apt-cacher in main + apt-zeroconf

Sam Tygier samtygier at yahoo.co.uk
Thu Nov 15 16:36:07 UTC 2007


Fabian Rodriguez wrote:
> apt-zeroconf is actually a replacement for apt-cacher, not a
> complement to it, according to its site. I think we already know the
> answer to "enabled by default" autodiscovery / other networking
> services. I would have some trust issues using apt-zeroconf, but
> that's just me :)
> 
> F.

It looks like they have got the security side covered.

"Now, one might think this could potentially pose a security threat as everyone can offer and distribute debs without any authentication whatsoever. This is not the case as we are not yet caching the package lists or pdiffs, which are PGP-signed and contain MD5, SHA1 and SHA256 checksums of the packages. But due to the trusted PGP signatures, caching package lists shouldn't be an issue."

Is there any reason this would not be sufficient?

The only thing I can imagine is some sort of DoS attack by sending a large number of requests to one machine. Maybe checking for shared packages on the network could be enabled by default, but sharing disabled. The option to enable sharing could be in System -> Administration -> Software Sources.

Sam
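The check the quoted text relies on, written out as an added example (this is not code from the thread, from apt or from apt-zeroconf): a .deb fetched from an unauthenticated peer is accepted only if its size and checksums match the entry in a package index whose PGP signature was already verified. The index stanza here is constructed from a sample payload so the block runs offline; in real apt the checksums come from the signed Release/Packages files, and the `parse_stanza`, `build_index_stanza` and `verify_deb` names are this example's own.

```python
import hashlib
from typing import Dict

# Constructed sample package bytes, not a real .deb. The tampered copy
# stands in for a deb a peer modified before serving it.
GOOD_DEB = b"!<arch>\ndebian-binary   constructed sample package bytes\n"
TAMPERED_DEB = GOOD_DEB + b"\x00"


def parse_stanza(text: str) -> Dict[str, str]:
    """Parse one Packages-index stanza ('Field: value' lines, RFC 822 style)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(" "):
            continue  # blank or continuation lines carry nothing needed here
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def build_index_stanza(name: str, payload: bytes) -> str:
    """Constructed stand-in for a Packages entry.

    In apt the entry is trusted because the Packages file is covered by the
    PGP-signed Release file; that signature check is assumed to have already
    passed before this stanza is used. The trust anchor is the archive key,
    not whichever peer happens to serve the .deb.
    """
    return (
        f"Package: {name}\n"
        f"Filename: pool/main/{name[0]}/{name}/{name}_1.0_all.deb\n"
        f"Size: {len(payload)}\n"
        f"MD5sum: {hashlib.md5(payload).hexdigest()}\n"
        f"SHA1: {hashlib.sha1(payload).hexdigest()}\n"
        f"SHA256: {hashlib.sha256(payload).hexdigest()}\n"
    )


def verify_deb(stanza: Dict[str, str], payload: bytes) -> bool:
    """Accept the payload only if its size and every listed digest match.

    An entry without a SHA256 field is refused outright: MD5 and SHA1 alone
    are too weak to anchor trust in bytes received from an unknown host.
    """
    if "SHA256" not in stanza:
        return False
    if int(stanza["Size"]) != len(payload):
        return False
    digests = (
        ("MD5sum", hashlib.md5),
        ("SHA1", hashlib.sha1),
        ("SHA256", hashlib.sha256),
    )
    for field, algo in digests:
        if field in stanza and algo(payload).hexdigest() != stanza[field]:
            return False
    return True


def check_both() -> Dict[str, bool]:
    """Run the check against the genuine and the tampered payload."""
    stanza = parse_stanza(build_index_stanza("example-pkg", GOOD_DEB))
    return {
        "genuine": verify_deb(stanza, GOOD_DEB),
        "tampered": verify_deb(stanza, TAMPERED_DEB),
    }


if __name__ == "__main__":
    for label, ok in check_both().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

The point the block makes is the one Sam quotes: as long as the package index is signed and the client checks the deb against it, a peer that serves a modified deb can only cause a download to be rejected, not get altered bytes installed. What it cannot address is the availability concern raised below the quote, since a peer can still answer slowly or not at all.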
