FS#34442 - [abs] Validate/verify tars
Attached to Project: Arch Linux
Opened by Dave Gilbert (penguin42) - Sunday, 24 March 2013, 14:07 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 15 May 2017, 17:18 GMT
Details
Description:
abs should validate/verify the tars it downloads; I used abs for the 1st time, but one of the mirrors was screwed and returned an HTML page rather than a tar, the only error was when the tar/gzip failed to decompress it.

But the more serious problem is that since there is absolutely no verification an evil mirror/MITM could drop a tar in there with any old crap in. I'd suggest something like signing with a key in the abs package or the like, and verifying before unpacking (not quite sure what the sanest way to do that is - if it was a separate sum file you'd have the problem of ensuring it stayed in sync with the tar).

Additional info:
* abs 2.4.4-1

Steps to reproduce:
1) Take a fresh arch install
2) Find a screwed mirror that returns HTML instead of the tar
3) run abs
Closed by Doug Newgard (Scimmia)
Monday, 15 May 2017, 17:18 GMT
Reason for closing: None
Additional comments about closing: Removed from repos
1. There is already a way to verify checksums of downloaded files before they are dealt with by makepkg, and most packages I have seen use this. Just a random example but a super short PKGBUILD: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=python2-dulwich
The package provides a sha1 checksum and if it does not match an error is given. The way it stays "in sync" is the ABS package owner has to update the package with each new release; true, an additional thing to do, but I think this solves the problem you were facing.
2. If your problem is not having a *useful* error message, having a failed checksum I think is much more useful than an error about decompression. The only thing else I can think of would be running:
$ file archive.tar.gz
and outputting the results of the file type if the checksum is invalid, though I think this is excessive and simply knowing the checksum is invalid would be mostly sufficient.
The ABS will be supplanted by something else; this request will likely sit here until it becomes obsolete at that point.
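
The check discussed in this thread (verify a downloaded archive before unpacking, and say what the file really is when the checksum fails), as an added example that is not part of the original thread or of abs/makepkg. `verify_tarball`, `detect_type`, the return codes and the choice of SHA-256 are assumptions; the expected checksum has to come from a source other than the mirror serving the archive, otherwise it only catches corruption and not tampering.

```bash
#!/usr/bin/env bash
# Added example: verify a downloaded tarball before unpacking it.
# Function names and return codes are hypothetical, not part of abs or makepkg.

# Describe a file by its leading bytes (gzip magic is 1f 8b).
detect_type() {
    local magic
    magic=$(head -c 2 -- "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo "gzip"
    elif head -c 512 -- "$1" | grep -qiE '<(!doctype|html)'; then
        echo "html"
    else
        echo "unknown"
    fi
}

# verify_tarball FILE EXPECTED_SHA256 DESTDIR
# Returns 0 after a verified extraction, 1 on checksum mismatch, 2 if FILE is missing.
verify_tarball() {
    local file="$1"
    local expected="$2"
    local dest="$3"
    local actual
    [ -f "$file" ] || { echo "error: $file not found" >&2; return 2; }
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "error: checksum mismatch for $file (content looks like: $(detect_type "$file"))" >&2
        return 1
    fi
    # Unpack only after the checksum has matched.
    mkdir -p -- "$dest" && tar -xzf "$file" -C "$dest"
}

# Constructed demo: an HTML error page saved under a tarball's name,
# checked against a constructed (all-zero) expected checksum.
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf '<!DOCTYPE html><html>mirror error</html>\n' > "$tmp/archive.tar.gz"
    verify_tarball "$tmp/archive.tar.gz" \
        "0000000000000000000000000000000000000000000000000000000000000000" \
        "$tmp/out" || echo "rejected with status $?"
    rm -rf "$tmp"
}
demo
```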