apt-cacher in main + apt-zeroconf

Sam Tygier samtygier at yahoo.co.uk
Thu Nov 15 22:08:00 UTC 2007


Fabian Rodriguez wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
> 
> Sam Tygier wrote:
>> it looks like they have got the security side covered.
>>
>> "Now, one might think this could potentially pose a security threat
>> as everyone can offer and distribute debs without any
>> authentication whatsoever. This is not the case as we are not yet
>> caching the package lists or pdiffs, which are PGP-signed and
>> contain MD5, SHA1 and SHA256 checksums of the packages. But due to
>> the trusted PGP signatures, caching package lists shouldn't be an
>> issue."
>>
>> Is there any reason this would not be sufficient?
> I see many ways to trick someone into installing newer versions of
> existing common packages that include malicious files, using
> apt-zeroconf. You'd be surprised how many people will click through
> any amount of security warnings if approached with authority by a
> neighbor. An Internet cafe comes to mind, but many other public places
> would also serve this purpose. You'd guess I love being paranoid about
> this.

As I understand it, all the computers still get the package list from the Ubuntu repo. It is only the packages that they get from local peers. There is no way the local peers can tamper with the package list.

The package list contains the MD5 sum of packages, so if a local peer claims to have a package and gives you something that has been tampered with, then apt will reject it.

sam
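
The check described in this message, as an added example that is not part of the original post and is not code from apt or apt-zeroconf: bytes served by a local peer are accepted only if they match the size and every checksum listed for that package in the package list. It assumes the package list was already fetched from the repository and authenticated through its PGP signature (not shown); the function names and the sample package are constructed for illustration.

```python
import hashlib

# Hash fields as they appear in a Packages stanza, strongest first.
HASH_FIELDS = [("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5sum", "md5")]

def parse_packages(text):
    """Parse a Packages index into {package name: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            index[fields["Package"]] = fields
    return index

def verify_peer_deb(index, name, data):
    """Return (ok, reason) for bytes a local peer served as package `name`."""
    entry = index.get(name)
    if entry is None:
        return False, "not in trusted index"
    if "Size" in entry and int(entry["Size"]) != len(data):
        return False, "size mismatch"
    checked = 0
    for field, algo in HASH_FIELDS:
        if field in entry:
            if hashlib.new(algo, data).hexdigest() != entry[field].lower():
                return False, field + " mismatch"
            checked += 1
    if checked == 0:
        return False, "no checksum in index"   # fail closed
    return True, "ok"

# Constructed sample: stand-in bytes for a .deb and the index entry describing it.
GOOD_DEB = b"!<arch>\nconstructed stand-in for hello_2.2-1_i386.deb\n"
PACKAGES = "Package: hello\nVersion: 2.2-1\nSize: %d\nMD5sum: %s\nSHA1: %s\nSHA256: %s\n" % (
    len(GOOD_DEB), hashlib.md5(GOOD_DEB).hexdigest(),
    hashlib.sha1(GOOD_DEB).hexdigest(), hashlib.sha256(GOOD_DEB).hexdigest())
INDEX = parse_packages(PACKAGES)

if __name__ == "__main__":
    print(verify_peer_deb(INDEX, "hello", GOOD_DEB))
    print(verify_peer_deb(INDEX, "hello", GOOD_DEB.replace(b"hello", b"h3llo")))
```

The check is only as strong as the authenticity of the package list it reads from, which is why the signed list has to come from the repository rather than from the peer.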