Hi,

(Input from apt devs was requested on IRC, so here you go – please CC me if there is something you think I could help with. Note that I am not an apt-offline user nor do I know how it works; I have just read the package description.)

On Fri, Aug 18, 2017 at 04:33:01PM +0530, Ritesh Raj Sarraf wrote:
> Currently, our approach has a flaw. It completely misses to validate
> the Packages files. Instead, just after verifying the Release file, it
> assumes everything is clean and blindly copies the Packages files.

You are hardly the only one with this problem – and even if you would do it 100% secure, we as apt developers would probably not be 100% happy about it, as it means that /var/lib/apt/lists must be handled like a public interface, as in no changes to the file naming or even bigger changes to the storage (like e.g. compressing the files).

Perhaps from the apt side we should implement something like "apt-helper import-lists-directory" to provide a way out of this mess in the long term. Interesting might be to implement a local (http) proxy, as you can make that work with every apt version, but that of course gives the user the wrong impression that files are downloaded from "somewhere" while in reality the proxy would just serve files from the bundle on request.

[I am thinking about implementing both more or less for a while, but haven't made any actual progress and somehow doubt I will in a reasonable timeframe on my own. If someone wanted to pick it up I could probably help with reviews though.]

> We may not need this validation for .debs.

You need to do this for debs as well. The quick test just works as expected because the deb file has a different filesize than what is expected, and apt checks the filesize as apt can do it for free while checking for file existence, and so deletes "obviously" bad files silently.

As a workaround for this part, I think (= haven't tried) you can place the deb files in partial/ – the download methods should pick up the partial file and notice that it is already completely downloaded without doing online requests. The files will then take their usual way through the verification of checksums and end up in archives/ if everything is fine.

That doesn't work for lists/ as Release files are always requested from an online source (as apt can't know if it's complete or outdated already) and the other files tend to be no longer compressed & you can't be sure that if you compress it again you would get the same hash (as e.g. different versions of a compressor can generate different compatible files).

Best regards

David Kalnischkies
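The missing check discussed in this thread, as an added example that is not part of the original mail nor apt-offline's or apt's own code: after the Release file's signature has been verified (assumed done elsewhere), each index such as `main/binary-amd64/Packages` must be matched against the size and SHA256 that the Release file lists for it before it is copied into lists/. The Packages content and the Release stanza below are constructed for the example.

```python
import hashlib
import re

# Constructed sample index (not real Debian data); the matching Release
# stanza is generated from it by make_release() below.
PACKAGES = (b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
            b"Filename: pool/main/e/example_1.0_amd64.deb\n\n")


def make_release(indexes):
    """Archive side (constructed for this example): the SHA256 stanza a
    Release file carries for the given {path: bytes} indexes."""
    lines = ["Origin: Example", "Suite: stable", "SHA256:"]
    for path, data in indexes.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"


def parse_release_sha256(release_text):
    """Return {path: (sha256hex, size)} from the SHA256 section of a Release
    file; MD5Sum/SHA1 sections and plain fields are ignored."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if re.match(r"^[A-Za-z0-9-]+:", line):   # a new field starts
            in_section = line.startswith("SHA256:")
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def verify_index(release_text, path, data):
    """Client side: check a downloaded index against the verified Release.
    Returns (ok, reason). Size is checked first (cheap, like apt does),
    then the digest, so a same-length tampering is still caught."""
    entries = parse_release_sha256(release_text)
    if path not in entries:
        return False, "not listed in Release"
    expected_digest, expected_size = entries[path]
    if len(data) != expected_size:
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != expected_digest:
        return False, "sha256 mismatch"
    return True, "ok"
```

Only an index that passes `verify_index` should be copied into lists/; a file that is merely the right size is not enough, which is the gap the quoted report describes.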