Db.sig corrupted by routers

Continuing the discussion from Error: failed to synchronize all databases (invalid or corrupted database (PGP signature)):

Found the issue by using the above post. I connected to an “open” wifi on a bus and all of my db.sig files on /var/lib/pacman/sync/ got corrupted by the bus’ router returning its redirection (html) output.

Could there be a way to prevent this? I am an inexperienced user in this case and cannot contribute anything to solving the issue long-term, but some data validation could go a long way :slight_smile:

I would never ever update my system while on an unreliable network. I apologize in advance if my answer does not meet your expectations but this is a rule of thumb when it comes to updating your system.

There is no signature for any of the databases.

Understanding how pacman works will help you understand why this happened.

pacman does not do any network connectivity - it is outsourced (in a manner of speaking) to other tools - I think curl is the default - which will fetch whatever is at the end of the URL provided e.g. core.db and on success 200 OK the result is saved at the storage location.

When the network is restricted - it will return something to the user - usually an HTML document explaining what to do next - or explaining why it is restricted.

This result is saved as the content of the requested file on success - only then does pacman parse the result - but as it is not a database pacman throws the above message.

This is not a pacman issue but a consequence of the network connection.

You can remove the files - no problem - they will be fetched on the next sync command.

sudo rm -f /var/lib/pacman/sync/*
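The thread's point is that curl saves whatever the captive portal answers, and the mismatch is only noticed once pacman parses the file. The following wrapper, an added example that is not part of this thread and not pacman's or curl's own code, shows what the requested "validate before writing" looks like when done outside the package manager: it downloads to a temporary file, inspects the bytes for the compression magic a sync database starts with, and only moves the file into place if it is not an HTML page. The function names (`classify_download`, `safe_fetch`) and the sample files built in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread, pacman or curl): refuse to install a
# downloaded sync database when the body is a captive-portal HTML page.

# Print the first N bytes of FILE as lowercase hex with no separators.
hex_prefix() {
    head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# classify_download FILE -> prints "db", "html" or "unknown"; exit 0 only for "db".
classify_download() {
    f=$1
    h=$(hex_prefix "$f" 6)
    case "$h" in
        1f8b*)        echo db; return 0 ;;   # gzip: the usual .db/.files compression
        fd377a585a00) echo db; return 0 ;;   # xz
        28b52ffd*)    echo db; return 0 ;;   # zstd
        425a68*)      echo db; return 0 ;;   # bzip2
    esac
    # Uncompressed tar archive: "ustar" magic at byte offset 257.
    if [ "$(tail -c +258 "$f" 2>/dev/null | head -c 5)" = "ustar" ]; then
        echo db; return 0
    fi
    # Captive portals answer with HTML, often with a 200 or a 302 that curl -L follows.
    if head -c 512 "$f" | tr 'A-Z' 'a-z' \
        | grep -q -e '<html' -e '<!doctype html' -e '<meta http-equiv'; then
        echo html; return 1
    fi
    echo unknown; return 1
}

# safe_fetch URL DEST: download to a temp file, classify, install only if it is a db.
# Not exercised offline; it is the piece a pacman.conf XferCommand would call
# (XferCommand = /path/to/this.sh %u %o, with %u the URL and %o the output path).
safe_fetch() {
    url=$1; dest=$2
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # -f: fail on HTTP errors, -L: follow redirects, -s/-S: quiet except real errors.
    if ! curl -fsSL --max-time 60 -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    kind=$(classify_download "$tmp")
    if [ "$kind" = db ]; then
        mv "$tmp" "$dest"
    else
        echo "refusing to install $dest: downloaded body looks like '$kind'" >&2
        rm -f "$tmp"; return 1
    fi
}

# Entry point when wired as an XferCommand: $1 = URL, $2 = output file.
if [ "$#" -eq 2 ]; then
    safe_fetch "$1" "$2"
fi
```

The check is deliberately shallow: it looks at magic bytes, not at whether the archive is a well-formed pacman database, so pacman's own parse still runs afterwards. What it buys is that a stale but good `core.db` is never overwritten by a portal page, so the next sync on a real network does not start from a corrupted state, and `rm -f /var/lib/pacman/sync/*` is no longer needed to recover.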

I understand this, but I would expect that at least some validation would be done before writing something to file?

In theory this could be a security issue as well. I do think pacman should know at that point, what data is expected and if the data doesn’t satisfy the criteria it should be rejected and not written to file?

This has nothing to do with pacman or pamac or libalpm - It is curl which is fetching the file and curl is writing what it fetches - what kind of validation can you expect - other than pacman validating the file it has received on disk?

Which is the validation message you get - invalid db.

If you don’t see this as an issue and you’re DevSecOps - I am worried.

Why?

If you download a file using curl - you only validate the content after download - right?

If you download the ISO using curl - you only validate the checksum or the signature after download - right?

pacman validates the file after download - if the content is not a db, it throws a message - where is the problem in that?

Just like you can’t validate the download while it is progressing - pacman cannot validate the db until it has been downloaded - there is no issue until pacman validates the content and finds it is not a database.

I am closing the topic as it is not really a package manager issue and it is moving off-topic to a discussion on how and when to validate a downloaded file.

Forum rules - Bigotry & Personal Attacks

Also closed because you are turning the dialog into a personal matter by questioning my merits - which has no place within the current context.