联通的緩存劫持会导致 APT 和 YUM 更新软件源时校验失败

2016-11-20 15:16:48 +08:00
 raysonx

看到有人给这种劫持洗地,忍不住来发一帖。 比如用 APT 更新软件源时,联通的缓存会导致校验失败:

# apt update
Ign http://archive.ubuntu.com trusty InRelease
Get:1 http://archive.ubuntu.com trusty-updates InRelease [65.9 kB]
Get:2 http://archive.ubuntu.com trusty-security InRelease [65.9 kB]            
Get:3 http://archive.ubuntu.com trusty Release.gpg [933 B]                     
Get:4 http://archive.ubuntu.com trusty-updates/main Sources [476 kB]           
Get:5 http://archive.ubuntu.com trusty-updates/restricted Sources [476 kB]     
Get:6 http://archive.ubuntu.com trusty-updates/universe Sources [214 kB]       
Get:7 http://archive.ubuntu.com trusty-updates/main amd64 Packages [1145 kB]   
Get:8 http://archive.ubuntu.com trusty-updates/restricted amd64 Packages [1145 kB]
Get:9 http://archive.ubuntu.com trusty-updates/universe amd64 Packages [502 kB]
Get:10 http://archive.ubuntu.com trusty-security/main Sources [40 B]           
Get:11 http://archive.ubuntu.com trusty-security/restricted Sources [476 kB]   
Get:12 http://archive.ubuntu.com trusty-security/universe Sources [40 B]       
Get:13 http://archive.ubuntu.com trusty-security/main amd64 Packages [681 kB]  
99% [13 Packages 629 kB/681 kB 92%]                                3565 B/s 14s^C
root@09b8e74b8f93:/# apt update
Ign http://archive.ubuntu.com trusty InRelease
Hit http://archive.ubuntu.com trusty-updates InRelease
Hit http://archive.ubuntu.com trusty-security InRelease
Get:1 http://archive.ubuntu.com trusty Release.gpg [933 B]
Get:2 http://archive.ubuntu.com trusty-updates/main Sources [476 kB]
Get:3 http://archive.ubuntu.com trusty-updates/restricted Sources [476 kB]     
Get:4 http://archive.ubuntu.com trusty-updates/universe Sources [9183 B]       
Get:5 http://archive.ubuntu.com trusty-updates/main amd64 Packages [1145 kB]   
Get:6 http://archive.ubuntu.com trusty-updates/restricted amd64 Packages [1145 kB]
Get:7 http://archive.ubuntu.com trusty-updates/universe amd64 Packages [1145 kB]
Get:8 http://archive.ubuntu.com trusty-security/main Sources [1335 kB]         
Get:9 http://archive.ubuntu.com trusty-security/restricted Sources [476 kB]    
Get:10 http://archive.ubuntu.com trusty-security/universe Sources [1335 kB]    
Get:11 http://archive.ubuntu.com trusty-security/main amd64 Packages [1145 kB] 
Get:12 http://archive.ubuntu.com trusty-security/restricted amd64 Packages [17.0 kB]
Get:13 http://archive.ubuntu.com trusty-security/universe amd64 Packages [1145 kB]
Get:14 http://archive.ubuntu.com trusty Release [58.5 kB]                      
Get:15 http://archive.ubuntu.com trusty/main Sources [40 B]                    
Get:16 http://archive.ubuntu.com trusty/restricted Sources [5335 B]            
Get:17 http://archive.ubuntu.com trusty/universe Sources [214 kB]              
Get:18 http://archive.ubuntu.com trusty/main amd64 Packages [19.6 kB]          
Get:19 http://archive.ubuntu.com trusty/restricted amd64 Packages [1640 kB]    
Get:20 http://archive.ubuntu.com trusty/universe amd64 Packages [17.0 kB]      
Fetched 11.8 MB in 8s (1337 kB/s)                                              
W: Size of file /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_trusty-updates_universe_source_Sources.gz is not what the server reported 9183 213537
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/main/source/Sources  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/restricted/source/Sources  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/universe/source/Sources  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/main/binary-amd64/Packages  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/restricted/binary-amd64/Packages  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-updates/universe/binary-amd64/Packages  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/main/source/Sources  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/restricted/source/Sources  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/universe/source/Sources  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/main/binary-amd64/Packages  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/universe/binary-amd64/Packages  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/main/source/Sources  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/universe/source/Sources  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/main/binary-amd64/Packages  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/restricted/binary-amd64/Packages  Hash Sum mismatch

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty/universe/binary-amd64/Packages  Hash Sum mismatch

E: Some index files failed to download. They have been ignored, or old ones used instead.

不明真相的新手用户肯定会因为这种问题受阻。

 $ curl -v http://archive.ubuntu.com/ubuntu/dists/trusty/universe/binary-amd64/Packages.gz
*   Trying 91.189.88.161...
* Connected to archive.ubuntu.com (91.189.88.161) port 80 (#0)
> GET /ubuntu/dists/trusty/universe/binary-amd64/Packages.gz HTTP/1.1
> Host: archive.ubuntu.com
> User-Agent: curl/7.47.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Content-Length: 0
< Cache-Control: no-cache
< Connection: close
< Location: http://120.52.72.23:80/archive.ubuntu.com/c3pr90ntc0td/ubuntu/dists/trusty/universe/binary-amd64/Packages.gz
< 
* Closing connection 0
3616 次点击
所在节点    宽带症候群
7 条回复
akw2312
2016-11-20 15:18:01 +08:00
聯通的有緩存 電信的可能只是反代
不過這個 iptables 應該能幹掉吧..
話說聯通直接用首都在線的 mirror 就好 速度挺快的
aihimmel
2016-11-20 15:28:17 +08:00
SSL
dangge
2016-11-20 15:50:01 +08:00
安利一波
https://mirrors.zzu.edu.cn/
带宽不大,但是好歹有 SSL 保证不被劫持
PS:其实 USTC 啊 TUNA 这些大学的镜像站也是有 SSL 的~
zstack
2016-11-20 16:03:02 +08:00
用阿里云的 mirror 应该速度质量都比较有保障
Cu635
2016-11-20 16:16:32 +08:00
解决方法是用 https 链接源,这时候需要安装 apt-transport-https 这个包。

联通的还算好,那些小运营商的缓存那更可恶。
blindlf
2017-01-02 22:35:07 +08:00
http://archive.ubuntu.com
http://ppa.launchpad.net
apt-get update 时总是 Hash Sum Mismatch ,搞了 2 天,一直没法安装软件。今天才发现 TMD 联通搞鬼。 archive.ubuntu.com 有镜像还好点, ppa 没有镜像。日了狗的联通。
hbq007
2017-01-28 10:28:00 +08:00
帝都实测,昨天还没有今天就被劫持了 日了 U •ェ•*U 服了。。。

真怀疑 到底有没有底线。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/321871

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX