Comment 19 for bug 756317
Revision history for this message
| Morten Welinder (terra-gnome) wrote Re: Captive portals may corrupt apt package lists | #19 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
35a32c5
(Get the code!)
> "patch"
That would certainly be useful.
But seriously, complaining over semi-broken captive portals? You need a vacation.
Fixing an unknown number, but probably hundreds of thousands, broken routers
mostly operated by non-tech-savvy people is not going to happen in a timely manner.
They will get replaced when they fail and the replacements will have a new set of
bugs.
So where do we stand?
1. APT cannot recover from receiving broken files. This is *not* just the result of
captive portals. Truncated files -- even zero-length files -- seem to cause it
trouble too.
2. Anyone with a router can stop a user from getting security updates from then on.
Just hand out an IP address and serve a broken file. Yes, that really is a security
issue.
*You* need to stop blaming the messengers. The problem here is cutting corners in
the design: putting that amount of trust on the network is not "best practices" and
hasn't been for 3-4 decades.
I probably shouldn't write all this without being constructive myself, so here goes:
Item 1 seems to be fixable with a basic syntax check on the file. If the check fails,
toss the file and life goes on.
Item 2 is much trickier. A full fix probably requires signatures or strong checksums, i.e.,
it cannot happen in APT alone, but APT could certainly issue a "HEAD" request and
verify basic things like file length.