
Bug#690183: ITP: apt-fast -- shellscript wrapper for apt-get or aptitude



Hi

On 11/10/12 16:52, David Kalnischkies wrote:
> On Wed, Oct 10, 2012 at 11:53 PM, Dominique Lasserre
> <lasserre.d@gmail.com> wrote:
>> It uses aria2 or axel as download managers and apt-get --print-uris to get
>> download URLs.
> 
> What it omits is using the checksums included in that output and therefore
> falling victim to MITM attacks as it downloads directly to the archives dir
> which APT considers a safe harbor and so doesn't validate its content again.
> 
> (APT checks the filesize as it is basically a free check, but the time-
>  consuming calculation of checksums is omitted as this was already checked
>  at download time with the move from ./partial/ to its final storage space
>  and wouldn't improve security anyway as you would still have the time
>  between the check and dpkg calling for a local attack …)
Thank you for mentioning that! Checksums are now verified.

> 
> If there is really a need for a different methodology of downloading I would
> suggest to write a new apt-transport-* rather than a wrapper around the
> complete package manager. If people managed to bring bittorrent to APT this
> way, I am sure you can work out how to use your beloved $DOWNLOADMANAGER, too,
> if needed at all (yes, I have my doubts).
> 
> I presume it will be even shorter in size of code, secure and more robust -
> even if you write it in bash, which you can btw: It is a text interface.
> Oh, and try dir::cache::archives="/tmp" and you will know why apt-config has
> flags for these dir options instead of forcing people to build paths by hand.
Those config options are used. apt-fast downloads into
Dir::Cache::archives + "apt-fast" (but yes, you can still change it in the
config file).

> 
> In the meantime feel free to use services like http.debian.net or experiment
> with the mirror apt-transport which both don't depend on you being the only
> "lets add more own 'cars' to the traffic jam to get more through" person
> and the placebo effect.
> 
> 
> Best regards
> 
> David Kalnischkies ~ an "apt-slow" contributor
> 
Hehe (you like to rename apt?), thank you very much for your detailed
explanations!


Regards
Dominique

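The gap David describes above (files dropped straight into Dir::Cache::archives are trusted by APT, which only re-checks their size there) is the one a wrapper has to close itself. The script below is an added example written for this page; it is not apt-fast's code and not anything from the thread. It assumes `apt-get --print-uris` lines have the form `'URI' filename size ALGO:hexdigest` (SHA256 on current apt, MD5Sum on older releases), that the coreutils `sha256sum`/`sha512sum`/`sha1sum`/`md5sum` tools are available, and uses `apt-config shell ... Dir::Cache::archives/d` to resolve the archives directory as David suggests, with a hard-coded fallback when apt-config is absent. The demo data (a six-byte stand-in for a .deb and its real SHA256) is constructed for the example.

```shell
#!/bin/sh
# Added example, not apt-fast's own code. A wrapper that fetches with an
# external downloader must verify the checksum printed by
# `apt-get --print-uris` *before* moving the file into Dir::Cache::archives,
# because APT treats that directory as already verified and only re-checks
# the size there.
# Assumptions: coreutils checksum tools exist, and --print-uris lines look
# like:  'URI' filename size ALGO:hexdigest

# Resolve Dir::Cache::archives via apt-config (the /d suffix makes it emit a
# full directory path) instead of building the path by hand; fall back to the
# Debian default when apt-config is not installed (e.g. outside Debian).
archives_dir() {
    if command -v apt-config >/dev/null 2>&1; then
        eval "$(apt-config shell ARCHIVES Dir::Cache::archives/d)"
        printf '%s\n' "${ARCHIVES:-/var/cache/apt/archives/}"
    else
        printf '%s\n' /var/cache/apt/archives/
    fi
}

# Split one --print-uris line into: uri filename size algo hexdigest
parse_print_uris_line() {
    line=$1
    uri=${line%%\' *}; uri=${uri#\'}          # text between the quotes
    rest=${line#*\' }                         # filename size ALGO:hex
    set -- $rest
    printf '%s %s %s %s %s\n' "$uri" "$1" "$2" "${3%%:*}" "${3#*:}"
}

# Return 0 only if the file has the expected size AND the expected digest.
verify_download() {
    file=$1; size=$2; algo=$3; expected=$4
    actual_size=$(wc -c < "$file" | tr -d ' ')
    [ "$actual_size" -eq "$size" ] || return 1
    case $algo in
        SHA256) actual=$(sha256sum "$file") ;;
        SHA512) actual=$(sha512sum "$file") ;;
        SHA1)   actual=$(sha1sum "$file") ;;
        MD5Sum) actual=$(md5sum "$file") ;;   # what older apt printed
        *)      return 1 ;;                   # unknown algorithm: refuse
    esac
    [ "${actual%% *}" = "$expected" ]
}

# Move a file from the partial/ staging dir into the archives dir only after
# it verified; delete it otherwise so APT never sees the unverified copy.
install_verified() {
    partial_file=$1; dest_dir=$2; size=$3; algo=$4; expected=$5
    if verify_download "$partial_file" "$size" "$algo" "$expected"; then
        mv "$partial_file" "$dest_dir/"
    else
        rm -f "$partial_file"
        return 1
    fi
}

# Constructed demo: a 6-byte stand-in for a .deb and a hand-written
# --print-uris line carrying its real SHA256 (the digest of "hello\n").
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/partial" "$tmp/archives"
    printf 'hello\n' > "$tmp/partial/hello_1.0_all.deb"
    line="'http://deb.debian.org/debian/pool/main/h/hello/hello_1.0_all.deb' hello_1.0_all.deb 6 SHA256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
    set -- $(parse_print_uris_line "$line")
    if install_verified "$tmp/partial/$2" "$tmp/archives" "$3" "$4" "$5"; then
        echo "ok: $2 verified and moved into $tmp/archives"
    else
        echo "refused: $2 failed verification and was removed"
    fi
    rm -rf "$tmp"
}

demo
```

This closes the MITM gap raised in the thread (a tampered or truncated file never reaches the archives dir), but, as David also notes, it does nothing about the window between this check and dpkg opening the file; that is a local-attacker problem the wrapper cannot solve on its own.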