On Sun, Dec 21, 2008 at 10:45:13PM +1000, Anthony Towns wrote:
> Attached is a patch against apt 0.7.19 (current in lenny/sid)
> including just the Redirect support from Jeff Licquia's patch in
> Bug#212732.

Thanks a lot for this, I merged it into my bzr tree and it will be part of the next merge into debian (experimental initially).

> As far as the issues described in Bug#66434 with bad redirection and
> mod_speling, that seems mostly unlikely to be a problem these days thanks
> to the md5 validation and signature support. The only way you could get
> unexpected data is if your original Release and Release.gpg files were
> redirected to the wrong place, but were completely consistent and had
> corresponding Packages files and debs.

One possible issue I can see is that consistency may become an issue. If the server that redirects does that to mirrors that are not in sync and the Release file comes from A but the Packages file from B, users may run into hashsum failures. We have the same problem with users behind proxies and round-robin DNS servers sometimes. The same for debs when some mirrors may return 404 or similar. That is not an argument against the patch of course, just an observation.

I can not think of any security concerns about the patch, the signature and hashsum code should protect us here to the extent possible.

> In the event that is a concern, the patch lets the user set the
> Acquire::http::AllowRedirect config option to false to block that behaviour.
> It'd be possible to have an option to verify the filename part of the URL
> is unchanged as well without much difficulty.

Excellent, thanks.

> I bumped the library version, mostly so I could be sure I was testing the
> right thing, but I presume this requires a libapt-pkg ABI bump anyway
> (there's an Acquire::Redirect() callback added), so I left it in the
> patch.

We will make it part of an update that breaks the abi for other items too.

Thanks,
 Michael

-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
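The hash-sum check that the reply relies on, and the mirror-skew failure it describes (Release from mirror A, Packages from an out-of-sync mirror B), as an added example that is neither apt's code nor part of the thread. The Release and Packages contents are constructed, only the SHA256 block of the Release format is parsed, and `redirect_keeps_filename` is a hypothetical sketch of the optional file-name check suggested in the quoted mail, not an apt option.

```python
import hashlib
import posixpath
from urllib.parse import urlsplit

def parse_release_hashes(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256 block of a Release file.
    Only SHA256 is parsed here; a real Release file also carries MD5Sum/SHA1 blocks."""
    hashes, in_sha256 = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a field header such as "SHA256:"
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:                         # " <digest> <size> <path>"
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def check_index(release_text: str, path: str, data: bytes) -> str:
    """Mimic the acceptance decision: 'ok' only if the fetched file's size and
    SHA256 match the (signed) Release entry; otherwise a short failure reason."""
    expected = parse_release_hashes(release_text).get(path)
    if expected is None:
        return "not-in-release"
    digest, size = expected
    if len(data) != size:
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return "hash-sum-mismatch"
    return "ok"

def redirect_keeps_filename(original_url: str, target_url: str) -> bool:
    """Hypothetical extra check (not an apt option): accept a redirect only if
    the file-name part of the URL is unchanged."""
    original_name = posixpath.basename(urlsplit(original_url).path)
    return original_name == posixpath.basename(urlsplit(target_url).path)

# Constructed sample data: mirror A's Release covers the Packages file mirror A serves;
# mirror B is one sync ahead and serves a different Packages file of the same size.
PACKAGES_A = b"Package: foo\nVersion: 1.0-1\n\n"
PACKAGES_B = b"Package: foo\nVersion: 1.0-2\n\n"
RELEASE_A = ("Origin: Example\nSuite: stable\nSHA256:\n"
             f" {hashlib.sha256(PACKAGES_A).hexdigest()} {len(PACKAGES_A)} main/binary-i386/Packages\n")

if __name__ == "__main__":
    print(check_index(RELEASE_A, "main/binary-i386/Packages", PACKAGES_A))  # ok
    print(check_index(RELEASE_A, "main/binary-i386/Packages", PACKAGES_B))  # hash-sum-mismatch
```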

