
Bug#338889: Overzealously prefers signed packages to identical unsigned ones



Santiago Vila <sanvila@unex.es> writes:

> On Wed, 23 Nov 2005, Goswin von Brederlow wrote:
>
>> But in the general case it would be nice if apt-get would get the
>> file/size/md5sum from a trusted Packages file and then fetch the deb
>> from an untrusted source if it matches.
>
> On Wed, 23 Nov 2005, Andras Korn wrote:
>
>> [...] if two packages have the same size and md5sum, they can IMO be
>> assumed to have the same signatures too.
>
> Hi.
>
> I agree with Goswin and Andras here. If sources.list is like this:
>
> deb file:/local-repository
> deb http://official-mirror
>
> and package "foo" is in both repositories, and it has the same md5sum,
> the fact that it's authenticated in http://official-mirror should be
> enough to consider it authenticated in file:/local-repository as well.
>
> In other words, apt's internal logic should be changed: It should be
> the md5sum of a package (i.e. "the package itself") that is to be considered
> authenticated or not, not the pair "package foo from repository bar".
>
> Or at least there should be an option for apt to behave in this way.
>
> It does not make much sense that the user has to fiddle with gpg, keys,
> signatures, etc. when everything he wants to do is to have a local
> repository which serves as a cache for packages which are already
> authenticated by other means.
>
> Thanks.

Even more so the same logic should apply to Packages and Sources
files. My sources.list often looks like this:

deb file:/local-mirror sid main contrib non-free
deb-src copy:/local-mirror sid main contrib non-free
deb http://near-official-mirror sid main contrib non-free
deb-src http://near-official-mirror sid main contrib non-free
deb http://ftp.debian.org/debian sid main contrib non-free
deb-src http://ftp.debian.org/debian sid main contrib non-free

It would be really nice if apt-get would only fetch the local
Packages/Sources files and see that the near official mirror and
ftp.debian.org both have the same metafiles.

With pdiff files that would save downloading 24 pdiffs a day and we
all know how long they take. With normal files 12 meta files could be
skipped on a good day (when local is in sync).

MfG
        Goswin
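The check Goswin and Santiago describe above (accept a local, unsigned copy only when its size and checksum match the entry in a signed Packages index), written out as an added Python example that is not part of this thread or of apt: `parse_packages`, `verify_deb` and `check_local_copy` are hypothetical helpers, and the index stanza and file body are constructed. Because MD5 collisions are practical, the check also compares SHA256 whenever the index carries it.

```python
import hashlib

def parse_packages(text):
    """Parse RFC822-style stanzas of a Debian Packages index into
    {package name: {field: value}}; continuation lines (leading space)
    are folded into the preceding field."""
    entries, stanza, last = {}, {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():               # blank line ends a stanza
            if stanza:
                entries[stanza["Package"]] = stanza
            stanza, last = {}, None
        elif line[0] in " \t" and last:    # continuation of previous field
            stanza[last] += "\n" + line.strip()
        else:
            last, _, value = line.partition(":")
            last = last.strip()
            stanza[last] = value.strip()
    return entries

def verify_deb(entry, data):
    """True only if `data` matches the size and every hash the trusted
    index records. MD5 alone is collision-prone, so SHA256 is checked
    whenever the index carries it; an entry with no hash at all fails."""
    if int(entry["Size"]) != len(data):
        return False
    algos = [(f, a) for f, a in (("MD5sum", "md5"), ("SHA256", "sha256")) if f in entry]
    return bool(algos) and all(
        hashlib.new(a, data).hexdigest() == entry[f].lower() for f, a in algos)

def check_local_copy(index_text, package, data):
    """Decide whether an unsigned local copy of `package` may stand in for
    the one a signed index describes: size and all hashes must match."""
    entry = parse_packages(index_text).get(package)
    return entry is not None and verify_deb(entry, data)

# Constructed sample (not a real archive): a stand-in .deb body and a Packages
# stanza whose hashes are derived from it, as a signed index would carry them.
SAMPLE_DEB = b"!<arch>\ndebian-binary   " + b"2.0\n" * 8
TRUSTED_PACKAGES = (
    "Package: foo\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/f/foo/foo_1.0-1_all.deb\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"MD5sum: {hashlib.md5(SAMPLE_DEB).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n"
    "Description: constructed example package\n"
    " details on a continuation line\n"
)
```

A same-size file with one changed byte fails the hash comparison, and a file of different length is rejected before any hash is computed.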


