 1569-1] New cacti packages fix multiple vulnerabilities
Next by Date: Re: [SECURITY] [DSA 1570-1] New kazehakase packages fix execution of arbitrarycode
Previous by thread: Re: apt-get may accept inconsistent data
Next by thread: Re: apt-get may accept inconsistent data
Index(es):
- Date
- Thread