
Bug#690183: ITP: apt-fast -- shellscript wrapper for apt-get or aptitude



On Wed, Oct 10, 2012 at 11:53 PM, Dominique Lasserre
<lasserre.d@gmail.com> wrote:
> It uses aria2 or axel as download managers and apt-get --print-uris to get
> download URLs.

What it omits is using the checksums included in that output, and it therefore
falls victim to MITM attacks, as it downloads directly to the archives dir,
which APT considers a safe harbor and so doesn't validate its content again.

(APT checks the filesize as it is basically a free check, but the
 time-consuming calculation of checksums is omitted, as this was already
 checked at download time with the move from ./partial/ to its final storage
 space, and it wouldn't improve security anyway, as you would still have the
 time between the check and dpkg being called for a local attack …)

If there is really a need for a different methodology of downloading, I would
suggest writing a new apt-transport-* rather than a wrapper around the
complete package manager. If people managed to bring bittorrent to APT this
way, I am sure you can work out how to use your beloved $DOWNLOADMANAGER, too,
if needed at all (yes, I have my doubts).

I presume it will be even shorter in code size, secure and more robust,
even if you write it in bash, which you can, btw: it is a text interface.
Oh, and try dir::cache::archives="/tmp" and you will know why apt-config has
flags for these dir options instead of forcing people to build paths by hand.

In the meantime, feel free to use services like http.debian.net or experiment
with the mirror apt-transport, both of which don't depend on you being the only
"let's add more of our own 'cars' to the traffic jam to get more through" person
and the placebo effect.


Best regards

David Kalnischkies ~ an "apt-slow" contributor
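The check the reply says the wrapper omits, as an added example that is not part of this thread, of apt-fast, or of APT itself: a POSIX shell function that takes one line of `apt-get --print-uris` output and compares the size and checksum listed there against the file a download manager fetched, before that file is moved into the archives directory where APT will only re-check its size. The line layout (`'URI' filename size LABEL:hash`) and the set of checksum labels (`MD5Sum`, `SHA1`, `SHA256`, `SHA512`, depending on the apt version) are assumptions about apt's output; the URL and package name in the comment are constructed.

```shell
#!/bin/sh
# Verify a downloaded .deb against the size and checksum that
# `apt-get --print-uris` prints for it. Assumed line layout (constructed
# example; the checksum label differs between apt versions):
#   'http://mirror.example.invalid/pool/main/h/hello/hello_2.10-2_amd64.deb' hello_2.10-2_amd64.deb 56132 SHA256:<hex>

# checksum_tool LABEL: print the coreutils program matching apt's hash label
checksum_tool() {
    case "$1" in
        MD5Sum) echo md5sum ;;
        SHA1)   echo sha1sum ;;
        SHA256) echo sha256sum ;;
        SHA512) echo sha512sum ;;
        *)      return 1 ;;
    esac
}

# verify_print_uris_line "<print-uris line>" <downloaded file>
# Returns 0 only if both the byte count and the checksum match the line;
# 1 on a mismatch, 2 if the checksum label is not recognised.
verify_print_uris_line() {
    line=$1
    file=$2
    # Drop the quoted URI; what remains is: filename size LABEL:hash
    rest=${line#*"' "}
    set -- $rest
    expected_size=$2
    label=${3%%:*}
    expected_hash=${3#*:}

    tool=$(checksum_tool "$label") || {
        echo "unknown checksum type '$label' for $file" >&2
        return 2
    }

    # Size first: cheap, and the same check APT repeats later on its own.
    actual_size=$(wc -c < "$file" | tr -d ' ')
    [ "$actual_size" = "$expected_size" ] || {
        echo "size mismatch for $file: got $actual_size, expected $expected_size" >&2
        return 1
    }

    # Checksum: the check APT skips for files already in the archives dir.
    actual_hash=$("$tool" "$file" | cut -d' ' -f1)
    [ "$actual_hash" = "$expected_hash" ] || {
        echo "checksum mismatch for $file ($label)" >&2
        return 1
    }
    return 0
}

# Usage: verify.sh "<print-uris line>" <file>; only move the file into
# /var/cache/apt/archives/ (or APT's configured archives dir) when this exits 0.
if [ "$#" -eq 2 ]; then
    verify_print_uris_line "$1" "$2"
fi
```

A wrapper would run this once per line of `--print-uris` output, keeping the file in the `./partial/` area until it passes; a file that fails should be deleted rather than retried in place, since APT will trust anything that has already reached the archives directory with the right size.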

