Received: from mx1.tetrasec.net (mx1.tetrasec.net [74.117.189.118])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id A6A4B782C0E
	for <~alpine/devel@lists.alpinelinux.org>; Thu, 16 Jan 2020 14:42:58 +0000 (UTC)
Received: from mx1.tetrasec.net (mail.local [127.0.0.1])
	by mx1.tetrasec.net (Postfix) with ESMTP id 640F62DE409E;
	Thu, 16 Jan 2020 14:42:57 +0000 (UTC)
Received: from ncopa-desktop.copa.dup.pw (67.63.200.37.customer.cdi.no [37.200.63.67])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: alpine@tanael.org)
	by mx1.tetrasec.net (Postfix) with ESMTPSA id 383DB2DE3B3B;
	Thu, 16 Jan 2020 14:42:55 +0000 (UTC)
Date: Thu, 16 Jan 2020 15:42:50 +0100
From: Natanael Copa <ncopa@alpinelinux.org>
To: "Drew DeVault" <sir@cmpwn.com>
Cc: "Timo Teras" <timo.teras@iki.fi>, <~alpine/devel@lists.alpinelinux.org>
Subject: Re: apk-tools plans
Message-ID: <20200116154250.2b1d1fda@ncopa-desktop.copa.dup.pw>
In-Reply-To: <BZXA7BCRF3I4.1S1I48FFFZ1KD@homura>
References: <20200116151947.63f7ade8@ncopa-desktop.copa.dup.pw>
	<BZXA7BCRF3I4.1S1I48FFFZ1KD@homura>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Thu, 16 Jan 2020 09:22:30 -0500
"Drew DeVault" <sir@cmpwn.com> wrote:

> On Thu Jan 16, 2020 at 3:19 PM, Natanael Copa wrote:
> > I think it as been mentioned before but I think it would be nice if we
> > could have 2 operational install modes:
> >
> > - quick: in-the-air extraction/verification of packages (current style)
> > - safe: store all packages locally and verify before trying to extract
> > them
> >
> > safe mode is useful when the network connection is unreliable. In case
> > of network error it could continue where it left off last time, rather
> > than try fetch it all from scratch. Something like
> > `apk upgrade --fetch-first` or `apk upgrade --safe`.  
> 
> In my opinion, the "quick" mode is so unsafe that I find it really
> objectionable to have at all. It's not just an unreliable network to
> consider - what if a signature check fails partway through and the
> upgrade aborts half-finished? What if an man in the middle orchestrates
> this situation? "Quick" mode also makes it difficult to reckon if
> there'll be sufficient disk space in advance - today apk just breaks
> your system if it hits ENOSPC.

That is how current apk works, and is part of reason why it is
significantly faster than other package managers. In general, when the
other package managers are done with fetching the package and is about
to start unpack them, apk is already done with it all.

What apk does is that it extracts each file into a temp file without
execute permissions until the signature is verified. If signature
matches it renames all the files in one go, or deletes on failure.
Rename and set permissions are very quick operation, while read/write
all the data once again is not.

Disk usage is available in the index so it can be calculated before
anything is downloaded.

But you are right to be worried. CVE-2018-1000849 is a proof of that.

-nc