Re: [bitfolk] Fwd: [SECURITY] [DLA 1637-1] apt security upda…

Author: Andy Smith
To: users
Subject: Re: [bitfolk] Fwd: [SECURITY] [DLA 1637-1] apt security update

gpg: Signature made Tue Jan 22 16:42:40 2019 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi,

On Tue, Jan 22, 2019 at 04:33:15PM +0000, Andy Bennett wrote:
> I've discussed this issue with Andy and he has asked me to post it here for
> wider discussion. I've not yet successfully performed the upgrade. I'd be
> interested to hear what others have done or are intending to do.

I think if you are concerned that someone may MitM your upgrade of
apt you should probably download the .deb from the mirror directly
and check its hash as noted in the advisory.

What I can tell you is that quite a few people have already obtained
the apt upgrade via BitFolk's apt-cachers.

> The message says that some mirrors have trouble with it and, indeed, when I
> try it against the http://apt-cacher.lon.bitfolk.com mirrors,
>
> `sudo apt -o Acquire::http::AllowRedirect=false update` gives me
>
> -----
> ...
> Fetched 15.5 kB in 4s (3,224 B/s)
> W: Failed to fetch http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/dists/jessie/updates/main/binary-i386/Packages
> 302 Found

I don't think I can fix this, not unless the apt-cacher-ng authors
have some miracle fix in the very near future that would justify
holding off on upgrading apt until it's ready.

Seems more sensible to either:

a) accept the apt upgrade as normal (don't disable redirects);

b) remove the apt-cacher from your /etc/apt/sources.list just to do
this package upgrade

c) download the apt .deb file directly and check its hash before
installing it with dpkg -i

> Perhaps if the cache was already populated it would work OK?

Sadly it doesn't appear to - many people have already upgraded apt
so it's already cached, but still this error appears.

For the longer term I am thinking of adding a new backend to the
apt-cachers that points at https://deb.debian.org/ so they fetch
packages over TLS.

I am more convinced by:

    https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repositories/

than I am by:

    https://whydoesaptnotusehttps.com/

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
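Option (c) from the message above, written out as an added shell example that is not part of the post or of BitFolk's tooling: the script only hands the downloaded .deb to dpkg when its SHA-256 matches the value printed in the advisory. The advisory hash and the .deb filename are not reproduced on this page, so both appear as placeholders to be filled in.

```shell
#!/bin/sh
# Added example: manual apt upgrade with a hash check before installation.
# The expected SHA-256 comes from the DLA advisory text (placeholder here).

# verify_deb FILE EXPECTED_SHA256
# Returns 0 only when FILE is readable, EXPECTED_SHA256 is a 64-char hex
# string, and the file's SHA-256 equals it. Any other outcome returns 1.
verify_deb() {
    file="$1"
    expected="$2"
    [ -r "$file" ] || { echo "verify_deb: cannot read $file" >&2; return 1; }
    # Accept a hash pasted in uppercase by normalising to lowercase first.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "verify_deb: expected hash is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_deb: hash must be 64 hex chars" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # e.g. on macOS
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the advisory hash"
        return 0
    fi
    echo "MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_verified FILE EXPECTED_SHA256
# Refuses to run dpkg at all unless verify_deb succeeds, so a tampered or
# truncated download never gets as far as being unpacked.
install_verified() {
    verify_deb "$1" "$2" || return 1
    dpkg -i "$1"
}

# Usage (placeholders; not executed here): fetch the .deb straight from the
# mirror as the advisory describes, then
#   install_verified apt_VERSION_ARCH.deb SHA256_FROM_ADVISORY
```

Running `verify_deb` on its own is the safe way to check a file you have already downloaded; `install_verified` is the same check followed by `dpkg -i`, which needs root.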