On Sun, Jun 27, 2021 at 11:16:39PM +0200, Christoph Anton Mitterer wrote:
> Package: apt
> Version: 2.2.4
> Severity: wishlist
>
>
> Hey.
>
> It would be nice if the sources.list(5) manpage could clarify whether
> the file URI scheme is secure (or not) when the archive is not under local
> control by a trusted user.
>
>
> From the manpage:
> > copy
> > The copy scheme is identical to the file scheme except that packages
> > are copied into the cache directory instead of used directly at their
> > location. This is useful for people using removable media to copy
> > files around with APT.
>
> So my understanding is that with file:
> - at some point the file is verified (apt-secure)
> - then read from the specified location directly (not from a cached copy)
> ... and installed
>
> But wouldn't that also mean that the (local) user controlling that
> location, or e.g. the NFS owner, could replace the valid file with a
> rogue version right after it has been read the first time (for validation)?
>
>
> Or is there another validation of the hashes right when it's read in for
> the actual installation?
The file: method is not secure against third-party attacks. Neither metadata like Packages files nor debs are copied anywhere, so they can be replaced at any time and are not revalidated.

This has been the subject of much discussion the past weeks and I'm leaning towards renaming it to `insecure-file` to make users explicitly (aware of, and) acknowledge the risks. This means that file:/ URLs will create a warning saying that file is insecure and to read a manual page and switch to copy or insecure-file.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer
i speak de, en
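As an added example (not part of the bug report, the reply, or apt itself), the following POSIX shell script audits APT source definitions for the file:/ scheme the thread discusses, so an administrator can find sources whose contents are read in place and never revalidated after the signature check. It assumes the one-line sources.list format and the deb822 `.sources` format; all paths in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or from apt: audit APT source
# definitions for file:/ URIs. Per the reply above, files behind file:/ are
# read in place after signature checking and never revalidated, so anyone
# who can write to that location can swap contents between check and install.
# Handles the one-line format ("deb [opts] URI suite comps") and the deb822
# format ("URIs: ..."). Paths in the samples below are constructed.

# Read sources text on stdin; print "LINE URI" for each file:/ source.
find_file_sources() {
    awk '
        /^[[:space:]]*#/ { next }                      # comment line
        /^[[:space:]]*deb(-src)?[[:space:]]/ {         # one-line format
            for (i = 2; i <= NF; i++) {
                # skip an optional [option=value ...] group
                if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; continue }
                if ($i ~ /^file:/) print NR, $i        # first non-option field is the URI
                break
            }
            next
        }
        /^URIs:/ {                                     # deb822 format, may list several URIs
            for (i = 2; i <= NF; i++) if ($i ~ /^file:/) print NR, $i
        }
    '
}

# Number of file:/ sources on stdin (avoids the padding some wc -l print).
count_file_sources() {
    find_file_sources | awk 'END { print NR }'
}

# Audit a live system: one-line files plus deb822 .sources files.
audit_apt_sources() {
    for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do
        [ -r "$f" ] || continue
        find_file_sources < "$f" | sed "s|^|$f:|"
    done
}

# Constructed sample input (not real configuration).
SAMPLE_ONELINE='deb http://deb.debian.org/debian bullseye main
deb [arch=amd64 trusted=yes] file:/srv/mirror/debian bullseye main
# deb file:/media/cdrom bullseye main
deb-src file:/mnt/nfs/debian bullseye main
deb copy:/media/usb/debian bullseye main'

SAMPLE_DEB822='Types: deb
URIs: file:/srv/local-repo http://deb.debian.org/debian
Suites: bullseye
Components: main'

printf '%s\n' "$SAMPLE_ONELINE" | find_file_sources   # prints "2 file:/srv/mirror/debian" and "4 file:/mnt/nfs/debian"
```

Run `audit_apt_sources` on a real host to list every file:/ source with its defining file and line; the `copy:` entry in the sample is deliberately not flagged, since that scheme copies into the cache as the quoted manpage text describes.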