Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories
On Thu, Aug 07, 2014 at 12:44:16AM +0200, Jakub Wilk wrote:
> * David Kalnischkies da...@kalnischkies.de, 2014-07-26, 15:25:
> > You don't need to write your credentials in a sources.list anymore (which should be world-readable) if your apt is recent enough (and with recent I mean at least oldstable). You can populate a netrc-like file at /etc/apt/auth.conf with them (create it if you must and set for it the permissions to your liking!).
>
> netrc was designed back when all the protocols were equally resistant to password sniffing (that is, not at all). But these days people most likely don't want to send their password in clear text, and the netrc-like password file doesn't really help with that.

Well, FTP/HTTP and secrecy aren't exactly buddies. So, people want to, otherwise they would use client-certificates with HTTPS. Or they could do SSH – this method is installed by default (but I have to say: I have never tried it so far). That was at least my naive response back in the days this netrc-like feature was requested/added…

So yes, this really only solves the problem I advertised it for (world-readable sources.list). It doesn't stop MITM attacks and is also not a cure for cancer… (not implying that either is solved by HTTPS/SSH). I just don't understand where you got the idea apt could change that. APT is just a client here. If you want to change anything, you have to change the server…

Best regards

David Kalnischkies
Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories
On 2014-07-26 15:25:32, David Kalnischkies wrote:

Hi David,

> That is surprising to see. It seems to be a slightly modified 6-year-old copy of apt's http method (with all its bugs of course) which just got 2 years ago GPLv3(+) headers.

Taking the above on board I decided to write the whole S3 transport from scratch.

> I have the strong feeling that this could just as well be patched into apt directly. Some of the forks (really, 77 forks? for this? apt has a serious marketing problem…) suggest that a bunch of stuff could be added, which I guess are not that okayish for apt directly, but I would encourage you in any case to contact us at de...@lists.debian.org so we can work out how to avoid a massive code-copy as this is (as shown here) prone to get out of date and accumulate unfixed (security) bugs fast.

We (me and my colleague) already have a proof of concept in python which just needs some more polishing. Once it's done I'll drop a follow-up to de...@lists.debian.org with a request to evaluate it from your point of view.

> > deb s3://AWS_ACCESS_ID:[AWS_SECRET_KEY]@s3.amazonaws.com/BUCKETNAME wheezy main
>
> btw: You don't need to write your credentials in a sources.list anymore (which should be world-readable) if your apt is recent enough (and with recent I mean at least oldstable). You can populate a netrc-like file at /etc/apt/auth.conf with them (create it if you must and set for it the permissions to your liking!).

Great to know, thx for the hint; we'll use this option as a fallback in case the IAM role (AWS auth system) is not available.

-- 
kuLa
gpg --keyserver pgp.mit.edu --recv-keys 0x58C338B3
3DF1 A4DF C732 4688 38BC F121 6869 30DD 58C3 38B3
Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories
* David Kalnischkies da...@kalnischkies.de, 2014-07-26, 15:25:
> You don't need to write your credentials in a sources.list anymore (which should be world-readable) if your apt is recent enough (and with recent I mean at least oldstable). You can populate a netrc-like file at /etc/apt/auth.conf with them (create it if you must and set for it the permissions to your liking!).

netrc was designed back when all the protocols were equally resistant to password sniffing (that is, not at all). But these days people most likely don't want to send their password in clear text, and the netrc-like password file doesn't really help with that.

Consider the following /etc/apt/sources.list:

    deb http://ftp.pl.debian.org/debian/ unstable main
    deb https://topsecretdebs.jwilk.net/ experimental main

And the following /etc/apt/auth.conf:

    machine topsecretdebs.jwilk.net login jwilk password moo37

On the first glance, it looks all righty from the security perspective. But all a man-in-the-middle attacker has to do to steal the password is to respond to a http://ftp.pl.debian.org/ request with a redirect to http://secretdebs.jwilk.net/, tricking APT into sending the credentials over an unencrypted channel.

-- 
Jakub Wilk

-- 
To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140806224416.ga6...@jwilk.net
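The scenario Jakub describes (and the auth.conf feature David introduced earlier in the thread), modelled as an added example that is not apt's code and not part of the thread: a netrc-style lookup keyed on hostname alone hands the credentials to a plain-http redirect target, while a lookup that also requires the https scheme does not. Hosts and the login/password are the constructed values quoted in the message; the redirect chain and the function names are assumptions of this example.

```python
"""Model of a netrc-style /etc/apt/auth.conf lookup and the redirect-to-http leak.

Constructed example, not apt's implementation. The hosts and credentials are
the sample values from the thread, not real accounts.
"""
from urllib.parse import urlsplit

# auth.conf contents exactly as quoted in the thread (constructed sample).
AUTH_CONF = "machine topsecretdebs.jwilk.net login jwilk password moo37\n"

# Constructed MITM scenario: the plain-http mirror request is answered with a
# redirect to the credentialed host, also over plain http.
REDIRECTS = {
    "http://ftp.pl.debian.org/debian/dists/unstable/InRelease":
    "http://topsecretdebs.jwilk.net/dists/unstable/InRelease",
}


def parse_auth_conf(text):
    """Parse 'machine M login L password P' lines into {host: (login, password)}."""
    entries = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "machine":
            fields = dict(zip(tok[0::2], tok[1::2]))
            entries[fields["machine"]] = (fields["login"], fields["password"])
    return entries


def credentials_for(url, entries, https_only):
    """Naive lookup matches on hostname only; the hardened one also requires TLS."""
    parts = urlsplit(url)
    if https_only and parts.scheme != "https":
        return None
    return entries.get(parts.hostname)


def follow_redirects(start_url, redirects, entries, https_only):
    """Walk the redirect chain; return every URL where a password would go in clear."""
    url, leaked = start_url, []
    while True:
        if credentials_for(url, entries, https_only) and urlsplit(url).scheme != "https":
            leaked.append(url)
        if url not in redirects:
            return leaked
        url = redirects[url]


if __name__ == "__main__":
    entries = parse_auth_conf(AUTH_CONF)
    start = "http://ftp.pl.debian.org/debian/dists/unstable/InRelease"
    print("hostname-only lookup leaks at:", follow_redirects(start, REDIRECTS, entries, False))
    print("https-only lookup leaks at:   ", follow_redirects(start, REDIRECTS, entries, True))
```

The hostname-only walk reports the plain-http topsecretdebs URL as a leak point; the https-only walk reports none, while still returning the credentials for an https request to that host.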
Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories
On Fri, Jul 25, 2014 at 03:00:17PM +0100, Marcin Kulisz (kuLa) wrote:
> * Package name: apt-transport-s3

Note that this is only 'needed' for private S3, apt came to terms with public S3 despite its problems (like pipelining and decoding of '+') – which this copy doesn't support, but see next section:

>   Version : 20120426090326git
>   Upstream Author : Kyle Shank kyle.sh...@gmail.com
> * URL : https://github.com/kyleshank/apt-s3
> * License : GPLv3

That is surprising to see. It seems to be a slightly modified 6-year-old copy of apt's http method (with all its bugs of course) which just got 2 years ago GPLv3(+) headers. APT itself (and the copied code, too) is GPL2+, which this copy avoids mentioning as it doesn't tell you anything about being a copy (looking at some of the forks and how they do the same to https, oh dear…) while the copyright is claimed by the upstream author alone.

Slightly modified as the modification in s3.h is the addition of the license header, while s3.cc goes the extra mile of including openssl (remember, I said GPL2+ – nothing about an OpenSSL exception) and curl (no idea why, as it isn't used) to get SHA1 and Base64 encoding (which are both already available in libapt anyway) to set a Date: and an Authorization: AWS header for AWS while removing our Authorization: Basic support. Oh, and it does change the user-agent from Debian APT to Ubuntu APT… (and yes, I diff'ed that against an apt checkout from that time as the history of upstream is non-existent).

I have the strong feeling that this could just as well be patched into apt directly. Some of the forks (really, 77 forks? for this? apt has a serious marketing problem…) suggest that a bunch of stuff could be added, which I guess are not that okayish for apt directly, but I would encourage you in any case to contact us at de...@lists.debian.org so we can work out how to avoid a massive code-copy as this is (as shown here) prone to get out of date and accumulate unfixed (security) bugs fast.

> deb s3://AWS_ACCESS_ID:[AWS_SECRET_KEY]@s3.amazonaws.com/BUCKETNAME wheezy main

btw: You don't need to write your credentials in a sources.list anymore (which should be world-readable) if your apt is recent enough (and with recent I mean at least oldstable). You can populate a netrc-like file at /etc/apt/auth.conf with them (create it if you must and set for it the permissions to your liking!).

Best regards

David Kalnischkies
Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories
Package: wnpp
Severity: wishlist
Owner: Marcin Kulisz (kuLa) deb...@kulisz.net

* Package name    : apt-transport-s3
  Version         : 20120426090326git
  Upstream Author : Kyle Shank kyle.sh...@gmail.com
* URL             : https://github.com/kyleshank/apt-s3
* License         : GPLv3
  Programming Lang: C++
  Description     : APT transport for privately held AWS S3 repositories

This package contains the APT AWS S3 transport. It makes it possible to fetch files from repositories privately held on AWS S3.
.
To start using an S3 based repo it's enough to add a line similar to the one below to apt sources.list (more information in 'man apt-transport-s3'):

    deb s3://AWS_ACCESS_ID:[AWS_SECRET_KEY]@s3.amazonaws.com/BUCKETNAME wheezy main

Archive: https://lists.debian.org/20140725140017.22857.17925.report...@bashton004.kulisz.net