
#1 2009-02-10 20:51:07

mico
Member
From: Slovenia
Registered: 2004-02-08
Posts: 247

Corrupted repositories?

Hi archers! When I did a pacman -Syu on 2009-01-29, apache got upgraded (2.2.11-1 -> 2.2.11-2). I used the same pkg files to upgrade another archlinux machine, but there I used a different mirror to sync the database. When pacman found apache-2.2.11-2-i686.pkg.tar.gz it said it was corrupted. So I downloaded the package again from a few different mirrors and it was OK from all of them.

But the package I got in the first place is different and it is not due to a network error! I don't know which mirror I got it from because I changed /etc/pacman.d/mirrorlist recently but I suspect it was either belnet.be or hosteurope.de because I used mostly those two. At this moment both belnet.be and hosteurope.de have the same fine packages of apache.

Here is the md5sum output:

a86a7048450a8326521af48766305ab5  /var/cache/pacman/pkg/apache-2.2.11-2-i686.pkg.tar.gz
7ceaaa89043fd961f8a9e094a1f9d431  /var/cache/pacman/pkg/apache-2.2.11-2-i686.pkg.tar.gz.weird

The packages extracted OK. Here is the output of diff -ur on the extracted tar.gz archives:

--- apache-ok/.PKGINFO    2009-01-29 15:15:00.000000000 +0100
+++ apache-corrupted/.PKGINFO    2009-01-29 18:02:47.000000000 +0100
@@ -1,13 +1,13 @@
 # Generated by makepkg 3.2.2
 # using fakeroot version 1.12.1
-# Thu Jan 29 14:15:00 UTC 2009
+# Thu Jan 29 17:02:47 UTC 2009
 pkgname = apache
 pkgver = 2.2.11-2
 pkgdesc = A high performance Unix-based HTTP server
 url = http://www.apache.org/dist/httpd
-builddate = 1233238500
-packager = Pierre Schmitz <pierre@archlinux.de>
-size = 4251648
+builddate = 1233248567
+packager = Giovanni Scafora <giovanni@archlinux.org>
+size = 4139008
 arch = i686
 license = APACHE
 depend = openssl
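Review bot: the packager and builddate lines are the decisive evidence in this hunk: two different packagers built pkgver 2.2.11-2 just under three hours apart (builddate 1233238500 vs 1233248567, matching the 14:15 and 17:02 UTC comments), so the two archives are independent builds carrying one version string rather than one file altered in transit, and the differing httpd binary is the expected consequence. A repo update script that refuses an upload whose filename is already in the database with a different checksum would have caught this at upload time instead of at the user's pacman run.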
diff -ur apache-ok/usr/lib/httpd/build/config_vars.mk apache-corrupted/usr/lib/httpd/build/config_vars.mk
--- apache-ok/usr/lib/httpd/build/config_vars.mk    2009-01-29 15:14:55.000000000 +0100
+++ apache-corrupted/usr/lib/httpd/build/config_vars.mk    2009-01-29 18:02:46.000000000 +0100
@@ -78,7 +78,7 @@
 EXTRA_INCLUDES = -I$(includedir) -I. -I/usr/include/apr-1 -I/usr/include
 LIBTOOL = /usr/share/apr-1/build/libtool --silent
 SHELL = /bin/sh
-RSYNC =
+RSYNC = /usr/bin/rsync
 SH_LIBS =
 SH_LIBTOOL = $(LIBTOOL)
 MK_IMPLIB =
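Review bot: RSYNC = /usr/bin/rsync versus an empty RSYNC is a build-host artifact, not a source change: config_vars.mk records what Apache's configure found on the machine that built it, so the second packager simply had rsync installed. It shows that the same PKGBUILD does not yield byte-identical output on different hosts, which is why a checksum mismatch on its own cannot distinguish a duplicate upload from tampering; only the checksum in the database from a trusted server (or a signature) settles which build is the legitimate one.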
diff -ur apache-ok/usr/sbin/apachectl apache-corrupted/usr/sbin/apachectl
--- apache-ok/usr/sbin/apachectl    2009-01-29 15:13:15.000000000 +0100
+++ apache-corrupted/usr/sbin/apachectl    2009-01-29 18:00:32.000000000 +0100
@@ -51,7 +51,7 @@
 # a command that outputs a formatted text version of the HTML at the
 # url given on the command line.  Designed for lynx, however other
 # programs may work.  
-LYNX="lynx -dump"
+LYNX="links -dump"
 #
 # the URL to your server's mod_status status page.  If you do not
 # have one, then status and fullstatus will not work.
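Review bot: unlike the RSYNC line, this one changes runtime behaviour: apachectl status and fullstatus run $LYNX to render the mod_status page, so the second build expects links rather than lynx on the target system while carrying the same pkgver. A configure-time substitution like this is worth fixing to a known value in the PKGBUILD so the shipped script does not depend on which text browser the packager happened to have installed.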
Binary files apache-ok/usr/sbin/httpd and apache-corrupted/usr/sbin/httpd differ

The scariest part is that the httpd binaries differ! Could it be that two developers built the same package, labelled them with the same version, and they got uploaded to different mirrors? I hope this is the case, because the first thing I thought was that I may have some malware on my computer.

Which brings me to another question: are there any measures to ensure the integrity of the pacman database? In other words, if some mirror gets hacked and somebody puts malicious stuff into a package, would pacman be able to detect this, and if so, how? Pacman gets the database from the same mirror it gets the packages from, and if a package is deliberately modified, the database on the same server could be as well. Perhaps the database could be signed by archlinux.org, and the pacman package would include the public key to verify the signature on each pacman -Sy operation?


#2 2009-02-10 22:24:49

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,400

Re: Corrupted repositories?

It looks like two different developers have both uploaded the package.  File a bug report.


#3 2009-02-10 23:41:26

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: Corrupted repositories?

Even if this is a simple and innocent mistake on the part of the devs, it does highlight the need for package signing. I haven't been following it myself, but I believe that PGP signing is in the pipeline but I have no idea if there's any ETA for that or if it's even on anybody's priority list.

As for the database and packages coming from the same server, you could use powerpill to get around that. Put archlinux.org (or another trusted server) at the top of your mirrorlist and pacman will use it to sync the database. Uncomment several other servers to which you get a good connection (or use reflector) and powerpill will use them to download the packages but will check their md5sums against the database from your trusted server. The info page linked in my sig provides more details.


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone
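The check that powerpill is described as doing above, which is also the integrity question raised in the first post, as an added example that is neither powerpill's nor pacman's own code: it reads %FILENAME% and %MD5SUM% from the desc files of a sync database (a constructed in-memory tar.gz in the <name>-<ver>/desc layout pacman used at the time) and accepts a package file from any mirror only if its md5sum matches the entry. The package bytes and database entries are constructed for the demo; the check is only as trustworthy as the server the database was synced from.

```python
import hashlib
import io
import tarfile
# Constructed stand-ins for the two files in the post; not real pacman packages.
PKG_NAME = "apache-2.2.11-2-i686.pkg.tar.gz"
GOOD_PKG = b"constructed build #1 of apache 2.2.11-2\n"
WEIRD_PKG = b"constructed build #2 of apache 2.2.11-2\n"  # same name, other bytes

def build_sync_db(entries):
    """In-memory sync db: tar.gz of <name>-<ver>/desc members (constructed
    here in place of the repo db that pacman -Sy fetches from the mirror)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, ver, fname, md5 in entries:
            desc = (f"%FILENAME%\n{fname}\n\n%NAME%\n{name}\n\n"
                    f"%VERSION%\n{ver}\n\n%MD5SUM%\n{md5}\n\n").encode()
            info = tarfile.TarInfo(f"{name}-{ver}/desc")
            info.size = len(desc)
            tar.addfile(info, io.BytesIO(desc))
    return buf.getvalue()

def parse_desc(text):
    """desc format: a %KEY% line, its value line(s), then a blank line."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            fields[key] = []
        elif line and key is not None:
            fields[key].append(line)
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}

def expected_md5s(db_bytes):
    """Map package filename -> md5sum as listed in the trusted sync db."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/desc"):
                desc = parse_desc(tar.extractfile(member).read().decode())
                out[desc["FILENAME"]] = desc["MD5SUM"]
    return out

def verify_package(db_bytes, filename, pkg_bytes):
    """True only if the trusted db lists filename and its md5sum matches."""
    want = expected_md5s(db_bytes).get(filename)
    return want is not None and hashlib.md5(pkg_bytes).hexdigest() == want

# The trusted db lists only build #1; build #2 is rejected whichever mirror served it.
TRUSTED_DB = build_sync_db([("apache", "2.2.11-2", PKG_NAME, hashlib.md5(GOOD_PKG).hexdigest())])
```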


#4 2009-02-11 00:51:00

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,400

Re: Corrupted repositories?

Package signing would not fix this. What it does highlight is the need for extra checks in the repo update scripts.

The ETA for package signing is whenever someone actually codes it...


#5 2009-02-11 04:20:13

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: Corrupted repositories?

In this particular case, you're right as it was just a duplicate upload, but I still think it shows the potential damage of a compromised server. Don't misunderstand me though... I'm not saying "zomg wtf dooo eeeeeeeet 4 we gets h4XX0rd!!!!11". I just remember reading about this on the mailing list and having the impression that someone was working on it.



#6 2009-02-16 19:27:26

TheBodziO
Member
From: Dukla, Poland
Registered: 2006-07-28
Posts: 230

Re: Corrupted repositories?

I must agree with both Allan and Xyne.

Sure, adding signature verification to pacman would introduce a bit of complication to the Arch package management scheme, yet it seems a necessity to me. I hope it'll be done before someone tries to screw us up on a big scale, which with the current state of affairs would be braindead easy (at least from the point where one gains the rights to change a mirror's files) ;)

