Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 2E030782C4C
	for <~alpine/devel@lists.alpinelinux.org>; Fri, 17 Jan 2020 01:41:23 +0000 (UTC)
Received: by mail-pj1-f46.google.com with SMTP id d5so2420684pjz.5
        for <~alpine/devel@lists.alpinelinux.org>; Thu, 16 Jan 2020 17:41:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=bpqp1e6WrVnAAUcYn8/T77aoVqo9C6eTB8Nmewdlrdg=;
        b=Nf8oq9sSkbE9gGbj48yi+n+QeRKA0/JNJfxyBcw7op+q4m0i6L/dRGLimIPenoa3j+
         olsujbw0yfQa5T7kpm9NEm4cveFH9p9KZ7yqurld7HHRYW0wfqpD2iYgtWLzBESFXbEy
         y3FFWxZz6TvVzKOuKdbgB4uj8V4pgXltLto1TwrLa04Mu7DGYnuICGXgVBbA+UFmpEZL
         WgghOTt61jwVa9dhmRugYzB4F7yVJR0/ulHm3m5S2ET+KKzETOB63/Lluh0gjUyt3Euz
         +P1JqP93C05t4UUE7E1nG9ov1upHmZB4GyT6X2RyRRLctoMfZ0V/87CnADQjnV9F64GW
         b6Mg==
X-Gm-Message-State: APjAAAWzRpJ7I3khYgsnhoNBYD81F9Hg2Ui2mLKk72kq6uWGdr2WzzCo
	CaY0r395ojh1VLaBQ/SBuUv11n9g
X-Google-Smtp-Source: APXvYqxNM7cCwAqTKH46w7LTAkOHanjgFvFxZ264sVrTkr0B2vImT2rd7wrC6JE3BA91n6+OEhfycg==
X-Received: by 2002:a17:90a:22e7:: with SMTP id s94mr2871971pjc.12.1579225281621;
        Thu, 16 Jan 2020 17:41:21 -0800 (PST)
Received: from vostro ([120.20.224.114])
        by smtp.gmail.com with ESMTPSA id o6sm25715977pgg.37.2020.01.16.17.41.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Jan 2020 17:41:21 -0800 (PST)
Date: Fri, 17 Jan 2020 03:41:11 +0200
From: Timo Teras <timo.teras@iki.fi>
To: Natanael Copa <ncopa@alpinelinux.org>
Cc: "Drew DeVault" <sir@cmpwn.com>, <~alpine/devel@lists.alpinelinux.org>
Subject: Re: apk-tools plans
Message-ID: <20200117034111.2afdcaec@vostro>
In-Reply-To: <20200116154250.2b1d1fda@ncopa-desktop.copa.dup.pw>
References: <20200116151947.63f7ade8@ncopa-desktop.copa.dup.pw>
	<BZXA7BCRF3I4.1S1I48FFFZ1KD@homura>
	<20200116154250.2b1d1fda@ncopa-desktop.copa.dup.pw>
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-alpine-linux-musl)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Thu, 16 Jan 2020 15:42:50 +0100
Natanael Copa <ncopa@alpinelinux.org> wrote:

> On Thu, 16 Jan 2020 09:22:30 -0500
> "Drew DeVault" <sir@cmpwn.com> wrote:
> 
> > On Thu Jan 16, 2020 at 3:19 PM, Natanael Copa wrote:  
> > > I think it as been mentioned before but I think it would be nice
> > > if we could have 2 operational install modes:
> > >
> > > - quick: in-the-air extraction/verification of packages (current
> > > style)
> > > - safe: store all packages locally and verify before trying to
> > > extract them
> > >
> > > safe mode is useful when the network connection is unreliable. In
> > > case of network error it could continue where it left off last
> > > time, rather than try fetch it all from scratch. Something like
> > > `apk upgrade --fetch-first` or `apk upgrade --safe`.    
> > 
> > In my opinion, the "quick" mode is so unsafe that I find it really
> > objectionable to have at all. It's not just an unreliable network to
> > consider - what if a signature check fails partway through and the
> > upgrade aborts half-finished? What if an man in the middle
> > orchestrates this situation? "Quick" mode also makes it difficult
> > to reckon if there'll be sufficient disk space in advance - today
> > apk just breaks your system if it hits ENOSPC.  

True. This is something we want to fix also in the "fast" version. To
support rollback to the original state regardless of what happens and
where. I believe this was mentioned in one of the earlier mails, or in
one of the tickets.

> That is how current apk works, and is part of reason why it is
> significantly faster than other package managers. In general, when the
> other package managers are done with fetching the package and is about
> to start unpack them, apk is already done with it all.
> 
> What apk does is that it extracts each file into a temp file without
> execute permissions until the signature is verified. If signature
> matches it renames all the files in one go, or deletes on failure.
> Rename and set permissions are very quick operation, while read/write
> all the data once again is not.
> 
> Disk usage is available in the index so it can be calculated before
> anything is downloaded.
> 
> But you are right to be worried. CVE-2018-1000849 is a proof of that.

That is also partially due to tar-format and perhaps even how we do
signing on it. Those were implemented more than a decade ago as an
"optional" feature for apk.

Times have changes. We are looking to make security and performance
first class citizens in the file formats. This is driving the whole
development spurt.

Timo