Is there any possibility of mirror censorship?


Is there any possibility of mirror censorship?

Post by jharris1993 »

Note to moderators: I hope this is the correct forum. Move as necessary.

Additional note:
This is not intended to be a "political" topic, but the present realities compel me to ask this.

Given:
* Linux Mint is extremely popular and there are mirrors almost everywhere. (Except maybe Mars? :wink: )
* There are some countries that restrict points of view and might have objections to certain packages, and/or might want them to conform to specific national ideologies.
* China, for example, requires very specific changes to things like Google for them to be used there.

Question:
I am currently an expatriate living in Russia with my granddaughters, and the Yandex mirrors are SIGNIFICANTLY faster than other mirrors located in other parts of the world, so I choose them.

I don't want to sound like a fear-monger, but I am curious if there is any possibility of censorship here?

If not, what things are in place to prevent it?

Note: I do NOT want a discussion about the ills of censorship or various countries, I simply want a discussion about the specific question.

Thanks!
Jim "JR"

Some see things as they are, and ask "Why?"
I dream things that never were, and ask "Why Not".

Robert F. Kennedy

“Impossible” is only found in the dictionary of a fool.
Old Chinese Proverb

Re: Is there any possibility of mirror censorship?

Post by xenopeek »

The list of packages available in the repository and their checksums are signed with a public key of Linux Mint (or Ubuntu/Debian for packages from the package base repositories) and are thus verified by your package management tools to originate from Linux Mint (or Ubuntu/Debian) and to have been downloaded without errors or tampering.

Attackers can't tamper with the packages themselves—undetected—unless they have the private key of Linux Mint (or Ubuntu/Debian) to sign the changed checksums for the changed packages or for the changed packages list.

You'd get errors from your package management tools if a repository wasn't signed or signed with the wrong private key, or if a package from the packages list can't be downloaded or its checksum doesn't match.

See https://www.debian.org/doc/manuals/debi ... on.en.html for more information about this.

Re: Is there any possibility of mirror censorship?

Post by jharris1993 »

I remember that a while back Mint got hacked and the ISOs were twerked with.

How is that different?

Re: Is there any possibility of mirror censorship?

Post by trinidad »

The mirrors are not the issue for you. Since you are in Russia your ISP can censor or control whatever content you are attempting to download, and keep records of your connections.

TC

Re: Is there any possibility of mirror censorship?

Post by Moem »

jharris1993 wrote: Mon Jan 22, 2024 11:48 am
I remember that a while back Mint got hacked and the ISOs were twerked with.
No, that's not what happened. The download page was hacked, and pointed to a fake mirror with backdoored ISOs. That's bad too, but it's not the same thing.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Re: Is there any possibility of mirror censorship?

Post by DPM »

xenopeek wrote: Mon Jan 22, 2024 11:27 am
Attackers can't tamper with the packages themselves—undetected—unless they have the private key of Linux Mint (or Ubuntu/Debian) to sign the changed checksums for the changed packages or for the changed packages list.
What malicious mirror operators could do, however, is willingly keeping old packages with known security issues instead of offering the updated ones, and then try to exploit the machines that they kept vulnerable this way.

Re: Is there any possibility of mirror censorship?

Post by t42 »

DPM wrote: Tue Jan 23, 2024 9:25 am
What malicious mirror operators could do, however, is willingly keeping old packages with known security issues instead of offering the updated ones, and then try to exploit the machines that they kept vulnerable this way.
I doubt it is possible to achieve. If the mirror is stale you will get an error such as "Release file for http://xxx.xxx is expired (invalid since 1h 19min 43s). Updates for this repository will not be applied.". Look at any release file, you just can't substitute a package for an older one:

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian
Label: Debian
Suite: testing
Codename: trixie
Changelogs: https://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog
Date: Tue, 23 Jan 2024 08:13:08 UTC
Valid-Until: Tue, 30 Jan 2024 08:13:08 UTC
Acquire-By-Hash: yes
No-Support-for-Architecture-all: Packages
Architectures: all amd64 arm64 armel armhf i386 mips64el ppc64el s390x
Components: main contrib non-free-firmware non-free
Description: Debian x.y Testing distribution - Not Released
MD5Sum:
 321bcf9936de80e348af81c7e2e3a0c2  1742632 contrib/Contents-all
 6682421e6ee6dfb3558b16ca58a2b7c3    27796 contrib/Contents-all.diff/Index
 e70db9137ab8f8beb7117e63181ca923   115810 contrib/Contents-all.gz
 0582a15e8faf3ecef849f7ccd6ed8d2d  1976595 contrib/Contents-amd64
 ...
 ...
 ...
-=t42=-

Re: Is there any possibility of mirror censorship?

Post by DPM »

t42 wrote: Tue Jan 23, 2024 10:11 am
Look at any release file, you just can't substitute a package for an older one:

Code:

Date: Tue, 23 Jan 2024 08:13:08 UTC
Valid-Until: Tue, 30 Jan 2024 08:13:08 UTC
Good point, that would allow only up to one week of malicious delays. Still possible to abuse in principle, but actually doing so would require high effort so that even state actors would only consider that for high profile targets, and then they'd probably rather use their stash of zero-day exploits.

Re: Is there any possibility of mirror censorship?

Post by jharris1993 »

So, the ultimate answer is. . . .

Short answer:
No.

Longer answer:
Not without going to insane lengths, and even then the best they could hope for is to not mirror certain things.

Correct?

Corollary question:
Can mirrors "pick-and-choose" what parts of the Mint repos they mirror? (i.e. exclude WhatsApp or Spotify because they think they're "sinful".) Or force "ideologically friendly" packages to be substituted for the original ones?

I know one of the bedrock principles of the Open Source/FOSS movement is trust and transparency and I don't want to sound like there's a bogeyman under every rock, but challenging times virtually compel these questions.

Thanks for your patience with me!

Re: Is there any possibility of mirror censorship?

Post by xenopeek »

Practically at worst the mirror can delay syncing so you wouldn't get security updates in a timely manner.

For the corollary question the short answer is no, mirrors can't pick-and-choose what they mirror. Bit of a misnomer otherwise. The why is evident by looking at the Release and related files on a mirror. So have a look at a mirror yourself. You can find the repository mirror addresses also on this page: https://linuxmint.com/mirrors.php. Pick one, open the dists/virginia/Release file for example and take it from there for what other files to open to answer why mirrors can't pick-and-choose which packages from the repository they mirror.

Re: Is there any possibility of mirror censorship?

Post by jharris1993 »

the short answer is no, mirrors can't pick-and-choose what they mirror.
Weeeel. . . .

About looking at mirrors. . . I did that. Once.

Silly me, I actually tried to clone a mirror. ONCE.
It was a raspberry pi mirror, not Mint/Ubuntu, and it was still a bad idea.

Yes, a "mirror" is supposed to be a one-to-one copy of the master, but what guarantees that? Is there any auditing or verification? Or do we blindly trust the benevolent good will of the target mirror? If something is missing from mirror "X", does the system automatically fall back to an upstream mirror?

Note:
As a (retired) software QA guy from way back, I'm used to asking tough questions and looking under rocks for boogie monsters. I'm not trying to offend.
Last edited by jharris1993 on Sun Mar 10, 2024 12:36 pm, edited 2 times in total.

Re: Is there any possibility of mirror censorship?

Post by Hoser Rob »

jharris1993 wrote: Mon Jan 22, 2024 11:48 am
I remember that a while back Mint got hacked and the ISOs were twerked with.

How is that different?
How is that remotely similar???
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken

Re: Is there any possibility of mirror censorship?

Post by xenopeek »

jharris1993 wrote: Sun Mar 10, 2024 12:01 pm
Yes, a "mirror" is supposed to be a one-to-one copy of the master, but what guarantees that? Is there any auditing or verification? Or do we blindly trust the benevolent good will of the target mirror? If something is missing from mirror "X", does the system automatically fall-back to an upstream mirror?
As indicated before the answer lies in the Release file, and the Packages files listed in it. Pick a random repository mirror, open it in your web browser, look at the Release file and then browse to a Packages file and look at it.

Every package in the repository is listed in one of those Packages files with its sha256 checksum, every Packages file is listed in the Release file with its sha256 checksum and the Release file is signed with the developer's private key. Your package manager verifies the Release file with the developer's public key stored on your system and verifies the Packages files and the packages themselves with the sha256 checksums. A mirror can exclude a package but your package manager would know it should be there so will give you an error that your mirror is missing a package when you try to install or update it.

Read the apt-secure manpage https://manpages.debian.org/buster/apt/ ... .8.en.html for more information. As referenced from the Debian Administrator's Handbook page I shared before.
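The checks xenopeek and t42 describe in this thread (a signed Release file listing each index file by checksum and size, an index rejected once its Valid-Until has passed, and an error when a listed file is missing or altered) modelled in Python as an added example; this is not code from the thread or from apt. The Release text and Packages content are constructed samples, and the OpenPGP signature check that apt performs before any of this is assumed to have already passed.

```python
import hashlib
from datetime import datetime

# Constructed sample: one index file as a mirror serves it, at the path the Release file lists.
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES_CONTENT = b"Package: hello\nVersion: 2.10-3\nSHA256: " + b"0" * 64 + b"\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
# Constructed Release file trimmed to the fields used here. Its SHA256 block lists
# the file above (hash computed for consistency) and one file the sample mirror lacks.
RELEASE_TEXT = (
    "Suite: testing\nDate: Tue, 23 Jan 2024 08:13:08 UTC\n"
    "Valid-Until: Tue, 30 Jan 2024 08:13:08 UTC\nSHA256:\n"
    f" {sha256_hex(PACKAGES_CONTENT)} {len(PACKAGES_CONTENT):8d} {PACKAGES_PATH}\n"
    f" {'ab' * 32}    12345 main/binary-arm64/Packages\n"
)

def parse_release(text: str):
    """Return (header fields, {path: (sha256, size)}) from the SHA256 block."""
    fields, files, in_sha = {}, {}, False
    for line in text.splitlines():
        if in_sha and line.startswith(" "):      # indented lines are file entries
            digest, size, path = line.split()
            files[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        in_sha = key == "SHA256" and not value.strip()
        if key and not in_sha:
            fields[key] = value.strip()
    return fields, files

def release_expired(fields: dict, now_text: str) -> bool:
    """Stale-mirror check: apt rejects the index once Valid-Until has passed."""
    fmt = "%a, %d %b %Y %H:%M:%S %Z"
    return datetime.strptime(now_text, fmt) > datetime.strptime(fields["Valid-Until"], fmt)

def verify_files(files: dict, served: dict) -> dict:
    """Compare what a mirror serves ({path: bytes}) with the signed index."""
    result = {}
    for path, (digest, size) in files.items():
        data = served.get(path)
        if data is None:
            result[path] = "missing"        # mirror dropped a listed file
        elif len(data) != size or sha256_hex(data) != digest:
            result[path] = "mismatch"       # substituted or modified file
        else:
            result[path] = "ok"
    return result
```

A mirror that withholds a listed Packages file shows up as "missing", one that swaps in an older copy as "mismatch", and a mirror that stops syncing trips the Valid-Until check about a week after the last good sync, which is the limit DPM and t42 arrive at above.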