Debian Bug report logs - #499897
preventing replay attacks against the security archive


Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt.

Reported by: Peter Palfrader <weasel@debian.org>

Date: Tue, 23 Sep 2008 13:21:02 UTC

Severity: important

Fixed in version 0.7.21~exp1

Done: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package ftp.debian.org, apt. (Tue, 23 Sep 2008 13:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
New Bug report received and forwarded. Copy sent to Debian FTP Master <ftpmaster@ftp-master.debian.org>, APT Development Team <deity@lists.debian.org>. (Tue, 23 Sep 2008 13:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Peter Palfrader <weasel@debian.org>
To: submit@bugs.debian.org
Subject: preventing replay attacks against the security archive
Date: Tue, 23 Sep 2008 15:15:08 +0200
Package: ftp.debian.org, apt

Hi,

In RT#744[1] an attack was brought up wherein an adversary causes the
victim to use an outdated copy of the security mirror, thereby
preventing the victim from getting security updates.

The attack is not new, but Debian still has very little to offer for
preventing this kind of attack, or at least making it harder.

One proposed solution is to optionally add a "Valid-Until" field to
Release files on at least the security archive, tho it might make sense
for unstable etc also.

Apt should then be changed to reject Release files that have expired,
and probably also Release files from the future.

Cheers,
weasel

1. https://rt.debian.org/Ticket/Display.html?id=744
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package ftp.debian.org, apt. (Tue, 23 Sep 2008 16:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Jaspert <joerg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FTP Master <ftpmaster@ftp-master.debian.org>, APT Development Team <deity@lists.debian.org>. (Tue, 23 Sep 2008 16:48:04 GMT) Full text and rfc822 format available.

Message #10 received at 499897@bugs.debian.org (full text, mbox):

From: Joerg Jaspert <joerg@debian.org>
To: Peter Palfrader <weasel@debian.org>
Cc: 499897@bugs.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Tue, 23 Sep 2008 18:41:52 +0200
[Message part 1 (text/plain, inline)]
On 11517 March 1977, Peter Palfrader wrote:

> One proposed solution is to optionally add a "Valid-Until" field to
> Release files on at least the security archive, tho it might make sense
> for unstable etc also.

Should be easy for us (ftp.d.o) to do, I think I'll add something like this
soon.


-- 
bye, Joerg
A BSP means that many DDs and other mere mortals get together to play
xroach. Sadly, that package was removed from Debian some time ago, so
they have to squash other bugs (preferably RC) instead.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package ftp.debian.org, apt. (Tue, 23 Sep 2008 16:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Jaspert <joerg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FTP Master <ftpmaster@ftp-master.debian.org>, APT Development Team <deity@lists.debian.org>. (Tue, 23 Sep 2008 16:48:05 GMT) Full text and rfc822 format available.

Message #15 received at 499897@bugs.debian.org (full text, mbox):

From: Joerg Jaspert <joerg@debian.org>
To: Peter Palfrader <weasel@debian.org>
Cc: 499897@bugs.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Tue, 23 Sep 2008 18:42:54 +0200
[Message part 1 (text/plain, inline)]
On 11517 March 1977, Peter Palfrader wrote:

> One proposed solution is to optionally add a "Valid-Until" field to
> Release files on at least the security archive, tho it might make sense
> for unstable etc also.

Should be easy for us (ftp.d.o) to do, I think I'll add something like this
soon.

Also, such a "fixed" apt might be a candidate for the security archive
itself, i.e. a patch to apt only enabling this in the stable
version. Might want to ask the security team when we have this
functionality. (Assuming the apt maintainers want to backport this
function into the then-lenny release).


-- 
bye, Joerg
A BSP means that many DDs and other mere mortals get together to play
xroach. Sadly, that package was removed from Debian some time ago, so
they have to squash other bugs (preferably RC) instead.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package ftp.debian.org, apt. (Tue, 23 Sep 2008 19:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Jaspert <joerg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FTP Master <ftpmaster@ftp-master.debian.org>, APT Development Team <deity@lists.debian.org>. (Tue, 23 Sep 2008 19:27:04 GMT) Full text and rfc822 format available.

Message #20 received at 499897@bugs.debian.org (full text, mbox):

From: Joerg Jaspert <joerg@debian.org>
To: 499897@bugs.debian.org
Cc: Peter Palfrader <weasel@debian.org>, control@bugs.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Tue, 23 Sep 2008 21:23:18 +0200
[Message part 1 (text/plain, inline)]
reassign 499897 apt
severity 499897 important
thanks

On 11517 March 1977, Joerg Jaspert wrote:

>> One proposed solution is to optionally add a "Valid-Until" field to
>> Release files on at least the security archive, tho it might make sense
>> for unstable etc also.
> Should be easy for us (ftp.d.o) to do, I think I'll add something like this
> soon.

Done. We now generate Release files having "Valid-Until:" headers. Same
format as the Date: one, just currently (for the main archive) 7 days in
future.

Would be nice if apt could get this implemented soon[1] and then the
release team asked how we could get this into lenny.
(If it's *only* this change, maybe lenny proper. If that doesn't work,
maybe r1? Or possibly really a DSA for it).

[1] Luckily, apt just ignores unknown fields in release files, so no
    harm done having it there already.

-- 
bye, Joerg
Five exclamation marks, the sure sign of an insane mind.
			-- Terry Pratchett, Reaper Man
[Message part 2 (application/pgp-signature, inline)]

Bug reassigned from package `ftp.debian.org, apt' to `apt'. Request was from Joerg Jaspert <joerg@debian.org> to control@bugs.debian.org. (Tue, 23 Sep 2008 19:27:06 GMT) Full text and rfc822 format available.

Severity set to `important' from `normal' Request was from Joerg Jaspert <joerg@debian.org> to control@bugs.debian.org. (Tue, 23 Sep 2008 19:27:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Wed, 24 Sep 2008 06:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 24 Sep 2008 06:06:04 GMT) Full text and rfc822 format available.

Message #29 received at 499897@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 499897@bugs.debian.org
Cc: Joerg Jaspert <joerg@debian.org>, Peter Palfrader <weasel@debian.org>, team@security.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Wed, 24 Sep 2008 08:04:32 +0200
[Message part 1 (text/plain, inline)]
Hi Jörg,

> Done. We now generate Release files having "Valid-Until:" headers. Same
> format as the Date: one, just currently (for the main archive) 7 days in
> future.

Thanks for implementing this. When is this file regenerated, daily?

> Would be nice if apt could get this implemented soon[1] and then the
> release team asked how we could get this into lenny.
> (If it's *only* this change, maybe lenny proper. If that doesn't work,
> maybe r1? Or possibly really a DSA for it).

I guess APT would need to reject Release files that do not contain any
Valid-Until header (or you could still do the attack with the files we served
until now). However, that could break a lot of private repositories and the
software that runs them would need to be fixed as well. So I'm not sure if we
manage to do all that in time for lenny. In case this indeed turns out to be
a problem we may get away with it being an optional feature for lenny that
can be turned on by a cautious administrator, and that will be default on for
squeeze?

I also believe that APT would need an override switch - it's an important tool
for system maintenance, and there may be cases where your system time is
seriously borked but you would still want to run an update.



cheers,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Wed, 24 Sep 2008 14:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Jaspert <joerg@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 24 Sep 2008 14:24:06 GMT) Full text and rfc822 format available.

Message #34 received at 499897@bugs.debian.org (full text, mbox):

From: Joerg Jaspert <joerg@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 499897@bugs.debian.org, Peter Palfrader <weasel@debian.org>, team@security.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Wed, 24 Sep 2008 13:01:54 +0200
[Message part 1 (text/plain, inline)]
On 11518 March 1977, Thijs Kinkhorst wrote:

>> Done. We now generate Release files having "Valid-Until:" headers. Same
>> format as the Date: one, just currently (for the main archive) 7 days in
>> future.
> Thanks for implementing this. When is this file regenerated, daily?

On klecker - not at all right now. Need to sync klecker's code first.
And possibly rework the klecker setup, it's insane atm with its file rights
and stuff. Both on my todo list for "soon" but requires work and
coordination and foo. :) Will happen definitely before Lenny.

Other than that - Release files are regenerated whenever something gets
added to the archive.

I also will need to add a cronjob regenerating the release files daily,
if they get older than a day (or two). Just in case there are no DSAs
(or archive updates) for that time, so we don't run into all apts
complaining just because there was no archive update. :)

>> Would be nice if apt could get this implemented soon[1] and then the
>> release team asked how we could get this into lenny.
>> (If it's *only* this change, maybe lenny proper. If that doesn't work,
>> maybe r1? Or possibly really a DSA for it).
> I guess APT would need to reject Release files that do not contain any
> Valid-Until header (or you could still do the attack with the files we served
> until now). However, that could break a lot of private repositories and the
> software that runs them would need to be fixed as well. So I'm not sure if we
> manage to do all that in time for lenny. In case this indeed turns out to be
> a problem we may get away with it being an optional feature for lenny that
> can be turned on by a cautious administrator, and that will be default on for
> squeeze?

I think apt should accept Release files without this header. If it ever
sees such a header it should *no longer* accept new release files
without it. I.e. "old file does not have it - new file doesn't need
it". "Old file has it - new file needs it".
Combined with a warning "Can't find Valid-Until header in Release file"
that should suffice. It allows you to run an archive without that
header, but forbids you to lose it (unless you do manual action and
remove old files), which should prevent the mitm playing with it.
(Assuming you have an initial good contact with the net, but if you don't
you are dead anyways).

-- 
bye, Joerg
If the autobuilder tells me that my package failed to build from source,
it's probably doing that on some obscure architecture I don't have
access to.
[Message part 2 (application/pgp-signature, inline)]
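The freshness rules discussed so far (Peter's request to reject expired and future-dated Release files, Thijs's admin override, and Joerg's "old file has it, new file needs it" rule), as an added Python example that is not part of apt or of any message in this thread. It assumes the Release file has already passed signature verification; the two Release headers are constructed samples, and the function names are mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

UTC = timezone.utc

# Constructed samples: the header part of a Release file as the archive
# stamps it (hash list shortened to one fake entry). The second one predates
# the Valid-Until change and carries no such field.
RELEASE_WITH_VALID_UNTIL = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: lenny
Date: Tue, 23 Sep 2008 13:21:02 UTC
Valid-Until: Tue, 30 Sep 2008 13:21:02 UTC
Architectures: amd64 i386
MD5Sum:
 00000000000000000000000000000000 0 main/binary-amd64/Packages
"""

RELEASE_WITHOUT_VALID_UNTIL = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: lenny
Date: Tue, 23 Sep 2008 13:21:02 UTC
Architectures: amd64 i386
"""


def parse_release_fields(text: str) -> Dict[str, str]:
    """Return the simple 'Key: value' header fields of a Release file.

    Indented lines (the per-file hash lists) are skipped; only the top-level
    fields matter for the freshness check.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_release_date(value: str) -> datetime:
    """Parse a Date:/Valid-Until: value such as 'Tue, 23 Sep 2008 13:21:02 UTC'.

    The archive stamps these in UTC, so a value without a zone is treated as
    UTC rather than as local time (the thread's patch uses mktime(), which
    would apply the client's local offset).
    """
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"unparseable date {value!r}") from exc
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=UTC)
    return parsed.astimezone(UTC)


@dataclass
class Verdict:
    accept: bool
    reason: str


def check_release(new_release: str, now: datetime,
                  previous_release: Optional[str] = None,
                  check_valid_until: bool = True,
                  max_future_skew: timedelta = timedelta(hours=1)) -> Verdict:
    """Decide whether a downloaded Release file may replace the stored one.

    `now` must be timezone-aware. `check_valid_until=False` is the admin
    override for a machine with a broken clock (the patch in this thread
    spells it Acquire::Check-Valid-Until); it skips every time-based check.
    """
    if not check_valid_until:
        return Verdict(True, "Valid-Until check disabled by configuration")
    fields = parse_release_fields(new_release)

    # A Release file stamped in the future means a wrong clock or a forged
    # timestamp; tolerate small skew, reject anything beyond it.
    if "Date" in fields:
        stamped = parse_release_date(fields["Date"])
        if stamped - now > max_future_skew:
            return Verdict(False, f"Date {fields['Date']} is in the future")

    if "Valid-Until" in fields:
        valid_until = parse_release_date(fields["Valid-Until"])
        if now > valid_until:
            return Verdict(False, f"expired at {fields['Valid-Until']}")
        return Verdict(True, "within validity period")

    # No Valid-Until: once the repository has published one, a newer file
    # without it is treated as a replayed old file and refused.
    if previous_release and "Valid-Until" in parse_release_fields(previous_release):
        return Verdict(False, "Valid-Until missing but previous Release had one")
    return Verdict(True, "warning: no Valid-Until field in Release file")


if __name__ == "__main__":
    for day in (25, 20):
        print(day, check_release(RELEASE_WITH_VALID_UNTIL,
                                 datetime(2008, 9, day, tzinfo=UTC)))
    print(check_release(RELEASE_WITHOUT_VALID_UNTIL,
                        datetime(2008, 9, 25, tzinfo=UTC),
                        previous_release=RELEASE_WITH_VALID_UNTIL))
```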

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 25 Sep 2008 12:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Philipp Kern <pkern@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 25 Sep 2008 12:27:02 GMT) Full text and rfc822 format available.

Message #39 received at 499897@bugs.debian.org (full text, mbox):

From: Philipp Kern <pkern@debian.org>
To: Joerg Jaspert <joerg@debian.org>, 499897@bugs.debian.org
Cc: Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, team@security.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Thu, 25 Sep 2008 14:25:28 +0200
[Message part 1 (text/plain, inline)]
On Wed, Sep 24, 2008 at 01:01:54PM +0200, Joerg Jaspert wrote:
> I think apt should accept Release files without this header. If it ever
> sees such a header it should *no longer* accept new release files
> without it. I.e. "old file does not have it - new file doesn't need
> it". "Old file has it - new file needs it".

This would break on people using the codenames in their sources.list
(which we advise to do, I think).  So if Lenny propagates from testing
to stable (with the former having this header, the latter not) apt
will show warnings.

The release files for stable won't be regenerated every week.  But if
we could specify that it does not expire (which is IMHO true) that
would solve that issue.

Kind regards,
Philipp Kern
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 25 Sep 2008 16:09:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Jaspert <joerg@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 25 Sep 2008 16:09:05 GMT) Full text and rfc822 format available.

Message #44 received at 499897@bugs.debian.org (full text, mbox):

From: Joerg Jaspert <joerg@debian.org>
To: Philipp Kern <pkern@debian.org>
Cc: 499897@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, team@security.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Thu, 25 Sep 2008 16:11:29 +0200
[Message part 1 (text/plain, inline)]
>> I think apt should accept Release files without this header. If it ever
>> sees such a header it should *no longer* accept new release files
>> without it. I.e. "old file does not have it - new file doesn't need
>> it". "Old file has it - new file needs it".
> This would break on people using the codenames in their sources.list
> (which we advise to do, I think).  So if Lenny propagates from testing
> to stable (with the former having this header, the latter not) apt
> will show warnings.

Currently stable doesn't have this header.

> The release files for stable won't be regenerated every week.

That wouldn't be a big problem, the problem is that the Stable RMs
currently refuse to give proper automated access to the stable key. So
it's the SRMs' fault that we can't have such automatisms there... :()

(It would be easy to regenerate it weekly, while having it expire after
30 or 60 days. Now, stable itself doesn't change so often, only for
point releases. And it's also not security related, as those get in via
the security archive, which does have a proper setup for valid-until
(and will get them when the code is fully synced, so this weekend I
think.)

> But if we could specify that it does not expire (which is IMHO true)
> that would solve that issue.

No (archive side). While we could go and add the special string "Never",
this won't help us, as we are then back to the known problem, that a
MitM can go and do bad things to you (this time by *also* modifying the
release file, but hey, that's no bigger task than getting in between you
and $world first).

So if we want to support a user that tracks lenny and as such goes from
testing to stable at some point - that should be implemented in apt. An
option to ignore the "valid-until header goes away" for manual usage by
the admin. Users that track testing for some time, no matter how near to
the release, should be able to do this once. IMO. (Also, the option can
be a simple rm in apt's list dir)

-- 
bye, Joerg
I'm convinced that the ftpmaster team are ninjas -- they do their stuff,
but they do it quietly and behind the scenes, so everybody thinks
they're asleep at the wheel...)
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 25 Sep 2008 16:51:03 GMT) Full text and rfc822 format available.

Message #47 received at 499897@bugs.debian.org (full text, mbox):

From: Philipp Kern <pkern@debian.org>
To: Joerg Jaspert <joerg@debian.org>
Cc: 499897@bugs.debian.org, Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, team@security.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Thu, 25 Sep 2008 18:48:20 +0200
[Message part 1 (text/plain, inline)]
On Thu, Sep 25, 2008 at 04:11:29PM +0200, Joerg Jaspert wrote:
> (It would be easy to regenerate it weekly, while having it expire after
> 30 or 60 days. Now, stable itself doesn't change so often, only for
> point releases. And its also not security related, as those get in via
> the security archive, which does have a proper setup for valid-until
> (and will get em when the code is fully synced, so this weekend i
> think.)

But releases do not expire.  Thus a valid-until does not make sense
semantically either, IMHO.  Of course security must have it.

> > But if we could specify that it does not expire (which is IMHO true)
> > that would solve that issue.
> No (archive side). While we could go and add the special string "Never",
> this won't help us, as we are then back to the known problem, that a
> MitM can go and do bad things to you (this time by *also* modifying the
> release file, but hey, that's no bigger task than getting in between you
> and $world first).

Of course he could modify the release file, but it's GPG-signed, or I
don't get your point.

And no, all important security-relevant updates are still present
through security.d.o, which is protected.  All the user would not get
due to an outdated or bad mirror are the updates from proposed-updates
included into the latest point release.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Release Assistant
`. `'   xmpp:phil@0x539.de                         Stable Release Manager
  `-    finger pkern/key@db.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 25 Sep 2008 18:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 25 Sep 2008 18:21:02 GMT) Full text and rfc822 format available.

Message #52 received at 499897@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: 499897@bugs.debian.org
Subject: illustration
Date: Thu, 25 Sep 2008 20:18:41 +0200
[Message part 1 (text/plain, inline)]
Hi,

the following is more an illustration of how things could work (or not).
In particular, the questions of defaults / "Valid-Until: eternity" are
not addressed.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/
[apt-valid-until-illustration.diff (text/x-patch, inline)]
diff -Nru apt-0.7.14/apt-pkg/acquire-item.cc apt-0.7.14+/apt-pkg/acquire-item.cc
--- apt-0.7.14/apt-pkg/acquire-item.cc	2008-05-28 15:22:13.000000000 +0200
+++ apt-0.7.14+/apt-pkg/acquire-item.cc	2008-12-01 00:09:21.000000000 +0100
@@ -32,6 +32,7 @@
 #include <string>
 #include <sstream>
 #include <stdio.h>
+#include <ctime>
 									/*}}}*/
 
 using namespace std;
@@ -1127,6 +1128,13 @@
       Transformed = "";
    }
 
+   if (_config->FindB("Acquire::Check-Valid-Until", true)) {
+      if (time(NULL) > MetaIndexParser->GetValidUntil()) {
+          _error->Warning(string("Release file expired, ignoring "+RealURI).c_str());
+         return false;
+      }
+   }
+
    if (_config->FindB("Debug::pkgAcquire::Auth", false)) 
    {
       std::cerr << "Got Codename: " << MetaIndexParser->GetDist() << std::endl;
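Review bot: the expiry branch inside the `Acquire::Check-Valid-Until` block emits `_error->Warning(...)` but then does `return false`, so the caller treats the Release as rejected while the user only sees a warning; use `_error->Error(...)` on the rejecting path (or keep the warning and return true if a soft failure is intended), and wrap the message in `_()` like the neighbouring strings so it can be translated. The check also covers only expiry: the original report asks for Release files dated in the future to be rejected as well, and nothing here compares `Date:` with `time(NULL)`. Finally, `GetValidUntil()` returns a hard-coded default when the field is absent, so a repository with no Valid-Until field silently passes this check until that default date and then fails for every user at once.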
diff -Nru apt-0.7.14/apt-pkg/indexrecords.cc apt-0.7.14+/apt-pkg/indexrecords.cc
--- apt-0.7.14/apt-pkg/indexrecords.cc	2008-05-28 15:22:14.000000000 +0200
+++ apt-0.7.14+/apt-pkg/indexrecords.cc	2008-12-01 00:06:36.000000000 +0100
@@ -9,6 +9,7 @@
 #include <apt-pkg/strutl.h>
 #include <apti18n.h>
 #include <sys/stat.h>
+#include <clocale>
 
 string indexRecords::GetDist() const
 {
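Review bot: `<clocale>` is added for setlocale(), but the same file now also calls strptime() and mktime() without including `<time.h>`; strptime is POSIX rather than ISO C++ and its declaration depends on feature-test macros, so include `<time.h>` explicitly here rather than relying on whatever the existing headers pull in.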
@@ -26,6 +27,11 @@
    return this->ExpectedDist;
 }
 
+time_t indexRecords::GetValidUntil() const
+{
+   return this->ValidUntil;
+}
+
 const indexRecords::checkSum *indexRecords::Lookup(const string MetaKey)
 {
    return Entries[MetaKey];
@@ -83,6 +89,22 @@
    }  
 
    string Strdate = Section.FindS("Date"); // FIXME: verify this somehow?
+
+   string StrValidUntil = Section.FindS("Valid-Until");
+   ValidUntil = 1230764400;
+         // default 2009-01-01 should only be applied to debian.org?
+   
+   if (! StrValidUntil.empty()) {
+      struct tm atm;
+      string lctimesaved = setlocale(LC_TIME,NULL);
+      setlocale(LC_TIME,"C");
+      if (strptime(StrValidUntil.c_str(),"%a, %d %b %Y %H:%M:%S %Z",&atm) == NULL) {
+          ErrorText = _(("Invalid Valid-Until entry in Release file " + Filename).c_str());
+          return false;
+      }
+      setlocale(LC_TIME,lctimesaved.c_str());
+      ValidUntil = mktime(&atm);
+   }
    return true;
 }
 
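Review bot: `struct tm atm;` is never zeroed before strptime(), and strptime only fills the fields its format names (glibc consumes the `%Z` zone name but stores nothing for it), so `tm_isdst` and the rest carry garbage into mktime(); memset it first. More importantly, mktime() interprets the broken-down time as local time while the archive stamps Valid-Until in UTC, which shifts the deadline by the client's UTC offset; timegm() gives the intended value. The error path returns without restoring the saved LC_TIME locale, and `_(("Invalid Valid-Until entry in Release file " + Filename).c_str())` hands a runtime-built string to gettext, which can never match a catalog entry; use a literal msgid and format the filename in afterwards (apt's strprintf() helper does this). The hard-coded default `ValidUntil = 1230764400` is a time bomb: every repository without the field becomes "expired" on that date; a "no deadline" sentinel handled by the caller, or the "previous file had it, new one must have it" rule proposed earlier in this thread, avoids that.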
diff -Nru apt-0.7.14/apt-pkg/indexrecords.h apt-0.7.14+/apt-pkg/indexrecords.h
--- apt-0.7.14/apt-pkg/indexrecords.h	2008-05-28 15:22:14.000000000 +0200
+++ apt-0.7.14+/apt-pkg/indexrecords.h	2008-09-25 18:17:13.000000000 +0200
@@ -12,6 +12,7 @@
 
 #include <map>
 #include <vector>
+#include <ctime>
 
 class indexRecords
 {
@@ -25,6 +26,8 @@
    string Dist;
    string Suite;
    string ExpectedDist;
+   time_t ValidUntil;
+
    std::map<string,checkSum *> Entries;
 
    public:
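Review bot: `time_t ValidUntil;` is added without an initializer and the indexRecords constructor is not touched, so until Load() reaches the Valid-Until block the member is indeterminate and GetValidUntil() returns garbage (Load() has earlier `return false` paths before that point). Initialize it in the constructor, e.g. to 0, and document that 0 means "no expiry information".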
@@ -38,6 +41,7 @@
 
    virtual bool Load(string Filename);
    string GetDist() const;
+   time_t GetValidUntil() const;
    virtual bool CheckDist(const string MaybeDist) const;
    string GetExpectedDist() const;
    virtual ~indexRecords(){};

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 25 Sep 2008 20:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 25 Sep 2008 20:15:05 GMT) Full text and rfc822 format available.

Message #57 received at 499897@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Philipp Kern <pkern@debian.org>
Cc: Joerg Jaspert <joerg@debian.org>, 499897@bugs.debian.org, Peter Palfrader <weasel@debian.org>, team@security.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Thu, 25 Sep 2008 22:12:27 +0200
[Message part 1 (text/plain, inline)]
On Thursday 25 September 2008 18:48, Philipp Kern wrote:
> But releases do not expire.  Thus a valid-until does not make sense
> semantically either, IMHO.  Of course security must have it.

Security updates also "do not expire", so the last remark is a non sequitur. 
However, I think it does make sense semantically but you're giving different 
semantics to it.

Valid-Until means not how long the release itself is valid, but how long the 
certification that "this is still the most current thing we've released" can 
be considered valid. So it's perfectly ok to just re-stamp and re-sign the 
file without any actual changes to the archive, if for some reason there was 
no other need to update the distribution in the meanwhile.

> And no, all important security-relevant updates are still present
> through security.d.o, which is protected.  All the user would not get
> due to an outdated or bad mirror are the updates from proposed-updates
> included into the latest point release.

I see a number of arguments why it would be good to implement this for all 
archives and not just security.

While the security archive is obviously the most important archive to protect, 
once we have the mechanism we may just as well use it to protect the other 
archives we carry. Point updates by definition carry important updates,
including lesser-priority security updates; we have the mechanism, so it
makes sense to use it.

Also many important security fixes arrive through the regular archive for 
testing, so protection on the main archive needs to be implemented anyway.

From an implementation view, it would only make things more complex if we 
would have to special case 'stable' for not having this feature while the 
security and testing/unstable archives would need it.

To implement it in a way that it also works for stable, we could either:
- have it automatically re-signed daily/weekly, would need the release key 
available, but the security release key already is, so not sure if that's a 
problem; or
- have it expire in a period long enough so a new point release will have 
happened in the meantime, say half a year.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 25 Sep 2008 21:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 25 Sep 2008 21:33:09 GMT) Full text and rfc822 format available.

Message #62 received at 499897@bugs.debian.org (full text, mbox):

From: Peter Palfrader <weasel@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: Philipp Kern <pkern@debian.org>, Joerg Jaspert <joerg@debian.org>, 499897@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Thu, 25 Sep 2008 23:31:50 +0200
On Thu, 25 Sep 2008, Thijs Kinkhorst wrote:

> - have it expire in a period long enough so a new point release will have 
> happened in the meantime, say half a year.

Probably still not acceptable for CD-Roms.

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Fri, 26 Sep 2008 08:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Fri, 26 Sep 2008 08:03:03 GMT) Full text and rfc822 format available.

Message #67 received at 499897@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 499897@bugs.debian.org
Subject: Re: Bug#499897: illustration
Date: Fri, 26 Sep 2008 07:25:37 +0200
[Message part 1 (text/plain, inline)]
Quoting Thomas Viehmann (tv@beamnet.de):
> Hi,
> 
> the following is more an illustration of how things could work (or not).
> In particular, the questions of defaults / "Valid-Until: eternity" are
> not addressed.


Of course everybody will notice that this introduces more i18n'ed
messages, which need a translation round, etc.

And translating such important messages *is* to be done. I strongly
suggest that, would such a patch be adopted, we have to go for an l10n
update round (18 languages are complete for APT, that's not nothing,
and that's not something that can be done in 2 days).

As soon as a patch is "blessed" for this bug report, please (Michael?)
regenerate the PO files in po/ for the debian-sid branch...or,
alternatively, send me an updated set of PO files so that I can handle
that l10n update round.



[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Wed, 08 Oct 2008 14:09:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 08 Oct 2008 14:09:06 GMT) Full text and rfc822 format available.

Message #72 received at 499897@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Peter Palfrader" <weasel@debian.org>
Cc: "Philipp Kern" <pkern@debian.org>, "Joerg Jaspert" <joerg@debian.org>, 499897@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Wed, 8 Oct 2008 16:02:01 +0200 (CEST)
On Thu, September 25, 2008 23:31, Peter Palfrader wrote:
> On Thu, 25 Sep 2008, Thijs Kinkhorst wrote:
>
>
>> - have it expire in a period long enough so a new point release will
>> have happened in the meantime, say half a year.
>
> Probably still not acceptable for CD-Roms.

I don't think that should be a problem - I don't believe CD-Roms are the
target of this feature. APT already handles CD-Roms differently so it
could exclude them from this check.


Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Fri, 10 Oct 2008 03:54:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to jidanni@jidanni.org:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Fri, 10 Oct 2008 03:54:05 GMT) Full text and rfc822 format available.

Message #77 received at 499897@bugs.debian.org (full text, mbox):

From: jidanni@jidanni.org
To: 499897@bugs.debian.org
Subject: first add a basic Date: field
Date: Fri, 10 Oct 2008 11:51:56 +0800
All this is over my head, but I've always wished each package
description would contain a Date: field so one could tell how stale it
was. Likewise, the Release could just have a Date: field, and the
software reading it could choose how many days it should be valid for
with a default = 7 days or whatever. Anyway, do HTTP headers have
Expires: etc. fields before having a more basic Date: field? No. OK,
all over my head. Over and out.




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Sun, 23 Nov 2008 20:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Jaspert <joerg@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sun, 23 Nov 2008 20:36:03 GMT) Full text and rfc822 format available.

Message #82 received at 499897@bugs.debian.org (full text, mbox):

From: Joerg Jaspert <joerg@debian.org>
To: "Thijs Kinkhorst" <thijs@debian.org>
Cc: "Peter Palfrader" <weasel@debian.org>, "Philipp Kern" <pkern@debian.org>, 499897@bugs.debian.org, team@security.debian.org, deity@lists.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Sun, 23 Nov 2008 21:34:58 +0100
>>> - have it expire in a period long enough so a new point release will
>>> have happened in the meantime, say half a year.
>> Probably still not acceptable for CD-Roms.
> I don't think that should be a problem - I don't believe CD-Roms are the
> target of this feature. APT already handles CD-Roms differently so it
> could exclude them from this check.

Hello apt team, anyone working on supporting this? :)
(It's used in both the normal and the security archive.)

-- 
bye, Joerg
> Or write yourself a DFSG-free replacement for that piece of software.
Using the copy and paste method from the old source, obscured by 
irrelevant changes.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Sun, 23 Nov 2008 21:27:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sun, 23 Nov 2008 21:27:17 GMT) Full text and rfc822 format available.

Message #87 received at 499897@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, Philipp Kern <pkern@debian.org>, 499897@bugs.debian.org, team@security.debian.org, deity@lists.debian.org
Cc: Michael Vogt <mvo@debian.org>
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Sun, 23 Nov 2008 23:24:14 +0200
Joerg Jaspert wrote:
>>>> - have it expire in a period long enough so a new point release will
>>>> have happened in the meantime, say half a year.
>>> Probably still not acceptable for CD-Roms.
>> I don't think that should be a problem - I don't believe CD-Roms are the
>> target of this feature. APT already handles CD-Roms differently so it
>> could exclude them from this check.
> 
> Hello apt team, anyone working on supporting this? :)
> (It's used in both, the normal and the security archive).
> 
No one at present, IIRC.

Should this be incorporated into apt in Lenny? It's not hard to apply the patch from
Thomas, but it doesn't address the requirement that apt should not accept Release files without
a 'Valid-Until' entry after having seen one earlier. Moreover, the current apt architecture IIRC
doesn't allow seeing previous Release files while deciding whether to accept or decline the just
downloaded one -> an apt ABI bump may be needed. And this is also another pain for Christian;
we have just done the last (we hope) translation changes for apt.

Michael, your opinion?

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian APT contributor


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 24 Nov 2008 08:12:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 24 Nov 2008 08:12:03 GMT) Full text and rfc822 format available.

Message #92 received at 499897@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, Philipp Kern <pkern@debian.org>, 499897@bugs.debian.org, team@security.debian.org, deity@lists.debian.org, Michael Vogt <mvo@debian.org>
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Mon, 24 Nov 2008 06:44:33 +0100
Quoting Eugene V. Lyubimkin (jackyf.devel@gmail.com):

> doesn't allow seeing previous Release files while deciding accept or decline just
> downloaded one -> apt ABI bump may be needed. And this is also another pain for Christian,
> we just done last (we hope) translation changes for apt.


Well, between a potential security issue and pain for APT localizers,
I think the choice is clear.

In short, don't count APT localization as a blocker for this issue if
it is wished for lenny. I will of course appreciate having the
opportunity to give translators a translation update window.

I propose that what we currently have in the debian-sid bzr branch is
uploaded for lenny, then, *if the "prevent replay attacks" patch is
chosen for lenny* to immediately apply it in that debian-sid bzr
branch and I launch a short translation update round for the 10 days
needed for the former version to reach testing.

(keeping the original CC list, which is probably over-inflated, sorry)


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 24 Nov 2008 08:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 24 Nov 2008 08:57:06 GMT) Full text and rfc822 format available.

Message #97 received at 499897@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Thomas Viehmann <tv@beamnet.de>, 499897@bugs.debian.org
Subject: Re: Bug#499897: illustration
Date: Mon, 24 Nov 2008 07:29:40 +0100
I came back on the proposed patch after Joerg revived the discussion
about this bug.

Quoting Thomas Viehmann (tv@beamnet.de):

> +   if (_config->FindB("Acquire::Check-Valid-Until", true)) {
> +      if (time(NULL) > MetaIndexParser->GetValidUntil()) {
> +          _error->Warning(string("Release file expired, ignoring "+RealURI).c_str());
> +         return false;
> +      }
> +   }
> +
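Review bot: the warning in this hunk is neither translatable nor safe as a format string: `_error->Warning(string("Release file expired, ignoring "+RealURI).c_str())` builds the message by concatenation, so there is no fixed string for gettext to look up, and the URI ends up inside the first argument, which apt's `_error->Warning` treats as a printf-style format, so a `%` in a sources.list URI would be parsed as a conversion. Suggest `_error->Warning(_("Release file expired, ignoring %s"), RealURI.c_str());` plus a translators' comment saying that %s is a URL. The patch should also state what `MetaIndexParser->GetValidUntil()` returns for a Release file that carries no Valid-Until field: with `Acquire::Check-Valid-Until` defaulting to true, a zero return would make `time(NULL) > 0` reject every such file, so the comparison needs an explicit "field present" guard or a sentinel check.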

WRT i18n, the patch is incorrect, imho. It assumes that the ignored
URL is to come after the "ignoring" word. String concatenation is
nearly always a bad idea as the sentence structure might be different
in other languages.

My programming skills are low enough to not allow me to produce the
right patch, but I think that something using "%s" in the localizable
string would make it. Hopefully, everybody reading this will
understand what I mean here..:-)

It would also be good to put in a translators' comment to explain to
translators that "%s" is a URL.

> +   if (! StrValidUntil.empty()) {
> +      struct tm atm;
> +      string lctimesaved = setlocale(LC_TIME,NULL);
> +      setlocale(LC_TIME,"C");
> +      if (strptime(StrValidUntil.c_str(),"%a, %d %b %Y %H:%M:%S %Z",&atm) == NULL) {
> +          ErrorText = _(("Invalid Valid-Until entry in Release file " + Filename).c_str());
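Review bot: `struct tm atm;` is handed to `strptime` uninitialized, and `strptime` only sets the fields its format mentions (glibc accepts `%Z` but sets no zone), so `tm_isdst` and anything the format does not cover are indeterminate when the struct is later turned into a `time_t`; zero it first (`memset(&atm, 0, sizeof atm);`) and, since Release dates are UTC, convert with `timegm()` rather than `mktime()`. The error text has the same problem as the warning above, made worse by wrapping a runtime-concatenated string in `_()`, which can never match a catalog entry; use `_("Invalid Valid-Until entry in Release file %s")` with `Filename` as the argument. Finally, `setlocale(LC_TIME, "C")` is process-global, `string lctimesaved = setlocale(LC_TIME,NULL)` would dereference a NULL return, and the saved locale has to be restored on this error path as well as on success; apt's strutl already has an RFC 1123 date parser (`StrToTime`, used for HTTP Last-Modified headers) that would avoid the locale switching altogether.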

Same problem here.



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 24 Nov 2008 09:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 24 Nov 2008 09:03:04 GMT) Full text and rfc822 format available.

Message #102 received at 499897@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, Philipp Kern <pkern@debian.org>, 499897@bugs.debian.org, team@security.debian.org, deity@lists.debian.org, Michael Vogt <mvo@debian.org>
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Mon, 24 Nov 2008 10:00:00 +0100
* Eugene V. Lyubimkin:

> Should this be incorporated into apt in Lenny? It's not hard to
> apply the patch from Thomas, but it doesn't address feature that apt
> should not accept Release files without 'Valid-Until' entry after
> seeing it once earlier.

Does it use the real-time clock, or does it record Valid-Until
regressions in some other way?

If it uses the real-time clock, it doesn't fix the issue because our
users typically haven't got a secure time source.




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 24 Nov 2008 09:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 24 Nov 2008 09:36:04 GMT) Full text and rfc822 format available.

Message #107 received at 499897@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: Christian Perrier <bubulle@debian.org>
Cc: <499897@bugs.debian.org>
Subject: Re: Bug#499897: illustration
Date: Mon, 24 Nov 2008 10:35:21 +0100
On 2008-11-24 07:29:40.00 Christian Perrier <bubulle@debian.org> wrote:
> I came back on the proposed patch after Joerg revived the discussion
> about this bug.
> 
> Quoting Thomas Viehmann (tv@beamnet.de):
> 
> > +   if (_config->FindB("Acquire::Check-Valid-Until", true)) {
> > +      if (time(NULL) > MetaIndexParser->GetValidUntil()) {
> > +          _error->Warning(string("Release file expired, ignoring "+RealURI).c_str());
> > +         return false;
> > +      }
> > +   }
> > +
> 
> WRT i18n, the patch is incorrect, imho. It assumes that the ignored
> URL is to come after the "ignoring" word. Strings concatenation is
> nearly always a bad idea as the sentence structure might be different
> in other languages.
> 
> My programming skills are low enough to not allow me to produce the
> right patch, but I think that something using "%s" in the localizable
> string would make it. Hopefully, everybody reading this will
> understand what I mean here..:-)
> 
> It would also be good to put a translators comment to explain
> translators that "%s" is a URL.

The i18n-ability of my patch is fairly completely bogus.
Thanks, Christian, for your advice; that should make it a lot more
likely to get it right when redoing it.

Kind regards

T.




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 24 Nov 2008 11:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 24 Nov 2008 11:12:03 GMT) Full text and rfc822 format available.

Message #112 received at 499897@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, Philipp Kern <pkern@debian.org>, 499897@bugs.debian.org, team@security.debian.org, deity@lists.debian.org, Michael Vogt <mvo@debian.org>
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Mon, 24 Nov 2008 13:14:01 +0200
Florian Weimer wrote:
> * Eugene V. Lyubimkin:
> 
>> Should this be incorporated into apt in Lenny? It's not hard to
>> apply the patch from Thomas, but it doesn't address feature that apt
>> should not accept Release files without 'Valid-Until' entry after
>> seeing it once earlier.
> 
> Does it use the real-time clock, or does it record Valid-Until
> regressions in some other way?
> 
> If it uses the real-time clock, it doesn't fix the issue because our
> users typically haven't got a secure time source.
Yes, it does. I doubt that apt has something else that can be treated as a more
secure (time?) source.
Suggestions?

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ Developer, Debian APT contributor


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 24 Nov 2008 11:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 24 Nov 2008 11:24:02 GMT) Full text and rfc822 format available.

Message #117 received at 499897@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, Philipp Kern <pkern@debian.org>, 499897@bugs.debian.org, team@security.debian.org, deity@lists.debian.org, Michael Vogt <mvo@debian.org>
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Mon, 24 Nov 2008 12:20:59 +0100
* Eugene V. Lyubimkin:

>> If it uses the real-time clock, it doesn't fix the issue because our
>> users typically haven't got a secure time source.

> Yes, it does. I doubt that apt has something else that can be
> treated as more secure (time?) source.

At the very least, apt could check that the signature (or the
Valid-Until field) does not go back in time.  However, this has
serious potential for shooting us in our collective feet (think what
happens if we accidentally publish something Valid-Until 2038), so I'm
not sure if it's acceptable.




Bug 499897 cloned as bug 506780. Request was from Joerg Jaspert <joerg@ganneff.de> to control@bugs.debian.org. (Mon, 24 Nov 2008 18:12:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Wed, 26 Nov 2008 16:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 26 Nov 2008 16:54:03 GMT) Full text and rfc822 format available.

Message #124 received at 499897@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Thijs Kinkhorst <thijs@debian.org>, Peter Palfrader <weasel@debian.org>, Philipp Kern <pkern@debian.org>, 499897@bugs.debian.org, team@security.debian.org, deity@lists.debian.org
Subject: Re: Bug#499897: preventing replay attacks against the security archive
Date: Mon, 24 Nov 2008 22:24:12 +0100
On Sun, Nov 23, 2008 at 11:24:14PM +0200, Eugene V. Lyubimkin wrote:
> Joerg Jaspert wrote:
> >>>> - have it expire in a period long enough so a new point release will
> >>>> have happened in the meantime, say half a year.
> >>> Probably still not acceptable for CD-Roms.
> >> I don't think that should be a problem - I don't believe CD-Roms are the
> >> target of this feature. APT already handles CD-Roms differently so it
> >> could exclude them from this check.
> > 
> > Hello apt team, anyone working on supporting this? :)
> > (It's used in both, the normal and the security archive).
> > 
> No one at present, IIRC.
>
> Should this be incorporated into apt in Lenny? It's not hard to
> apply the patch from Thomas, but it doesn't address feature that apt
> should not accept Release files without 'Valid-Until' entry after
> seeing it once earlier.
[..]

I merged the patch (with some small modifications) into the
debian-experimental bzr branch to work on the issue. I added the
following configuration item:

Have a "max-age" client side option in addition to the "valid-until"
field on the server side. 

That makes it possible to have a (client side) apt configuration like:
apt::acquire::max-default-age::Debian-security "7";
(using the Label in the Release file for identification). This client
side configuration will only be used if no valid-until field is found
on the server.

It means that when the security archive that is presented does not
have it anymore there will still be a good default. So just presenting
a really old archive will not work (it protects against attacks when
there was never a valid security.debian.org, only a really old one).



Thanks,
 Michael






Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Sun, 11 Jan 2009 17:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Adeodato Simó <dato@net.com.org.es>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sun, 11 Jan 2009 17:36:02 GMT) Full text and rfc822 format available.

Message #129 received at 499897@bugs.debian.org (full text, mbox):

From: Adeodato Simó <dato@net.com.org.es>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>, team@security.debian.org
Cc: Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Sun, 11 Jan 2009 18:33:53 +0100
* Eugene V. Lyubimkin [Mon, 05 Jan 2009 23:42:46 +0200]:

> Hello release folks!

Hello, Eugene. (SecTeam please see "Change #1" below.)

> The APT team has prepared two important changes in apt; please give us a
> decision on whether they are appropriate for Lenny or not.

We realize that apt has seen increased manpower only as of late, but we
feel that introducing sensitive code changes into apt this late in the
release cycle would not be very wise.

However:

> ---------------------------------------------------------
> Change #1 aka "Valid-Until for preventing replay attacks"
> ---------------------------------------------------------

> Motivation of this change is bug #499897, "preventing replay attacks against the security
> archive" [1]. Summary of change:

> 1. Add the support for the Valid-Until header in the Release file.
> 2. Add Acquire::Max-Default-Age configuration option that defaults to 7 days for
> Debian-Security.

> The result of the change: APT will refuse to use a too outdated Release file at the earliest
> 'update' action after Release expiry. A possible attacker will not be allowed to ship the
> same outdated Release (so outdated Packages too) after the date in the 'Valid-Until' entry in
> the Release file, preventing the attack. In case of absence of this field in the Release file,
> the option "Acquire::Max-Default-Age::Debian-security" will be used. The default number of
> days for this option, "7", is discussible, of course.

We'd like to hear from the Security Team what they think of this feature
as a candidate for Lenny. If they believe it's extremely important that
we have it in place for Lenny, and they (or somebody delegated by them)
could do a review of the code and test it, we'd be okay with including it.

The final debian-installer upload is going to be soon, though, so we'd
have to seek input from the Debian Installer team as well.

And there is also the option of including it in the first point release,
after a month or two of testing in unstable.

> --------------------------------------------------------
> Change #2 aka "Stop the mess with proxy settings in APT"
> --------------------------------------------------------

> Motivation: a set of bug reports [2][3][4][5][6] saying that proxy settings in apt are quite
> a mess and counter-intuitive. The main fault was treating the http_proxy and ftp_proxy environment
> variables as higher priority than APT's Acquire::{ftp,http}::Proxy[::host] settings.
> Moreover, the https proxy setting had a strange bug depending on whether http_proxy is set or not, and
> some proxy info was discarded entirely.

> The change unifies proxy settings behavior, removes a mess, and tries to document new
> behavior clearly.

> debian/NEWS file contains following entry regarding this change:

> -8<-
> apt (0.7.21) unstable; urgency=low

>   * Code that determines which proxy to use was changed. Now
>     'Acquire::{http,ftp}::Proxy[::<host>]' options have the highest priority,
>     and '{http,ftp}_proxy' environment variables are used only if options
>     mentioned above are not specified.
> ->8-

> which describes the change and its consequences. Appropriate documentation updates for
> apt.conf(5) are included too.

I'd rather not have this change of behavior this late. It is a nice fix,
but apt is too central a package; not touching it sounds
more desirable. Hope that makes sense to you.

And thanks a lot for your work on apt, it was muchly needed. Here's to
more of it!

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                                   Listening to: David Bowie - Soul love





Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Sun, 11 Jan 2009 18:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sun, 11 Jan 2009 18:51:02 GMT) Full text and rfc822 format available.

Message #134 received at 499897@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: team@security.debian.org, Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Cc: Michael Vogt <mvo@debian.org>
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Sun, 11 Jan 2009 20:45:13 +0200
Adeodato Simó wrote:
> * Eugene V. Lyubimkin [Mon, 05 Jan 2009 23:42:46 +0200]:

Hello Adeodato,
> 
>> ---------------------------------------------------------
>> Change #1 aka "Valid-Until for preventing replay attacks"
>> ---------------------------------------------------------
[change details snipped]
> We'd like to hear from the Security Team what they think of this feature
> as a candidate for Lenny. If they believe it's extremely important that
> we have it in place for Lenny, and they (or somebody delegated by them)
> could do a review of the code and test it, we'd be okay with including it.
> 
> The final debian-installer upload is going to be soon, though, so we'd
> have to seek input from the Debian Installer team as well.
> 
> And there is also the option of including it in the first point release,
> after a month or two of testing in unstable.
Understood.

>> --------------------------------------------------------
>> Change #2 aka "Stop the mess with proxy settings in APT"
>> --------------------------------------------------------
[change details snipped]
> I'd rather not have this change of behavior this late. It is a nice fix,
> but apt is too much of a central package, that not touching it sounds
> more desirable. Hope that makes sense to you.
Yes, indeed. That's why we asked.

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian Maintainer, APT contributor


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 15 Jan 2009 21:09:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 15 Jan 2009 21:09:02 GMT) Full text and rfc822 format available.

Message #139 received at 499897@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Thu, 15 Jan 2009 22:05:31 +0100
On Sun, Jan 11, 2009 at 06:33:53PM +0100, Adeodato Simó wrote:
> * Eugene V. Lyubimkin [Mon, 05 Jan 2009 23:42:46 +0200]:
> 
> > Hello release folks!
> 
> Hello, Eugene. (SecTeam please see "Change #1" below.)
> 
> > The APT team has prepared two important changes in apt; please give us a
> > decision on whether they are appropriate for Lenny or not.
> 
> We realize that apt has seen increased manpower only as of late, but we
> feel that introducing sensitive code changes into apt this late in the
> release cycle would not be very wise.
> 
> However:
> 
> > ---------------------------------------------------------
> > Change #1 aka "Valid-Until for preventing replay attacks"
> > ---------------------------------------------------------
> 
> > Motivation of this change is bug #499897, "preventing replay attacks against the security
> > archive" [1]. Summary of change:
> 
> > 1. Add the support for the Valid-Until header in the Release file.
> > 2. Add Acquire::Max-Default-Age configuration option that defaults to 7 days for
> > Debian-Security.
> 
> > The result of the change: APT will refuse to use a too outdated Release file at the earliest
> > 'update' action after Release expiry. A possible attacker will not be allowed to ship the
> > same outdated Release (so outdated Packages too) after the date in the 'Valid-Until' entry in
> > the Release file, preventing the attack. In case of absence of this field in the Release file,
> > the option "Acquire::Max-Default-Age::Debian-security" will be used. The default number of
> > days for this option, "7", is discussible, of course.
> 
> We'd like to hear from the Security Team what they think of this feature
> as a candidate for Lenny. If they believe it's extremely important that
> we have it in place for Lenny, and they (or somebody delegated by them)
> could do a review of the code and test it, we'd be okay with including it.
> 
> The final debian-installer upload is going to be soon, though, so we'd
> have to seek input from the Debian Installer team as well.
> 
> And there is also the option of including it in the first point release,
> after a month or two of testing in unstable.

Since the replay attack isn't exactly grave, it could just as well be added
into 5.0.1 or 5.0.2 once it has gotten some testing.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 15 Jan 2009 21:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 15 Jan 2009 21:30:02 GMT) Full text and rfc822 format available.

Message #144 received at 499897@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Thu, 15 Jan 2009 22:27:24 +0100
* Moritz Muehlenhoff:

>> And there is also the option of including it in the first point release,
>> after a month or two of testing in unstable.
>
> Since the replay attack isn't exactly grave, it could just as well be added
> into 5.0.1 oder 5.0.2 once it has gotten some testing.

And if Valid-Until is only checked against the real-time clock, the
attacker can still feed bad data over NTP, so it's not even a complete
defense. 8-(




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 15 Jan 2009 21:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 15 Jan 2009 21:42:02 GMT) Full text and rfc822 format available.

Message #149 received at 499897@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Thu, 15 Jan 2009 23:37:08 +0200
Hello Florian,

Florian Weimer wrote:
> And if Valid-Until is only checked against the real-time clock, the
> attacker can still feed bad data over NTP, so it's not even a complete
> defense. 8-(

However, it seems there is no better solution, or is there?

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian Maintainer, APT contributor


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 15 Jan 2009 21:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 15 Jan 2009 21:54:02 GMT) Full text and rfc822 format available.

Message #154 received at 499897@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Thu, 15 Jan 2009 22:50:31 +0100
* Eugene V. Lyubimkin:

> Florian Weimer wrote:
>> And if Valid-Until is only checked against the real-time clock, the
>> attacker can still feed bad data over NTP, so it's not even a complete
>> defense. 8-(
>
> However, it seems there is no better solution, or is there?

A counter in the style of a Lamport clock should work, or checking
that the Valid-Until header does not recede in time.
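
Michael's description of the client-side max-default-age fallback (message #124) and Florian's suggestion that Valid-Until must not recede in time, worked through as an added Python example; this is not apt's code, and the Release contents, the 7-day policy table, the `CLOCK_*` readings and the 10-minute future tolerance are all constructed for the example.

```python
"""Release-file freshness checks as discussed in this bug (added example, not apt's code).

(1) Reject a Release whose Valid-Until has passed or whose Date is in the future; (2) with
no Valid-Until field, apply a client-side default age keyed by Label, as in the proposed
apt::acquire::max-default-age::Debian-security "7"; (3) refuse a Release that recedes in
time behind the last accepted one or drops a Valid-Until seen earlier. Assumed: dates are
RFC 1123 in UTC as apt writes them; the previous Release is handed in as a plain dict;
the 10-minute future tolerance is a constructed value.
"""
import email.utils
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Client-side policy in days, keyed by the Release's Label (constructed).
MAX_DEFAULT_AGE_DAYS = {"Debian-Security": 7}
# Constructed clock readings: inside the 7-day window, and well past Valid-Until.
CLOCK_FRESH = datetime(2008, 11, 25, 12, 0, tzinfo=timezone.utc)
CLOCK_LATE = datetime(2008, 12, 5, 12, 0, tzinfo=timezone.utc)

# Constructed sample Release files (not real archive content; hash list shortened).
RELEASE_WITH_VALID_UNTIL = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Sun, 23 Nov 2008 20:36:03 UTC
Valid-Until: Sun, 30 Nov 2008 20:36:03 UTC
Architectures: amd64 i386
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
"""
RELEASE_WITHOUT_VALID_UNTIL = RELEASE_WITH_VALID_UNTIL.replace(
    "Valid-Until: Sun, 30 Nov 2008 20:36:03 UTC\n", "")
RELEASE_NEWER = (RELEASE_WITH_VALID_UNTIL
                 .replace("Date: Sun, 23 Nov 2008", "Date: Sun, 30 Nov 2008")
                 .replace("Valid-Until: Sun, 30 Nov 2008", "Valid-Until: Sun, 07 Dec 2008"))


def parse_release(text: str) -> Dict[str, str]:
    """Top-level 'Field: value' lines of a Release file; continuation lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue  # belongs to a multi-line hash list, irrelevant here
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def parse_rfc1123_utc(value: str) -> Optional[datetime]:
    """Parse 'Sun, 23 Nov 2008 20:36:03 UTC' without depending on the locale; None if malformed."""
    try:
        parsed = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if parsed.tzinfo is None:  # no zone given: apt writes UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def check_release(text: str, now: datetime,
                  max_age: Dict[str, int] = MAX_DEFAULT_AGE_DAYS,
                  previous: Optional[Dict[str, str]] = None,
                  future_slack: timedelta = timedelta(minutes=10)) -> Tuple[bool, str]:
    """Decide whether a downloaded Release may be used; returns (accepted, reason). `now` is
    the untrusted local clock, `previous` the parsed Release last accepted for this source."""
    fields = parse_release(text)
    label = fields.get("Label", "")
    date = parse_rfc1123_utc(fields.get("Date", ""))
    if date is None:
        return False, "missing or unparsable Date field"
    if date > now + future_slack:
        return False, f"Release file dated in the future ({date.isoformat()})"

    # Expiry: a server-side Valid-Until wins; otherwise the client-side default age
    # configured for this Label, if any, is measured from Date.
    valid_until: Optional[datetime] = None
    source = ""
    if "Valid-Until" in fields:
        valid_until = parse_rfc1123_utc(fields["Valid-Until"])
        if valid_until is None:
            return False, "invalid Valid-Until entry"
        source = "Valid-Until"
    elif label in max_age:
        valid_until = date + timedelta(days=max_age[label])
        source = f"max-default-age::{label} = {max_age[label]} days"
    if valid_until is not None and now > valid_until:
        return False, f"Release file expired at {valid_until.isoformat()} ({source})"

    # Monotonicity: whatever the clock says, never step back behind what was already
    # accepted, and never lose a Valid-Until once one has been seen for this source.
    if previous is not None:
        prev_date = parse_rfc1123_utc(previous.get("Date", ""))
        if prev_date is not None and date < prev_date:
            return False, "Date recedes behind the previously accepted Release"
        if "Valid-Until" in previous:
            if "Valid-Until" not in fields:
                return False, "Valid-Until missing although an earlier Release carried one"
            prev_until = parse_rfc1123_utc(previous["Valid-Until"])
            if prev_until is not None and valid_until < prev_until:
                return False, "Valid-Until recedes behind the previously accepted Release"
    return True, "accepted"
```

The monotonic checks catch a clock that has been turned back after a newer Release was accepted, but none of this helps against a clock that is merely held still, so the checks narrow the window in which an outdated mirror can be served rather than remove the dependence on local time.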




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Thu, 15 Jan 2009 22:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Thu, 15 Jan 2009 22:39:06 GMT) Full text and rfc822 format available.

Message #159 received at 499897@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Fri, 16 Jan 2009 00:35:37 +0200
(dropping debian-release@ from CC)

Florian Weimer wrote:
> * Eugene V. Lyubimkin:
> 
>> Florian Weimer wrote:
>>> And if Valid-Until is only checked against the real-time clock, the
>>> attacker can still feed bad data over NTP, so it's not even a complete
>>> defense. 8-(
>> However, it seems there is no better solution, or is there?
> 
> A counter in the style of a Lamport clock should work, or checking
> that the Valid-Until header does not recede in time.
It seems that the Lamport clock is primarily designed for distributed systems and
always-running processes, which is not APT's case, unless we create an unstoppable APT
daemon.

Second approach... well, the bad guy can start/stop the clock for every APT run, with some
small seed, e.g. 1 minute or similar. So delaying the time is possible for quite a long
time after the Valid-Until value.

Generally, I assume that delaying the clock by at least 1 day would leave very suspicious
info in logs, webserver timestamps etc., and such a case would be easily caught by a
(good?) system administrator. Also I assume that the security team prefers checking
against the real-time clock to having no mechanism at all. Am I wrong?

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian Maintainer, APT contributor

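The two checks discussed in the exchange above, expiry against the real-time clock plus Florian's "Valid-Until must not recede" rule, as an added Python example that is not APT's code and not from anyone in this thread. The persisted `state` dict, the one-hour skew allowance and the sample Release headers are assumptions of the example, not anything the thread settled.

```python
# Added example, not APT's own code: a Valid-Until check for a Release file
# with the two refinements discussed in the thread (rejecting files from the
# future, and refusing a Valid-Until that recedes from the last accepted one).
# `state` stands in for a small file APT would persist between runs; that
# persistence is an assumption of this example.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not a real Debian Release file).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: lenny
Date: Thu, 15 Jan 2009 20:00:00 UTC
Valid-Until: Thu, 22 Jan 2009 20:00:00 UTC
Architectures: amd64 i386
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
"""


def parse_release_fields(text):
    """Parse the 'Key: value' lines of a Release file. Indented hash-list
    entries are skipped; the Release.gpg signature is assumed already verified."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_release_time(value):
    """RFC 2822 date as used in Release files; a naive result is taken as UTC."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_release(fields, now, state, max_skew=timedelta(hours=1)):
    """Decide whether a signed Release file may be used at time `now`.
    Returns (accepted, reason). `state` keeps the newest Valid-Until accepted
    so far (assumed persistence between APT runs)."""
    if "Date" not in fields or "Valid-Until" not in fields:
        return False, "Date or Valid-Until missing"
    date = parse_release_time(fields["Date"])
    valid_until = parse_release_time(fields["Valid-Until"])
    if valid_until <= date:
        return False, "Valid-Until does not follow Date"
    # Reject Release files from the future (a wound-forward clock or a
    # badly set one); a small skew allowance avoids false alarms.
    if date > now + max_skew:
        return False, "Release file is dated in the future"
    if now > valid_until:
        return False, "Release file expired at %s" % valid_until.isoformat()
    # Valid-Until must not recede: this catches a replay of an older Release
    # even when the clock has been wound back, though it cannot catch a clock
    # that is merely stopped, which is the weakness noted in the thread.
    last = state.get("last_valid_until")
    if last is not None and valid_until < last:
        return False, "Valid-Until recedes from %s" % last.isoformat()
    state["last_valid_until"] = valid_until
    return True, "ok"


if __name__ == "__main__":
    fields = parse_release_fields(SAMPLE_RELEASE)
    st = {}
    now = datetime(2009, 1, 16, 12, 0, tzinfo=timezone.utc)
    print(check_release(fields, now, st))
    print(check_release(fields, now + timedelta(days=30), st))
```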

Reply sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
You have taken responsibility. (Fri, 16 Jan 2009 15:12:08 GMT) Full text and rfc822 format available.

Notification sent to Peter Palfrader <weasel@debian.org>:
Bug acknowledged by developer. (Fri, 16 Jan 2009 15:12:08 GMT) Full text and rfc822 format available.

Message #164 received at 499897-done@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: 499897-done@bugs.debian.org
Subject: closing #499897
Date: Fri, 16 Jan 2009 17:03:39 +0200
Version: 0.7.21~exp1

Fix of this bug is present in apt 0.7.21~exp1.

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ Developer, Debian Maintainer, APT contributor


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Sat, 17 Jan 2009 19:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 17 Jan 2009 19:27:02 GMT) Full text and rfc822 format available.

Message #169 received at 499897@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Florian Weimer <fw@deneb.enyo.de>, Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Sat, 17 Jan 2009 20:24:52 +0100
On Thursday 15 January 2009 22:37, Eugene V. Lyubimkin wrote:
> Florian Weimer wrote:
> > And if Valid-Until is only checked against the real-time clock, the
> > attacker can still feed bad data over NTP, so it's not even a complete
> > defense. 8-(

As there are questions about the implementation, and there's a chance we don't 
get it right the first time, and the release is very close, I would indeed 
support not rushing the change into lenny.

> However, it seems there is no better solution, or is there?

Why are we trying to invent something new here, with Valid-Until? The problem 
is that we want to ensure that the Release file of the security archive is 
actually provided by that archive and not by a man in the middle. That 
problem has already been solved: use https. If apt would get the release file 
over https from the security archive it would know it is the right one. The 
rest of the downloads can then happen over http. Of course this needs APT to 
have some notion of what a valid certificate is for security.debian.org; that 
could be addressed by adding it to the debian-archive-keyring package.


cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 19 Jan 2009 11:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 19 Jan 2009 11:42:03 GMT) Full text and rfc822 format available.

Message #174 received at 499897@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Mon, 19 Jan 2009 13:47:36 +0200
Hello Thijs,
hello FTP masters, please see problem 2) below...

Thijs Kinkhorst wrote:
>> However, it seems there is no better solution, or is there?
> 
> Why are we trying to invent something new here, with Valid-Until? The problem 
> is that we want to ensure that the Release file of the security archive is 
> actually provided by that archive and not by a man in the middle. That 
> problem has already been solved: use https. If apt would get the release file 
> over https from the security archive it would know it is the right one. The 
> rest of the downloads can then happen over http. Of course this needs APT to 
> have some notion of what a valid certificate is for security.debian.org; that 
> could be addressed by adding it to the debian-archive-keyring package.
This makes sense to me, but may introduce some problems...

1) insert apt-transport-https and all its deps into the base system (libcurl,
kerberos etc.)
2) Release and Release.gpg, installed on security.debian.org, should be
somehow synchronized with at least all official Debian mirrors; I don't know
how hard it would be to insert this move into the archive infrastructure (ftp
masters CC'ed)
3) needs some hardcoded black magic in APT - if the user has an entry

'deb http://abc.def.edu/debian lenny main'

in sources.list, how can we know whether it is an official Debian archive, and
whether we need to pick the Release file from 'https://security.debian.org' or from
the host itself?..

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ Developer, Debian Maintainer, APT contributor


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 19 Jan 2009 12:00:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 19 Jan 2009 12:00:06 GMT) Full text and rfc822 format available.

Message #179 received at 499897@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: team@security.debian.org, "APT Development Team" <deity@lists.debian.org>, 499897@bugs.debian.org, "Debian FTP Master" <ftpmaster@ftp-master.debian.org>
Subject: Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
Date: Mon, 19 Jan 2009 12:58:13 +0100 (CET)
I've removed some CC's.

On Mon, January 19, 2009 12:47, Eugene V. Lyubimkin wrote:
> 1) insert apt-transport-https and all its deps into base system (libcurl,
>  kerberos etc.)

I'm not sure if we need kerberos for this to work. Just like apt uses a
small version of gnupg to verify signatures, we can use a small version of
the https transport that satisfies our needs?

> 2) Release and Release.gpg, installed on
> security.debian.org, should be somehow synchronized with at least all
> official Debian mirrors, I don't know how hard it would be to insert this
> move into archive infrastructure (ftp masters CC'ed)
> 3) needs some hardcoded black magic in APT - if user has an entry

I think it's essential to note that the scheme is in principle only
required for the security mirrors, because the attack scenario is based on
withholding security updates. As we fully control the security mirrors, I
think we need not consider mirrors to solve the problem adequately, and
have a reliable way to know which sources.list entry it applies to.


cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 19 Jan 2009 12:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 19 Jan 2009 12:09:03 GMT) Full text and rfc822 format available.

Message #184 received at 499897@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: team@security.debian.org, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>
Subject: Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
Date: Mon, 19 Jan 2009 14:15:30 +0200
Thijs Kinkhorst wrote:
> I've removed some CC's.
> 
> On Mon, January 19, 2009 12:47, Eugene V. Lyubimkin wrote:
>> 1) insert apt-transport-https and all its deps into base system (libcurl,
>>  kerberos etc.)
> 
> I'm not sure if we need kerberos for this to work. Just like apt uses a
> small version of gnupg to verify signatures, we can use a small version of
> the https transport that satisfies our needs?
apt-transport-https really depends only on curl, but curl itself has a
significant number of dependencies, so maybe; it depends on how the curl binary
package could be split.

> 
>> 2) Release and Release.gpg, installed on
>> security.debian.org, should be somehow synchronized with at least all
>> official Debian mirrors, I don't know how hard it would be to insert this
>> move into archive infrastructure (ftp masters CC'ed)
>> 3) needs some hardcoded black magic in APT - if user has an entry
> 
> I think it's essential to note that the scheme is in principle only
> required for the security mirrors, because the attack scenario is based on
> withholding security updates. As we fully control the security mirrors, I
> think we need not consider mirrors to solve the problem adequately, and
> have a reliable way to know which sources.list entry it applies to.
Ah, agreed, makes sense too.

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ Developer, Debian Maintainer, APT contributor


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 19 Jan 2009 17:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Otavio Salvador <otavio@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 19 Jan 2009 17:33:02 GMT) Full text and rfc822 format available.

Message #189 received at 499897@bugs.debian.org (full text, mbox):

From: Otavio Salvador <otavio@debian.org>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Thijs Kinkhorst <thijs@debian.org>, team@security.debian.org, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>
Subject: Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
Date: Mon, 19 Jan 2009 15:24:43 -0200
"Eugene V. Lyubimkin" <jackyf.devel@gmail.com> writes:

> Thijs Kinkhorst wrote:
>> I've removed some CC's.
>> 
>> On Mon, January 19, 2009 12:47, Eugene V. Lyubimkin wrote:
>>> 1) insert apt-transport-https and all its deps into base system (libcurl,
>>>  kerberos etc.)
>> 
>> I'm not sure if we need kerberos for this to work. Just like apt uses a
>> small version of gnupg to verify signatures, we can use a small version of
>> the https transport that satisfies our needs?
> apt-transport-https really depends only on curl, but curl itself has
> significant amount of dependencies, so maybe, it depends how the curl binary
> package could  be split.

Or we might consider an alternative way to provide an https method. Has
someone taken a look at how difficult it would be to write one?

-- 
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@debian.org      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://otavio.ossystems.com.br
---------------------------------------------
"Microsoft sells you Windows ... Linux gives
 you the whole house."

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 19 Jan 2009 18:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 19 Jan 2009 18:30:02 GMT) Full text and rfc822 format available.

Message #194 received at 499897@bugs.debian.org (full text, mbox):

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Otavio Salvador <otavio@debian.org>
Cc: team@security.debian.org, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
Date: Mon, 19 Jan 2009 20:22:04 +0200
Otavio Salvador wrote:
> "Eugene V. Lyubimkin" <jackyf.devel@gmail.com> writes:
> 
>> Thijs Kinkhorst wrote:
>>> I've removed some CC's.
>>>
>>> On Mon, January 19, 2009 12:47, Eugene V. Lyubimkin wrote:
>>>> 1) insert apt-transport-https and all its deps into base system (libcurl,
>>>>  kerberos etc.)
>>> I'm not sure if we need kerberos for this to work. Just like apt uses a
>>> small version of gnupg to verify signatures, we can use a small version of
>>> the https transport that satisfies our needs?
>> apt-transport-https really depends only on curl, but curl itself has
>> significant amount of dependencies, so maybe, it depends how the curl binary
>> package could  be split.
> 
> Or we might consider an alternative way to provide a https method. Did
> someone taken a look how difficult would be to write one?
Oh, no, we don't need another reinvented wheel for https... (btw, who wants
to re-implement openssl or gnutls? :)) We already have it
for http and ftp (which are candidates to be replaced by libcurl (at least
in my view)).

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian Maintainer, APT contributor


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 19 Jan 2009 21:03:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Otavio Salvador <otavio@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 19 Jan 2009 21:03:10 GMT) Full text and rfc822 format available.

Message #199 received at 499897@bugs.debian.org (full text, mbox):

From: Otavio Salvador <otavio@debian.org>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: team@security.debian.org, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org
Subject: Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
Date: Mon, 19 Jan 2009 18:31:34 -0200
"Eugene V. Lyubimkin" <jackyf.devel@gmail.com> writes:

> Otavio Salvador wrote:
>> "Eugene V. Lyubimkin" <jackyf.devel@gmail.com> writes:
>> 
>>> Thijs Kinkhorst wrote:
>>>> I've removed some CC's.
>>>>
>>>> On Mon, January 19, 2009 12:47, Eugene V. Lyubimkin wrote:
>>>>> 1) insert apt-transport-https and all its deps into base system (libcurl,
>>>>>  kerberos etc.)
>>>> I'm not sure if we need kerberos for this to work. Just like apt uses a
>>>> small version of gnupg to verify signatures, we can use a small version of
>>>> the https transport that satisfies our needs?
>>> apt-transport-https really depends only on curl, but curl itself has
>>> significant amount of dependencies, so maybe, it depends how the curl binary
>>> package could  be split.
>> 
>> Or we might consider an alternative way to provide a https method. Did
>> someone taken a look how difficult would be to write one?
> Oh, no, we don't need another reinvented wheel for https... (btw, who wants
> to re-implement openssl or gnutls? :)) We already have it
> for http and ftp (which are candidates to be replaced by libcurl (at least
> at my view)).

I agree that reinventing the wheel is not what we want; however, a bloated
minimal system is bad for embedded and other minimal systems.

I believe that we need to provide a simplified libcurl or something
like it, if possible.

-- 
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@debian.org      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://otavio.ossystems.com.br
---------------------------------------------
"Microsoft sells you Windows ... Linux gives
 you the whole house."

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#499897; Package apt. (Mon, 26 Jan 2009 21:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Mon, 26 Jan 2009 21:27:03 GMT) Full text and rfc822 format available.

Message #204 received at 499897@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: Thijs Kinkhorst <thijs@debian.org>, Florian Weimer <fw@deneb.enyo.de>, Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Debian Release <debian-release@lists.debian.org>, APT Development Team <deity@lists.debian.org>, 499897@bugs.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>
Subject: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Date: Mon, 26 Jan 2009 22:26:23 +0100
Eugene V. Lyubimkin wrote:
> Hello Thijs,
> hello FTP masters, please see problem 2) below...
> 
> Thijs Kinkhorst wrote:
>>> However, it seems there is no better solution, or is there?
>> Why are we trying to invent something new here, with Valid-Until? The problem 
>> is that we want to ensure that the Release file of the security archive is 
>> actually provided by that archive and not by a man in the middle. That 
>> problem has already been solved: use https. If apt would get the release file 
>> over https from the security archive it would know it is the right one. The 
>> rest of the downloads can then happen over http. Of course this needs APT to 
>> have some notion of what a valid certificate is for security.debian.org; that 
>> could be addressed by adding it to the debian-archive-keyring package.
> This makes sense for me, but may introduce some problems...
> 
> 1) insert apt-transport-https and all its deps into base system (libcurl,
> kerberos etc.)
> 2) Release and Release.gpg, installed on security.debian.org, should be
> somehow synchronized with at least all official Debian mirrors, I don't know
> how hard it would be to insert this move into archive infrastructure (ftp
> masters CC'ed)
> 3) needs some hardcoded black magic in APT - if user has an entry
> 
> 'deb http://abc.def.edu/debian lenny main'
> 
> in sources.list, how can we know whether it is an official Debian archive and
> do we need to pick Release file from 'https://security.debian.org' or from
> host itself?..

2) and 3) are moot AFAICS as the user has no choice in what to put in
sources.list for the security archive. 1) doesn't have to be mandatory
for Lenny IMHO, just possible for interested parties who want to try it
already. We probably should discuss this after Lenny and maybe even test
alternatives properly.

Cheers

Luk

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Jun 2009 07:39:52 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 19:59:52 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.