Re: apt-get may accept inconsistent data

To: debian-security@lists.debian.org
Subject: Re: apt-get may accept inconsistent data
From: "Cameron Dale" <camrdale@gmail.com>
Date: Thu, 8 May 2008 08:09:42 -0700
Message-id: <[🔎] f4438a6a0805080809j63622ed5r53f86517e2715551@mail.gmail.com>
In-reply-to: <[🔎] 871w4dibbv.fsf@frosties.localdomain>
References: <[🔎] 20080503160045.GA10480@phi.pq.pi4tel.de> <[🔎] 87k5ib2ldv.fsf@frosties.localdomain> <[🔎] 20080504124759.GB12273@phi.pq.pi4tel.de> <[🔎] 87ej8ihv38.fsf@frosties.localdomain> <[🔎] 20080504175821.GC12273@phi.pq.pi4tel.de> <[🔎] 87abj5k6yi.fsf@frosties.localdomain> <[🔎] f4438a6a0805061020u431eb783kf88c2329a9ebaad5@mail.gmail.com> <[🔎] 871w4dibbv.fsf@frosties.localdomain>

On 5/7/08, Goswin von Brederlow <goswin-v-b@web.de> wrote:
> "Cameron Dale" <camrdale@gmail.com> writes:
>  > 3) getting an HTTP 304 response may be faster than hashing a 20 MB
>  > file, especially considering that a request may need to be sent after
>  > finding an out of date hash
>
> It may be faster but not authorative. Also on 99.9% of all systems the
>  time to checksum 20MB is neglible. And on others it is probably
>  insignificant compared to a following apt-get upgrade call.

It should be authoritative, the only reason it's not would be a broken
proxy, which isn't really apt's or the mirror's fault.

For the record, on a reasonably fast machine:

$ time sha1sum \
       ftp.us.debian.org_debian_dists_unstable_main_binary-amd64_Packages
cff59b58caf8b870f9514bf907a365b262b6a9bc
ftp.us.debian.org_debian_dists_unstable_main_binary-amd64_Packages

real    0m0.901s
user    0m0.288s
sys     0m0.076s

That's longer than a 304 request would take to come back, and if the
hash is old then a download request would have to be sent anyway,
whereas the original request would return the new file immediately.

Cameron

Reply to:

Follow-Ups:
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>

References:
- apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: Stefan Tichy <dlist@pi4tel.de>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: apt-get may accept inconsistent data
  - From: "Cameron Dale" <camrdale@gmail.com>
- Re: apt-get may accept inconsistent data
  - From: Goswin von Brederlow <goswin-v-b@web.de>

Prev by Date: Re: securing server
Next by Date: Re: apt-get may accept inconsistent data
Previous by thread: Re: apt-get may accept inconsistent data
Next by thread: Re: apt-get may accept inconsistent data
Index(es):
- Date
- Thread