
Re: apt-get issue(s)



I had a similar question in regard to where particular packages which
have security patches should be downloaded from - the obvious question
is the security server, however it doesn't seem to work that way all the
time ...

I don't have my sources.list at hand, unfortunately, but I have noticed
that from where I am in the network, the security site often will
time out during a download of a particular .deb file which has been
updated ...

That's not really the problem - the problem is that apt appears to then
continue fetching the file from the normal archive rather than from the
secure one. The fetched .deb appears to have exactly the same version
and revision details as the secure version, and unpacks and installs
fine ... but I would have thought that for security's sake that apt
should only have attempted to fetch the package from the secure URL
rather than the (possibly less secure) main site ... unless the user
intervened of course ...

Presumably if someone were able to poison the main site with a carefully
constructed .deb I could be in trouble if the download from the secure
site failed part-way through ...

Just a thought ...

-- 
Malcolm Herbert                                This brain intentionally
mjch@mail.com                                                left blank
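
The message above notes that the fetched .deb carried the same version and revision as the security build; that alone does not show it is the same file, which can be checked against the Size and SHA256 fields of the security archive's Packages index. This is an added example, not part of the original message: the package name, index stanza and file bytes are constructed, and it assumes the index itself was obtained and authenticated separately.

```python
import hashlib

def parse_packages(text):
    """Parse a Debian Packages index into {(package, version): fields}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields and "Version" in fields:
            index[(fields["Package"], fields["Version"])] = fields
    return index

def verify_deb(data, package, version, index):
    """Return (ok, reason) for .deb bytes checked against the index entry."""
    entry = index.get((package, version))
    if entry is None:
        return False, "version not listed in security index"
    if "SHA256" not in entry or "Size" not in entry:
        return False, "index entry lacks Size/SHA256"
    if len(data) != int(entry["Size"]):
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != entry["SHA256"].lower():
        return False, "SHA256 mismatch"
    return True, "matches security index"

# Constructed sample data: stand-in bytes, not real packages.
SECURITY_BUILD = b"constructed security-archive build of examplepkg 1.2-3"
# Same length and same claimed version, different content.
LOOKALIKE_BUILD = SECURITY_BUILD[:-1] + b"X"

# Constructed index stanza describing the security build only.
SAMPLE_INDEX = (
    "Package: examplepkg\n"
    "Version: 1.2-3\n"
    "Filename: pool/updates/main/e/examplepkg/examplepkg_1.2-3_i386.deb\n"
    f"Size: {len(SECURITY_BUILD)}\n"
    f"SHA256: {hashlib.sha256(SECURITY_BUILD).hexdigest()}\n"
    "Description: constructed entry\n"
    " second line of description\n"
)

if __name__ == "__main__":
    idx = parse_packages(SAMPLE_INDEX)
    for name, blob in (("security", SECURITY_BUILD), ("lookalike", LOOKALIKE_BUILD)):
        print(name, verify_deb(blob, "examplepkg", "1.2-3", idx))
```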


