Hi

On 11/10/12 16:52, David Kalnischkies wrote:
> On Wed, Oct 10, 2012 at 11:53 PM, Dominique Lasserre
> <lasserr...@gmail.com> wrote:
>> It uses aria2 or axel as download managers and apt-get --print-uris to get
>> download URLs.
>
> What it omits is using the checksums included in that output and therefore
> falling victim to MITM attacks as it downloads directly to the archives dir
> which APT considers a safe harbor and so doesn't validate its content again.
>
> (APT checks the filesize as it is basically a free check, but the time-
> consuming calculation of checksums is omitted as this was already checked
> at download time with the move from ./partial/ to its final storage space
> and wouldn't improve security anyway as you would still have the time
> between the check and dpkg calling for a local attack …)

Thank you for mentioning that! Checksums are now verified.

> If there is really a need for a different methodology of downloading I would
> suggest to write a new apt-transport-* rather than a wrapper around the
> complete package manager. If people managed to bring bittorrent to APT this
> way, I am sure you can work out how to use your beloved $DOWNLOADMANAGER, too,
> if needed at all (yes, I have my doubts).
>
> I presume it will be even shorter in size of code, secure and more robust -
> even if you write it in bash, which you can btw: It is a text interface.
> Oh, and try dir::cache::archives="/tmp" and you will know why apt-config has
> flags for these dir options instead of forcing people to build paths by hand.

Those config options are used. apt-fast downloads into Dir::Cache::archives + "apt-fast" (but yes, you can (still) change it in the config file).

> In the meantime feel free to use services like http.debian.net or experiment
> with the mirror apt-transport which both don't depend on you being the only
> "lets add more own 'cars' to the traffic jam to get more through" person
> and the placebo effect.
>
>
> Best regards
>
> David Kalnischkies ~ an "apt-slow" contributor

Hehe (you like to rename apt?), thank you very much for your detailed explanations!

Regards
Dominique
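The check David describes (use the size and checksum that `apt-get --print-uris` already emits, and only then let a file land in the archives directory) can be illustrated with a short script. This is an added example written for this page, not code from apt-fast or from APT; it assumes the `--print-uris` line format `'URI' filename size ALGO:hex` (newer APT prints `SHA256:`, older releases `MD5Sum:`), and the sample payload, URL and hash below are constructed, not real packages. Only SHA-256 and SHA-512 records are accepted; an MD5 or SHA-1 record is rejected rather than trusted.

```python
import hashlib
import hmac
import os
import re
import shutil
import tempfile

# Assumed shape of one `apt-get --print-uris` output line (example, not APT's spec):
#   'http://host/pool/main/h/hello/hello_2.10-2_amd64.deb' hello_2.10-2_amd64.deb 56132 SHA256:<hex>
LINE_RE = re.compile(
    r"^'(?P<uri>[^']+)'\s+(?P<file>\S+)\s+(?P<size>\d+)\s+(?P<algo>\w+):(?P<hash>[0-9a-fA-F]+)\s*$"
)

# Only collision-resistant digests are accepted; MD5Sum/SHA1 lines are refused on purpose.
ACCEPTED_ALGOS = {"SHA256": "sha256", "SHA512": "sha512"}

# Constructed sample bytes standing in for a downloaded .deb (not a real package).
PAYLOAD = b"not really a .deb, just constructed sample bytes\n"
# Constructed --print-uris line whose size and hash match PAYLOAD.
SAMPLE_URIS = (
    "'http://deb.example.org/debian/pool/main/h/hello/hello_2.10-2_amd64.deb' "
    "hello_2.10-2_amd64.deb %d SHA256:%s\n" % (len(PAYLOAD), hashlib.sha256(PAYLOAD).hexdigest())
)


def parse_print_uris(text):
    """Parse --print-uris output into records; refuse lines with unknown or weak digests."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised --print-uris line: %r" % line)
        if m.group("algo") not in ACCEPTED_ALGOS:
            raise ValueError("refusing weak or unknown digest %s for %s" % (m.group("algo"), m.group("file")))
        records.append({
            "uri": m.group("uri"),
            "file": m.group("file"),
            "size": int(m.group("size")),
            "algo": m.group("algo"),
            "hash": m.group("hash").lower(),
        })
    return records


def file_digest(path, algo):
    """Stream the file through the named digest so large .debs do not need to fit in memory."""
    h = hashlib.new(ACCEPTED_ALGOS[algo])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, rec):
    """True only if both the size (cheap) and the checksum (authoritative) match the record."""
    if os.path.getsize(path) != rec["size"]:
        return False
    return hmac.compare_digest(file_digest(path, rec["algo"]), rec["hash"])


def install_verified(partial_path, rec, archives_dir):
    """Mirror APT's own discipline: a file leaves partial/ for the archives dir only after
    verification; anything that fails is deleted so APT never sees it as a 'safe' file."""
    if not verify_download(partial_path, rec):
        os.unlink(partial_path)
        return False
    shutil.move(partial_path, os.path.join(archives_dir, rec["file"]))
    return True


def demo():
    """Run the happy path and a same-size tampered download; returns (good_ok, bad_ok, archived)."""
    with tempfile.TemporaryDirectory() as root:
        partial = os.path.join(root, "partial")
        os.mkdir(partial)
        rec = parse_print_uris(SAMPLE_URIS)[0]
        staged = os.path.join(partial, rec["file"])
        with open(staged, "wb") as f:
            f.write(PAYLOAD)
        good_ok = install_verified(staged, rec, root)
        # Same length with one byte changed: the size check passes, the checksum check must not.
        with open(staged, "wb") as f:
            f.write(PAYLOAD[:-2] + b"X\n")
        bad_ok = install_verified(staged, rec, root)
        archived = os.path.exists(os.path.join(root, rec["file"]))
        return good_ok, bad_ok, archived


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

In a real wrapper the archives path would come from `apt-config shell ARCHIVES Dir::Cache::archives/d` rather than a hand-built string, which is the point David makes about the dir options; the tampered case shows why the size check alone, which APT treats as free, is not a substitute for the digest.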