Hi archers! When I did a pacman -Syu on 2009-01-29 apache got upgraded (2.2.11-1 -> 2.2.11-2). I used the same pkg files to upgrade another archlinux machine, but here I used a different mirror to sync the database. When pacman found apache-2.2.11-2-i686.pkg.tar.gz it said it is corrupted. So I downloaded the package again from a few different mirrors and it was ok in all mirrors.
But the package I got in the first place is different and it is not due to a network error! I don't know which mirror I got it from because I changed /etc/pacman.d/mirrorlist recently but I suspect it was either belnet.be or hosteurope.de because I used mostly those two. At this moment both belnet.be and hosteurope.de have the same fine packages of apache.
Here is md5sum output:
a86a7048450a8326521af48766305ab5 /var/cache/pacman/pkg/apache-2.2.11-2-i686.pkg.tar.gz
7ceaaa89043fd961f8a9e094a1f9d431 /var/cache/pacman/pkg/apache-2.2.11-2-i686.pkg.tar.gz.weird
The packages extracted ok. Here is the output of diff -ur on the extracted tar.gz archives:
--- apache-ok/.PKGINFO 2009-01-29 15:15:00.000000000 +0100
+++ apache-corrupted/.PKGINFO 2009-01-29 18:02:47.000000000 +0100
@@ -1,13 +1,13 @@
# Generated by makepkg 3.2.2
# using fakeroot version 1.12.1
-# Thu Jan 29 14:15:00 UTC 2009
+# Thu Jan 29 17:02:47 UTC 2009
pkgname = apache
pkgver = 2.2.11-2
pkgdesc = A high performance Unix-based HTTP server
url = http://www.apache.org/dist/httpd
-builddate = 1233238500
-packager = Pierre Schmitz <pierre@archlinux.de>
-size = 4251648
+builddate = 1233248567
+packager = Giovanni Scafora <giovanni@archlinux.org>
+size = 4139008
arch = i686
license = APACHE
depend = openssl
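Review bot: The packager and builddate lines in this hunk point to two independent builds rather than an altered copy of one build: the packager changes from Pierre Schmitz to Giovanni Scafora and builddate moves from 1233238500 to 1233248567 (about 2 hours 48 minutes later, matching the 14:15:00 and 17:02:47 UTC header comments), while pkgname and pkgver 2.2.11-2 are identical in both. The size line (4251648 vs 4139008) confirms the payloads differ, so diffing .PKGINFO of a "corrupted" package against a known-good copy is the first triage step before suspecting malware, since it shows who built it and when.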
diff -ur apache-ok/usr/lib/httpd/build/config_vars.mk apache-corrupted/usr/lib/httpd/build/config_vars.mk
--- apache-ok/usr/lib/httpd/build/config_vars.mk 2009-01-29 15:14:55.000000000 +0100
+++ apache-corrupted/usr/lib/httpd/build/config_vars.mk 2009-01-29 18:02:46.000000000 +0100
@@ -78,7 +78,7 @@
EXTRA_INCLUDES = -I$(includedir) -I. -I/usr/include/apr-1 -I/usr/include
LIBTOOL = /usr/share/apr-1/build/libtool --silent
SHELL = /bin/sh
-RSYNC =
+RSYNC = /usr/bin/rsync
SH_LIBS =
SH_LIBTOOL = $(LIBTOOL)
MK_IMPLIB =
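Review bot: The RSYNC line going from empty to /usr/bin/rsync in config_vars.mk is a build-environment leak, not a deliberate change: the second build host had rsync installed, so configure recorded its path. Host-dependent output like this is exactly why two builds of the same pkgver end up with different checksums, and it is the kind of duplicate (same name and version uploaded twice with different content) that the repo update scripts mentioned later in the thread should reject.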
diff -ur apache-ok/usr/sbin/apachectl apache-corrupted/usr/sbin/apachectl
--- apache-ok/usr/sbin/apachectl 2009-01-29 15:13:15.000000000 +0100
+++ apache-corrupted/usr/sbin/apachectl 2009-01-29 18:00:32.000000000 +0100
@@ -51,7 +51,7 @@
# a command that outputs a formatted text version of the HTML at the
# url given on the command line. Designed for lynx, however other
# programs may work.
-LYNX="lynx -dump"
+LYNX="links -dump"
#
# the URL to your server's mod_status status page. If you do not
# have one, then status and fullstatus will not work.
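Review bot: LYNX="lynx -dump" becoming "links -dump" in apachectl is again configure picking up whichever text browser the build host had, consistent with the packager change in .PKGINFO. Together with the differing httpd binary reported below, this supports the duplicate-upload explanation given later in the thread, but it also shows the limit of inspection: only a checksum from a trusted source or a signature can distinguish an innocent rebuild from a tampered file, because a rebuilt package legitimately differs everywhere.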
Binary files apache-ok/usr/sbin/httpd and apache-corrupted/usr/sbin/httpd differ
The most scary part is that httpd binaries differ! Could it be that 2 developers built the same package, labeled them the same version and they got uploaded to different mirrors? I hope this is the case because the first thing I thought was that I may have some malware on my computer.
Which brings me to another question: are there any measures to ensure the integrity of pacman database? In other words, if some mirror gets hacked and somebody puts some malicious stuff into a package, if and how would pacman be able to detect this? Pacman gets the database from the same mirror as it gets the packages, and if a package is deliberately modified, the database on the same server could be as well. Perhaps the database could be signed by archlinux.org and the pacman package would include the public key to verify the signature on each pacman -Sy operation?
It looks like two different developers have both uploaded the package. File a bug report.
Even if this is a simple and innocent mistake on the part of the devs, it does highlight the need for package signing. I haven't been following it myself, but I believe that PGP signing is in the pipeline but I have no idea if there's any ETA for that or if it's even on anybody's priority list.
As for the database and packages coming from the same server, you could use powerpill to get around that. Put archlinux.org (or another trusted server) at the top of your mirrorlist and pacman will use it to sync the database. Uncomment several other servers to which you get a good connection (or use reflector) and powerpill will use them to download the packages but will check their md5sums against the database from your trusted server. The info page linked in my sig provides more details.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
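The check Xyne describes above (database synced from a trusted server, packages fetched from any mirror, each package's md5sum compared against that database) in code, as an added example that is not powerpill's or pacman's own code. The sync db layout it parses is the real one (the repo .db file is a tar of <pkg>/desc entries with %FILENAME% and %MD5SUM% blocks); the sample packages and the tiny database are constructed inline, with the second package standing in for the OP's "weird" apache file.

```python
import hashlib
import io
import tarfile

def parse_desc(text):
    """Parse a pacman 'desc' file (%KEY% blocks) into key -> first value."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
        elif line and key and key not in fields:
            fields[key] = line
    return fields

def load_checksums(db_bytes):
    """Map FILENAME -> MD5SUM from a sync db (.db is a tar of <pkg>/desc)."""
    checksums = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/desc"):
                fields = parse_desc(tar.extractfile(member).read().decode())
                checksums[fields["FILENAME"]] = fields["MD5SUM"]
    return checksums

def verify_package(filename, pkg_bytes, checksums):
    """True only if the package md5 matches the trusted db; unknown names fail."""
    expected = checksums.get(filename)
    return expected is not None and hashlib.md5(pkg_bytes).hexdigest() == expected

def make_db(entries):
    """Build a tiny sync db in memory from (dirname, filename, md5) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for dirname, filename, md5 in entries:
            desc = f"%FILENAME%\n{filename}\n\n%MD5SUM%\n{md5}\n\n".encode()
            info = tarfile.TarInfo(name=f"{dirname}/desc")
            info.size = len(desc)
            tar.addfile(info, io.BytesIO(desc))
    return buf.getvalue()

# Constructed sample data: the package as the trusted mirror's db records it,
# and a differently built copy of the same version served by another mirror.
GOOD_PKG = b"apache 2.2.11-2 built by packager A"
WEIRD_PKG = b"apache 2.2.11-2 built by packager B"
FILENAME = "apache-2.2.11-2-i686.pkg.tar.gz"
TRUSTED_DB = make_db([("apache-2.2.11-2", FILENAME, hashlib.md5(GOOD_PKG).hexdigest())])
CHECKSUMS = load_checksums(TRUSTED_DB)
print(verify_package(FILENAME, GOOD_PKG, CHECKSUMS), verify_package(FILENAME, WEIRD_PKG, CHECKSUMS))  # True False
```

This only helps as far as the database itself is trusted, which is why the thread goes on to signing the database: a mirror that can rewrite both the package and the db passes this check.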
Package signing would not fix this. What it does highlight is the need for extra checks in the repo update scripts.
The ETA for package signing is whenever someone actually codes it...
In this particular case, you're right as it was just a duplicate upload, but I still think it shows the potential damage of a compromised server. Don't misunderstand me though... I'm not saying "zomg wtf dooo eeeeeeeet 4 we gets h4XX0rd!!!!11". I just remember reading about this on the mailing list and having the impression that someone was working on it.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
I must agree with both Allan and Xyne.
Sure, adding signature verification to pacman would introduce a bit of complication to the arch package management scheme, yet it seems a necessity to me. I hope it'll be done before someone tries to screw us up on a big scale, which, with the current state of affairs, would be braindead easy (at least from the point where one gains rights to change a mirror's files).
It's not the best thing when they call you a "member" you know…