Control: tag -1 +confirmed
Control: severity -1 serious
Control: tag -1 -moreinfo
Thanks. I can reproduce the problem. We need to add validation for the contents mentioned in the Release file. This would apply to the Packages files etc.

Currently, our approach has a flaw. It completely fails to validate the Packages files. Instead, just after verifying the Release file, it assumes everything is clean and blindly copies the Packages files.

We may not need this validation for .debs.

On Fri, 2017-08-18 at 16:00 +0530, Ritesh Raj Sarraf wrote:
> On Thu, 2017-08-10 at 23:17 +1000, Stuart Prescott wrote:
> > apt-offline claims to do gpg validation of the contents of the zip file and claims that this is an important thing for it to do.
> >
> >     --allow-unauthenticated
> >         Don't verify GPG signatures for the data to be installed to APT.
> >         Usage of this option is highly discouraged.
> >
> > However, it appears that apt-offline only verifies the GPG signature on the Release file. If that check passes, then it is assumed that all referenced resources (Packages files) are OK and apt-offline does not check that the hashes for the Packages files are indeed correct.
>
> Yes. We only check the Release file, which contains the checksum details for the Packages file, which in turn contains the checksum details for all data (.debs).
>
> > These Packages files are then fed directly to apt. Once apt has been fed a manipulated Packages file, it will then trust the .deb packages that it refers to.
>
> No. They aren't fed directly. We follow the same process that apt does. We sync them to the partial location and then apt does the verification.

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
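The check the message describes as missing, as an added example that is not apt-offline's own code: after the Release file's GPG signature has been verified, parse its SHA256 section and refuse to copy a Packages index whose size or hash does not match what the Release file lists. The Release and Packages contents below are constructed for the example; the path `main/binary-amd64/Packages` is the usual index location, not a value from the report.

```python
import hashlib
import hmac

# Constructed sample: the Packages index apt-offline would copy into apt's
# "partial" directory, and a Release file (assumed already signature-verified)
# whose SHA256 section lists that index. Real Release files carry more
# fields and more hash sections; only the SHA256 block is needed here.
PACKAGES_CONTENT = b"Package: example\nVersion: 1.0\nFilename: pool/main/e/example_1.0_amd64.deb\n"
RELEASE_CONTENT = (
    "Origin: Debian\nSuite: stable\nCodename: stretch\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_CONTENT).hexdigest()} {len(PACKAGES_CONTENT):8d} main/binary-amd64/Packages\n"
)


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256: section of a Release file.

    Hash entries are the indented lines following the "SHA256:" header; any
    unindented line ends the section.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def verify_index(release_text, index_path, index_bytes):
    """True only if the index has the size and SHA256 the Release file lists for it."""
    expected = parse_release_sha256(release_text).get(index_path)
    if expected is None:
        return False  # not listed in the Release file: never trust it
    digest, size = expected
    if len(index_bytes) != size:
        return False
    actual = hashlib.sha256(index_bytes).hexdigest()
    # constant-time comparison of the hex digests
    return hmac.compare_digest(actual, digest)
```

A Packages file that fails `verify_index` must not be placed into apt's partial directory, since apt would otherwise trust the .deb checksums it carries.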