[Touch-packages] [Bug 978587] Re: apt should ensure .deb are not corrupted before handing them to dpkg

2021-05-29 Thread Julian Andres Klode
** Changed in: apt (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/978587

Title:
  apt should ensure .deb are not corrupted before handing them to dpkg

Status in apt package in Ubuntu:
  Invalid

Bug description:
  Upon upgrading to libreoffice-core 3.5.2 version, I stumbled upon what
  seems to be a bad download issue:

  Preparing to replace libreoffice-core 1:3.5.1-1ubuntu5 (using .../libreoffice-core_1%3a3.5.2-2ubuntu1_amd64.deb) ...
  rmdir: failed to remove `/var/lib/libreoffice/basis3.4/program/': No such file or directory
  rmdir: failed to remove `/var/lib/libreoffice/basis3.4': No such file or directory
  Unpacking replacement libreoffice-core ...
  dpkg-deb (subprocess): data: internal bzip2 read error: 'DATA_ERROR'
  dpkg-deb: error: subprocess  returned error exit status 2
  dpkg: error processing /var/cache/apt/archives/libreoffice-core_1%3a3.5.2-2ubuntu1_amd64.deb (--unpack):
   subprocess dpkg-deb --fsys-tarfile returned error exit status 2

  I was asked to file a bug about it, as it might be possible for dpkg
  to recover from that more gracefully.

  Further information upon requests.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/978587/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 978587] Re: apt should ensure .deb are not corrupted before handing them to dpkg

2021-05-29 Thread Bill Yikes
This is actually a security issue and it's surprising it's gone unfixed
for 9 years.  It's inconsistent for apt to check the hash on deb files
that it downloads, but then neglect to do so on user-supplied deb files.
The status quo is a recipe for disaster.  To exacerbate the problem, the
man page does not document the inconsistency or the fact that .  There
are a variety of ways to fix this:

1) apt could refuse to accept local .deb files
2) apt could require local .deb files to be supplied with a hash string (which would need a new CLI arg)
3) apt could print the hash to the string and instruct the user to confirm whether the hash matches
4) apt could check the repos it's aware of to see if the hash matches anything served by a trusted repo.  If not, follow option 1 or 3 above.

It's also important to note that users don't generally know how deb
files are structured or how deb files are structured.  Should they be
responsible for knowing whether a hash is embedded within the deb file
or not?  Particularly when the man page makes no mention of it?
Generally, the user might know that hashes are checked by the apt-*
tools one way or another.  The apt suite of tools (and docs for it) keep
the user in the dark, and yet the user is responsible for knowing how it
works.  The user is not served well in this case.

Status in apt package in Ubuntu:
  Confirmed
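Option 4 from the comment above (checking a local .deb against hashes served by repositories apt already trusts), as an added example that is not part of the thread and not apt's own code. It assumes the Packages index text has already been authenticated; the package name, index entry and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def parse_packages_index(text):
    """Parse Packages-index text into one field dict per stanza."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def sha256_file(path, chunk=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for piece in iter(lambda: fh.read(chunk), b""):
            digest.update(piece)
    return digest.hexdigest()

def match_local_deb(path, stanzas):
    """Return the stanza whose Size and SHA256 match the file, else None."""
    size, digest = str(os.path.getsize(path)), sha256_file(path)
    for st in stanzas:
        if st.get("Size") == size and st.get("SHA256", "").lower() == digest:
            return st
    return None

def demo():
    """Constructed data: a stand-in blob and an index entry describing it."""
    good = b"!<arch>\n" + b"constructed sample payload, not a real package\n" * 4
    index = ("Package: example-pkg\nVersion: 1.0-1\n"
             f"Size: {len(good)}\nSHA256: {hashlib.sha256(good).hexdigest()}\n"
             "Description: constructed entry\n used only by this example\n")
    stanzas, results = parse_packages_index(index), {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("intact", good), ("corrupt", good[:-1] + b"X")):
            path = os.path.join(tmp, name + ".deb")
            with open(path, "wb") as fh:
                fh.write(data)
            hit = match_local_deb(path, stanzas)
            results[name] = hit["Package"] if hit else None
    return results
```

A file that matches no trusted entry returns `None`, which is the point where the comment's options 1 or 3 would apply.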