
Bug#945283: users should check whether they get same packages as all other users get



Package: apt
Version: 1.8.2

it would be good if users of linux distributions generally checked, at
least from time to time, whether they get the same packages as all
other users get. that would make distribution owners and admins more
afraid to serve malware only to some of their users.

how can it be done? when "apt update" runs, i think it downloads the
"release" and "packages" files. the "release" file has hashes of
several "packages" files for different cpu architectures, and each
"packages" file has hashes of packages. when "apt upgrade" runs, it
probably calculates the downloaded package's hash and checks it against
the hash in the "packages" file. so, in order to serve a package with
malware to a user, distribution/repository admins would also have to
serve wrong "packages" and "release" files to him. so, if the user
checks that the "release" file is ok, that is enough; he can be sure
that the packages are also ok. he should download the "release" file
from several independent mirrors and compare them. if the version from
a mirror differs from the version from the distribution's server, then,
if the signature of the files is ok, it means that the distribution
served him a wrong file.

but debian's policy is not like this. see
https://www.debian.org/mirror/ftpmirror.en.html :
"The debian-security/ archives contain the security updates released
by the Debian security team. While it sounds interesting to everyone,
we do not recommend to our users to use mirrors to obtain security
updates and instead ask them to directly download them from our
distributed security.debian.org service. We recommend debian-security
not be mirrored."

why is the policy like this? the problem this policy solves is that
mirrors can stay out of date for a long time, thus keeping users
vulnerable. i think there are alternative ways to solve this problem.
release files include a date. apt could get the release file from a
mirror and also from debian's own server, check whether there are new
updates in debian's own server's version, and see how old, actually,
the mirror version is compared to the new updates.

this policy of recommending the use of only one central repository is
not very good. it looks like
"Grand-mamma, what great arms you have got!"
"That is the better to hug thee, my dear."
in the Little Red Riding Hood fairy tale (
https://en.wikisource.org/wiki/Little_Red_Riding_Hood ). it is as if
debian says "users, you must trust us". but debian is not as trusted
by users as a grandma is. from the point of view of users, debian may
have to send malware to some users by government request. speaking of
all distributions, there may be malicious distributions.

all packages are published in source and binary forms, so people can
check them later and find bugs, and thus malicious and bad-quality
distributions can be caught and trust in different distros can be
formed. but the advantages of publicity for becoming aware of spyware
are lost if users generally do not check whether they get the same
files as all other users do; in that case, if admins send malware only
to some users while serving good packages to other users, that malware
has a high chance of not being caught.

i think package hashes should better be automatically checked against
different independent hash mirrors.
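
One way to do the cross-mirror check the report describes, written here as an added example (it is not code from the bug report or from apt): it reads the Date field and the SHA256 block of two Release files, reports which index hashes differ between the primary server's copy and a mirror's copy, and how many hours the mirror lags behind. The Release bodies and digests below are constructed, abbreviated placeholders; signature verification is left to apt.

```python
from datetime import datetime

def parse_release(text):
    """Return (date, {path: sha256}) from a Release/InRelease file body.
    Only the Date field and the SHA256 block are read; real files also carry
    MD5Sum/SHA1 blocks and a signature, which apt verifies separately."""
    date, hashes, in_sha256 = None, {}, False
    for line in text.splitlines():
        if line.startswith("Date:"):
            date = datetime.strptime(line[5:].strip(), "%a, %d %b %Y %H:%M:%S %Z")
        elif not line.startswith(" "):        # any new field ends the SHA256 block
            in_sha256 = line.strip() == "SHA256:"
        elif in_sha256:                        # " <hex digest> <size> <path>"
            digest, _size, path = line.split()
            hashes[path] = digest
    return date, hashes

def compare_releases(reference, mirror):
    """Compare a mirror's Release with the copy taken from the primary server.
    Returns index paths whose SHA256 differs, paths the mirror lacks, and how
    many hours the mirror lags the reference (None if a Date field is missing)."""
    ref_date, ref = parse_release(reference)
    mir_date, mir = parse_release(mirror)
    lag = None
    if ref_date and mir_date:
        lag = (ref_date - mir_date).total_seconds() / 3600
    return {
        "differ": sorted(p for p in ref if p in mir and ref[p] != mir[p]),
        "missing": sorted(p for p in ref if p not in mir),
        "lag_hours": lag,
    }

# Constructed, abbreviated Release bodies (digests are placeholders, not real).
REFERENCE = """Origin: Debian
Suite: stable
Date: Sat, 07 Dec 2019 10:00:00 UTC
SHA256:
 aaaa1111 100 main/binary-amd64/Packages
 bbbb2222 200 main/binary-arm64/Packages
"""
# a mirror one day behind, still serving the previous amd64 index
STALE_MIRROR = REFERENCE.replace("Sat, 07 Dec", "Fri, 06 Dec").replace("aaaa1111", "aaaa0000")
# a mirror with the same date but a different arm64 index hash
TAMPERED_MIRROR = REFERENCE.replace("bbbb2222", "cccc3333")

if __name__ == "__main__":
    print("stale:   ", compare_releases(REFERENCE, STALE_MIRROR))
    print("tampered:", compare_releases(REFERENCE, TAMPERED_MIRROR))
```

A differing hash on a mirror whose Date is not older than the reference is the case the report worries about; a stale mirror shows both an older Date and older hashes.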

