uvt-simplestreams downloads via https, breaking caching

Bug #1409400 reported by Rob Thomas
Affects: uvtool
Status: Fix Committed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

The default (in uvtool/libvirt/simplestreams.py) is to download everything via https:

   sync_subparser.add_argument('--source', dest='mirror_url',
        default='https://cloud-images.ubuntu.com/releases/')

This means that caching and proxying of images is not available.

Whilst this may be fine for those people who happen to have fibre or another fast connection to ubuntu.com, for people who are trying to develop or test things, having to repeatedly download 300+ MB files is a massive issue.

Serving the files over https is counterintuitive as well, as everything is already GPG signed. Normally, belt and suspenders security isn't an issue, but this is a significant issue, and doesn't offer any advantages over serving the files over http.

Robie Basak (racb) wrote :

Thank you for reporting this bug.

It does leak what you're downloading though (which exact images, as opposed to just images). I'm not opposed to changing the default to http (as you say, downloads are verified with gpg), but I think that we need to be very cautious about making this change.

Seth Arnold (seth-arnold) wrote :

I've given the code a quick read and it does appear that the data is properly validated with GnuPG. Switching the default to HTTP would give immediate benefits to everyone with caching proxies already configured -- assuming the rest of the code will use a proxy -- while allowing a network observer to discover what is being downloaded. I don't think this is a significant risk; the images have different sizes, traffic analysis should be sufficient to discover which images are downloaded.

Using HTTP for download may introduce new errors -- because HTTP relies only upon CRC32 for integrity checking, the possibility exists that incorrectly downloaded data will be handed to GnuPG for verification. There's no real solution except trying the download again and re-verifying. (For what it's worth, I don't believe I have ever discovered this behaviour with apt despite downloading terabytes of packages and package lists. WiFi hotspot "landing pages" being stored in apt lists happens occasionally, though, and apt utterly fails to handle that gracefully. It'd be nice if simplestreams does better.)

I think switching to HTTP is a good idea.

Thanks
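
The retry-and-re-verify handling discussed in the comment above, including rejection of a hotspot landing page, as an added example that is not part of the original thread and is not uvtool or simplestreams code. `fetch_verified`, `looks_like_landing_page`, `make_fake_fetch`, the mirror URL and the sample bytes are hypothetical or constructed, and the expected SHA-256 is assumed to come from metadata already verified with GnuPG.

```python
import hashlib

class VerificationError(Exception):
    """No attempt produced data matching the trusted digest."""

def looks_like_landing_page(body):
    # Captive portals answer plain-HTTP requests with their own HTML page.
    head = body[:512].lstrip().lower()
    return head.startswith((b"<!doctype html", b"<html"))

def fetch_verified(fetch, url, expected_sha256, attempts=3):
    """Call fetch(url) until the body hashes to expected_sha256.

    Assumption: expected_sha256 comes from metadata whose GnuPG signature
    was already checked. Returns (body, failures); failures records why
    earlier attempts were rejected.
    """
    failures = []
    for attempt in range(1, attempts + 1):
        body = fetch(url)
        if hashlib.sha256(body).hexdigest() == expected_sha256.lower():
            return body, failures
        # Rejected bytes are dropped, never stored as if they were the image.
        kind = "landing page" if looks_like_landing_page(body) else "digest mismatch"
        failures.append((attempt, kind))
    raise VerificationError(f"{url}: gave up after {failures}")

# Constructed sample data; the URL is a placeholder, not a real mirror path.
IMAGE = b"\x00constructed-image\x01" * 4096
PORTAL = b"<!DOCTYPE html><html><body>Please sign in to the WiFi</body></html>"
CORRUPT = IMAGE[:100] + b"\xff" + IMAGE[101:]
TRUSTED_SHA256 = hashlib.sha256(IMAGE).hexdigest()
URL = "http://mirror.example/releases/image.img"

def make_fake_fetch(responses):
    """Hypothetical stand-in for an HTTP GET: returns canned bodies in order."""
    it = iter(responses)
    return lambda url: next(it)

def demo():
    # First a hotspot page, then a damaged transfer, then the real image.
    return fetch_verified(make_fake_fetch([PORTAL, CORRUPT, IMAGE]), URL, TRUSTED_SHA256)

if __name__ == "__main__":
    print(demo()[1])
```

The failure list distinguishes an intercepted response from a damaged transfer, which is the information an operator needs when a sync over HTTP keeps failing.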

Robie Basak (racb) wrote :

Thank you for the security perspective, Seth. I'll make the change when I next look at uvtool.

Changed in uvtool:
status: New → Triaged
importance: Undecided → Medium
Robie Basak (racb)
Changed in uvtool:
status: Triaged → Fix Committed