On Thu, Dec 04, 2025 at 06:33:08PM +1100, Trent W. Buck wrote:
> I thought/hoped apt could validate the sha512 + length of Packages.zst
> *before* decompression, and

It does, to e.g. protect against an attacker sending you a decompression
bomb or exploiting the decompression in some other fancy way.

> therefore wouldn't need to also validate the sha512 + length of Packages
> *after* decompression.

As a way of checking that the decompression worked it does this, too.
(*mumbling something about 'Defense in depth'*)

It is also a handy way of keeping the checksum around for later. A future
apt run will skip downloading unchanged Packages files, but it can only
know that with the uncompressed hashes, as the compressed hashes are not
stable. If the repository offers pdiffs as a way of updating the indexes,
the hash is also used to find the patch(es) we have to apply. Both could
be done by calculating the hash on the fly, of course.

APT doesn't do it currently, but if we wanted to verify that what we have
on disk is really what we should have and not somehow modified/corrupted,
we need a hash again (and stored there it can not be tampered with
easily), and the compressed hashes will produce false positives if client
and server use e.g. different (versions of) (compression level options
of) compressors.

> So I think the existing behaviour (always checking the uncompressed
> sum+length) is reasonable.

Making this a feature request for apt-ftparchive to dispose of the
uncompressed file (or not writing it to disc to begin with) seems also
reasonable – which Julian made of this now.

Best regards

David Kalnischkies
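The two-stage check David describes above (hash and size of the compressed index before decompression, then hash and size of the decompressed result, with only the latter being a stable identity for the index) as an added example. This is not apt's code and not part of the thread: it uses gzip from the Python standard library instead of zstd, SHA256 instead of sha512, a constructed pair of Packages stanzas, and a hypothetical ReleaseEntry in place of a real Release file. The "different compressor" case is simulated by compressing the same content at a different gzip level and mtime.

```python
"""Two-stage verification of a compressed apt index (added example, not apt code).

Release-file entries, Packages stanzas and the compressor differences are
all constructed here to illustrate the behaviour described in the mail.
"""
import gzip
import hashlib
import zlib
from dataclasses import dataclass


class IntegrityError(Exception):
    """A size or hash did not match what the (signed) Release file promised."""


@dataclass(frozen=True)
class ReleaseEntry:
    """Size and SHA256 of one index file, as a Release file would list it (hypothetical)."""
    size: int
    sha256: str


# Constructed sample index: two short Packages stanzas, not a real archive.
PACKAGES = (
    b"Package: example-tool\nVersion: 1.2.3-1\nArchitecture: amd64\n"
    b"Filename: pool/main/e/example-tool/example-tool_1.2.3-1_amd64.deb\n"
    b"Size: 12345\nSHA256: " + b"00" * 32 + b"\n\n"
    b"Package: example-lib\nVersion: 0.9-2\nArchitecture: amd64\n"
    b"Filename: pool/main/e/example-lib/example-lib_0.9-2_amd64.deb\n"
    b"Size: 6789\nSHA256: " + b"11" * 32 + b"\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def release_entry(data: bytes) -> ReleaseEntry:
    """What the archive tool would record in Release for this file."""
    return ReleaseEntry(len(data), sha256_hex(data))


def compress_index(data: bytes, level: int, mtime: int) -> bytes:
    """Same Packages content, compressed by a 'different' compressor setup.

    The gzip header embeds mtime and the deflate stream depends on the level,
    so two mirrors (or two runs) can ship different bytes for identical content.
    """
    return gzip.compress(data, compresslevel=level, mtime=mtime)


def check(data: bytes, entry: ReleaseEntry, what: str) -> None:
    """Size first (cheap, catches truncation), then the hash."""
    if len(data) != entry.size:
        raise IntegrityError(f"{what}: size {len(data)} != expected {entry.size}")
    if sha256_hex(data) != entry.sha256:
        raise IntegrityError(f"{what}: SHA256 mismatch")


def bounded_gunzip(blob: bytes, max_size: int) -> bytes:
    """Decompress gzip data without ever producing more than max_size bytes.

    Output is pulled in bounded chunks (max_length) so a decompression bomb is
    stopped as soon as it exceeds the advertised size, not after filling RAM.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing only
    out = bytearray()
    pending = blob
    while True:
        chunk = d.decompress(pending, max_length=65536)
        out += chunk
        if len(out) > max_size:
            raise IntegrityError(f"decompressed data exceeds advertised {max_size} bytes")
        if d.eof:
            return bytes(out)
        pending = d.unconsumed_tail
        if not chunk and not pending:  # no input left and nothing produced
            raise IntegrityError("truncated gzip stream")


def fetch_index(blob: bytes, compressed: ReleaseEntry, uncompressed: ReleaseEntry) -> bytes:
    """Order of operations for a downloaded Packages.gz."""
    # 1. Verify the bytes on the wire before any decompressor touches them.
    check(blob, compressed, "Packages.gz")
    # 2. Decompress, with the advertised uncompressed size as a hard ceiling.
    data = bounded_gunzip(blob, uncompressed.size)
    # 3. Verify the result; this hash is also the stable identity a later run
    #    compares against to skip re-downloading an unchanged index.
    check(data, uncompressed, "Packages")
    return data


def is_unchanged(local_packages: bytes, uncompressed: ReleaseEntry) -> bool:
    """A later run decides to skip the download on the uncompressed hash only."""
    return (len(local_packages) == uncompressed.size
            and sha256_hex(local_packages) == uncompressed.sha256)


def flip_last_byte(blob: bytes) -> bytes:
    """Simulate a corrupted or tampered download of the same length."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


def zero_bomb(size: int) -> bytes:
    """A small gzip stream that inflates to `size` zero bytes."""
    return gzip.compress(b"\x00" * size, compresslevel=9)


if __name__ == "__main__":
    entry_u = release_entry(PACKAGES)
    blob_a = compress_index(PACKAGES, level=9, mtime=0)
    blob_b = compress_index(PACKAGES, level=1, mtime=1)
    print("compressed bytes differ between mirrors:", blob_a != blob_b)
    local = fetch_index(blob_a, release_entry(blob_a), entry_u)
    print("later run may skip download although mirror ships blob_b:", is_unchanged(local, entry_u))
    try:
        fetch_index(flip_last_byte(blob_a), release_entry(blob_a), entry_u)
    except IntegrityError as e:
        print("rejected before decompression:", e)
    try:
        bounded_gunzip(zero_bomb(8 << 20), max_size=1 << 20)
    except IntegrityError as e:
        print("bomb rejected:", e)
```

The compressed entry is what stops a bomb or a crafted stream from reaching the decompressor at all; the uncompressed entry is what survives a mirror switching compressor versions or levels, which is why a cache-validity or pdiff lookup has to key on it and not on the compressed hash.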