Re: apt-get may accept inconsistent data
"Cameron Dale" <camrdale@gmail.com> writes:
> On 5/7/08, Goswin von Brederlow <goswin-v-b@web.de> wrote:
>> "Cameron Dale" <camrdale@gmail.com> writes:
>> > 3) getting an HTTP 304 response may be faster than hashing a 20 MB
>> > file, especially considering that a request may need to be sent after
>> > finding an out of date hash
>>
>> It may be faster but not authoritative. Also on 99.9% of all systems the
>> time to checksum 20MB is negligible. And on others it is probably
>> insignificant compared to a following apt-get upgrade call.
>
> It should be authoritative, the only reason it's not would be a broken
> proxy, which isn't really apt's or the mirror's fault.
Or the timestamp on the mirror is wrong, on any mirror along the
mirror path. Or there is a man in the middle attack going on.
Security-wise the HTTP cannot be trusted.
MfG
Goswin