FS#34442 - [abs] Validate/verify tars

Attached to Project: Arch Linux
Opened by Dave Gilbert (penguin42) - Sunday, 24 March 2013, 14:07 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 15 May 2017, 17:18 GMT
Task Type Feature Request
Category Arch Projects
Status Closed
Assigned To matt mooney (mfm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

abs should validate/verify the tars it downloads; I used abs for the 1st time,
but one of the mirrors was screwed and returned an HTML page rather than a tar,
the only error was when the tar/gzip failed to decompress it.

But the more serious problem is that since there is absolutely no verification an
evil mirror/MITM could drop a tar in there with any old crap in.

I'd suggest something like signing with a key in the abs package or the like,
and verifying before unpacking (not quite sure what the sanest way to do that is
- if it was a separate sum file you'd have the problem of ensuring it stayed in sync
with the tar).

Additional info:
* abs 2.4.4-1

Steps to reproduce:

1) Take a fresh arch install
2) Find a screwed mirror that returns HTML instead of the tar
3) run abs

Closed by  Doug Newgard (Scimmia)
Monday, 15 May 2017, 17:18 GMT
Reason for closing:  None
Additional comments about closing:  Removed from repos
Comment by Samantha McVey (samcv) - Thursday, 09 June 2016, 06:46 GMT
2 things:
1. There is already a way to verify checksums of downloaded files before they are dealt with by makepkg, and most packages I have seen use this. Just a random example but a super short PKGBUILD: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=python2-dulwich
The package provides a sha1 checksum and if it does not match an error is given. The way it stays "in sync" is the ABS package owner has to update the package with each new release, true an additional thing to do but I think this solves the problem you were facing.
2. If your problem is not having a *useful* error message, having a failed checksum I think is much more useful than an error about decompression. The only thing else I can think of would be running:
$ file archive.tar.gz
and outputting the results of the file type if the checksum is invalid, though I think this is excessive and simply knowing the checksum is invalid would be mostly sufficient.
Comment by Doug Newgard (Scimmia) - Thursday, 09 June 2016, 23:28 GMT
You misunderstood this request, it's about the tarball the ABS downloads when you first run it, not about the source tarballs of individual packages.

The ABS will be supplanted by something else; this request will likely sit here until it becomes obsolete at that point.
Comment by Samantha McVey (samcv) - Thursday, 09 June 2016, 23:29 GMT
Thank you for that information. This is indeed a valid suggestion then. Thanks.
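
The verify-before-unpack step requested in the task description, as an added example that is not part of the original report or of abs itself. It assumes a detached OpenPGP signature is published next to the tarball and that a keyring ships with the client package; the function name, file names and keyring path are hypothetical.

```shell
#!/bin/sh
# Added example (not abs code): fail-closed check of a downloaded tarball.
# Assumption: a detached signature and a pinned keyring exist; names are hypothetical.
# Usage: verify_then_unpack abs.tar.gz abs.tar.gz.sig /path/to/keyring.gpg /var/abs

# Returns 0 only when the tarball passed every check and was extracted.
verify_then_unpack() {
    tarball=$1 sig=$2 keyring=$3 dest=$4

    # 1. Sanity check: a gzip stream starts with bytes 1f 8b. A mirror that
    #    answers with an HTML page is reported here, with a clear message,
    #    instead of surfacing later as a decompression error.
    magic=$(head -c 2 "$tarball" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        echo "error: $tarball is not a gzip archive (bad mirror response?)" >&2
        return 2
    fi

    # 2. A missing or empty signature or keyring is a failure, never a skip.
    if [ ! -s "$sig" ] || [ ! -s "$keyring" ]; then
        echo "error: signature or keyring missing, refusing to unpack" >&2
        return 3
    fi

    # 3. gpgv trusts only keys in the given keyring. The detached signature
    #    covers the exact bytes of the tarball, so a tarball that does not
    #    match its signature fails here.
    if ! gpgv --keyring "$keyring" "$sig" "$tarball" >/dev/null 2>&1; then
        echo "error: signature check failed for $tarball" >&2
        return 4
    fi

    # 4. Only now touch the destination directory.
    mkdir -p "$dest" && tar --no-same-owner -xzf "$tarball" -C "$dest"
}
```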
