Hello David,

On Sun, 2017-08-20 at 17:51 +0200, David Kalnischkies wrote:
> On Fri, Aug 18, 2017 at 04:33:01PM +0530, Ritesh Raj Sarraf wrote:
> > Currently, our approach has a flaw. It completely misses to validate
> > the Packages files. Instead, just after verifying the Release file, it
> > assumes everything is clean and blindly copies the Packages files.
>
> You are hardly the only one with this problem – and even if you would do
> it 100% secure we as apt developers would probably not be 100% happy
> about it as it means that /var/lib/apt/lists must be handled like
> a public interface as in no changes to the filenaming or even bigger
> changes to the storage (like e.g. compressing the files). Perhaps from
> the apt side we should implement something like "apt-helper
> import-lists-directory" to provide a way out of this mess in the
> long term.
>

Yes. A helper tool like this would be really useful.

> > We may not need this validation for .debs.
>
> You need to do this for debs as well. The quick test just works as
> expected because the deb file has a different filesize than what is
> expected and apt checks the filesize as apt can do it for free while
> checking for file existence and so deletes "obviously" bad files
> silently.
>
> As a workaround for this part, I think (= haven't tried) you can place
> the deb files in partial/ – the download methods should pick up the
> partial file and notice that it is already completely downloaded without
> doing online requests. The files will then take their usual way through
> the verification of checksums and end up in archives/ if everything is
> fine.

Thanks for this information. I'll try this out. This delegation will help a lot.

> That doesn't work for lists/ as Release files are always requested from
> an online source (as apt can't know if it's complete or outdated already)
> and the other files tend to be no longer compressed & you can't be sure
> that if you compress it again, that you would get the same hash (as e.g.
> different versions of a compressor can generate different compatible
> files).

Let me check on it. We download the Packages file in a compressed format. The Release file does list the checksums for all these files. So my plan right now is to validate the downloaded file's checksum against the details mentioned in the Release file.

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
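The check sketched at the end of the message, binding each downloaded index file to the hashes listed in the Release file, as an added example. This is not apt's or apt-offline's code. It assumes the Release file's OpenPGP signature has already been verified separately (that step is out of scope here), reads only the `SHA256:` section of Release, checks the size first (cheap, and a mismatch is conclusive) and then the digest of the exact bytes on disk, never recompressed. The mini-repository it verifies is constructed in a temporary directory, and the function and file names (`build_sample_repo`, `verify_index_files`, the `main/`/`contrib/` paths) are the example's own.

```python
"""Verify downloaded index files against an already signature-checked Release.
Added example, not apt or apt-offline code."""
import gzip
import hashlib
import hmac
import os
import tempfile


def parse_release_hashes(release_text, field="SHA256"):
    """Return {relative_path: (hexdigest, size)} from one hash section of Release.

    Release lists files as ' <hash> <size> <path>' under headers such as
    'MD5Sum:', 'SHA1:' and 'SHA256:'; only the requested section is read."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):           # a header line ends any section
            in_section = line.rstrip() == field + ":"
            continue
        if not in_section:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed hash line: %r" % line)
        digest, size, path = parts
        entries[path] = (digest.lower(), int(size))
    return entries


def sha256_of(path):
    """SHA256 of the file exactly as stored (never decompress/recompress)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_index_files(lists_dir, release_text, wanted):
    """Check each wanted path under lists_dir against the Release hashes.

    Returns {path: status}, status being 'ok', 'unlisted', 'missing',
    'size-mismatch' or 'hash-mismatch'. A size match alone is never 'ok'."""
    expected = parse_release_hashes(release_text)
    results = {}
    for rel in wanted:
        if rel not in expected:
            results[rel] = "unlisted"       # Release does not vouch for it at all
            continue
        local = os.path.join(lists_dir, rel)
        if not os.path.isfile(local):
            results[rel] = "missing"
            continue
        digest, size = expected[rel]
        if os.path.getsize(local) != size:
            results[rel] = "size-mismatch"
            continue
        ok = hmac.compare_digest(sha256_of(local), digest)
        results[rel] = "ok" if ok else "hash-mismatch"
    return results


def build_sample_repo(root):
    """Write a constructed mini-repository and return its Release text.

    Stand-in for what a mirror serves; in real use the Release text comes
    from the signed (and verified) Release/InRelease file."""
    bodies = {  # constructed sample Packages stanzas
        "main/binary-amd64/Packages.gz": b"Package: hello\nVersion: 2.10-1\n\n",
        "contrib/binary-amd64/Packages.gz": b"Package: foo\nVersion: 1.0-1\n\n",
    }
    lines = ["Suite: stable", "Codename: stretch", "SHA256:"]
    for rel, plain in bodies.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        data = gzip.compress(plain)   # hash the bytes actually written
        with open(path, "wb") as fh:
            fh.write(data)
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), rel))
    return "\n".join(lines) + "\n"


def demo():
    """Verify the clean repo, then tamper with one file (same size) and re-verify."""
    wanted = ["main/binary-amd64/Packages.gz",
              "contrib/binary-amd64/Packages.gz",
              "non-free/binary-amd64/Packages.gz"]   # not listed in Release
    with tempfile.TemporaryDirectory() as root:
        release = build_sample_repo(root)
        clean = verify_index_files(root, release, wanted)
        victim = os.path.join(root, "contrib/binary-amd64/Packages.gz")
        with open(victim, "rb") as fh:
            data = bytearray(fh.read())
        data[-1] ^= 0xFF                  # flip one byte, size unchanged
        with open(victim, "wb") as fh:
            fh.write(data)
        tampered = verify_index_files(root, release, wanted)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result)
```

The size check mirrors what David describes apt doing for free, but the digest comparison is what actually binds the file to the verified Release; a file that is `unlisted` should be treated the same as a failed one, since nothing signed vouches for it.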