Hi,
On Tue, Jan 22, 2019 at 04:33:15PM +0000, Andy Bennett wrote:
> I've discussed this issue with Andy and he has asked me to post it here for
> wider discussion. I've not yet successfully performed the upgrade. I'd be
> interested to hear what others have done or are intending to do.
I think if you are concerned that someone may MitM your upgrade of
apt you should probably download the .deb from the mirror directly
and check its hash as noted in the advisory.
What I can tell you is that quite a few people have already obtained
the apt upgrade via BitFolk's apt-cachers.
> The message says that some mirrors have trouble with it and, indeed, when I
> try it against the http://apt-cacher.lon.bitfolk.com mirrors,
> `sudo apt -o Acquire::http::AllowRedirect=false update` gives me
>
> -----
> ...
> Fetched 15.5 kB in 4s (3,224 B/s)
> W: Failed to fetch http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/dists/jessie/u…  302  Found
I don't think I can fix this, not unless the apt-cacher-ng authors
have some miracle fix in the very near future that would justify
holding off on upgrading apt until it's ready.
Seems more sensible to either:
a) accept the apt upgrade as normal (don't disable redirects);
b) remove the apt-cacher from your /etc/apt/sources.list just to do
this package upgrade;
c) download the apt .deb file directly and check its hash before
installing it with dpkg -i
> Perhaps if the cache was already populated it would work OK?
Sadly it doesn't appear to - many people have already upgraded apt
so it's already cached, but still this error appears.
For the longer term I am thinking of adding a new backend to the
apt-cachers that points at https://deb.debian.org/ so they fetch
packages over TLS.
I am more convinced by:
https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repo…
than I am by:
https://whydoesaptnotusehttps.com/
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
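Option c) above as a script, added here as an example and not part of the original mail or of BitFolk's tooling: fetch the apt .deb directly while refusing HTTP redirects (so a 302 like the one in the post is an error, not something followed), verify its SHA-256 against the value from the advisory, and only then hand it to dpkg -i. The URL and hash are placeholders supplied on the command line; the script names and helper functions are my own.

```shell
#!/bin/sh
# Added example: fetch an apt .deb without following redirects and verify
# its SHA-256 before installing. URL and expected hash come from the
# advisory and are passed as arguments; nothing here is hard-coded.
set -e

# Download URL to OUT. curl is run without -L, so a redirect is not
# followed; any status other than 200 (e.g. the 302 seen via the cacher)
# removes the partial file and fails.
fetch_no_redirect() {
    url=$1
    out=$2
    code=$(curl -sS -o "$out" -w '%{http_code}' "$url")
    if [ "$code" != "200" ]; then
        echo "refusing: $url answered HTTP $code (expected 200)" >&2
        rm -f "$out"
        return 1
    fi
}

# Compare the SHA-256 of FILE with EXPECTED (hex, case-insensitive).
# Returns non-zero on mismatch so the caller never reaches dpkg -i.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file: got $actual, want $expected" >&2
        return 1
    fi
}

# Usage: ./apt-fetch-verify.sh <deb URL> <SHA-256 from advisory>
# Only runs when both arguments are given, so the functions can also be
# sourced and used on their own.
if [ "$#" -ge 2 ]; then
    deb=$(mktemp)
    fetch_no_redirect "$1" "$deb"
    verify_sha256 "$deb" "$2"
    sudo dpkg -i "$deb"
    rm -f "$deb"
fi
```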