Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

New Google repository for mod_pagespeed

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
User avatar
danjde
Posts: 7
Joined: 2017-08-22 14:36
Location: Italy

New Google repository for mod_pagespeed

#1 Post by danjde »

Hi Friends,
I've installed on my VPS Debian Jessie, Apache mod-pagespeed.
Then I've realized a new Google repo entry:

Code: Select all

  /etc/apt/sources.list.d/mod-pagespeed.list:deb http://dl.google.com/linux/mod-pagespeed/deb/ stable main
My question is:

Can we consider the use of Google repositories on a production VPS sufficiently secure?

Many thanks!


Davide
cosmogoniA
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e

Bulkley
Posts: 6382
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: New Google repository for mod_pagespeed

#2 Post by Bulkley »

So how did that link get into /etc/apt/sources.list.d/ ? I followed the link and got 404. At this point I don't think it does anything but I suggest you watch your updates very carefully.

Personally I try not to use Google repositories for anything. If I found that on my machine I would remove it.

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: New Google repository for mod_pagespeed

#3 Post by debiman »

question is, how did you install mod-pagespeed?

i also wouldn't trust google on my system.

bedtime
Posts: 146
Joined: 2012-12-16 19:34
Has thanked: 1 time
Been thanked: 6 times

Re: New Google repository for mod_pagespeed

#4 Post by bedtime »

I have to agree with the first two posters.

It seems that whatever Google is offering, they are only using it as another tool to extract data from your pc and sell it.

So no matter what it is they are giving, it's not worth it.

User avatar
danjde
Posts: 7
Joined: 2017-08-22 14:36
Location: Italy

Re: New Google repository for mod_pagespeed

#5 Post by danjde »

@ debiman: question is, how did you install mod-pagespeed?
This is the real question!
And my answer could be "as usual" by apt.
Certainly I did not add the google repository manually, I would never do it !! This is precisely what leaves me baffled!

But looking into /etc/apt/sources.list.d/ I've found: mod-pagespeed.list where the content:

Code: Select all

### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb http://dl.google.com/linux/mod-pagespeed/deb/ stable main
I repeat, I'm really baffled!

So the question now is: if this file is auto generated or auto configured, ho I could remove it??
And where did he come from?

I've run:

Code: Select all

dpkg -S /etc/apt/sources.list.d/mod-pagespeed.list
obtaining:

Code: Select all

dpkg-query:no path corresponding to /etc/apt/sources.list.d/mod-pagespeed.list
so I've installed apt-file and then run:

apt-file update

obtaining:

[...]

100 334 100 334 0 0 5803 0 --:--:-- --:--:-- --:--:-- 5859
100 5854k 100 5854k 0 0 9935k 0 --:--:-- --:--:-- --:--:-- 12.5M
Ignoring source without Contents File:
http://dl.google.com/linux/mod-pagespee ... s-amd64.gz


Then if I try to run "dpkg -l |grep google":

obtain "nothing"

and nothing running:

Code: Select all

apt-file find mod-pagespeed.list
I do not know what to think!

@bedtime: It seems that whatever Google is offering, they are only using it as another tool to extract data from your pc and sell it.
This is also one of my concerns!


Many thanks to all!

Davide
cosmogoniA
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e

User avatar
danjde
Posts: 7
Joined: 2017-08-22 14:36
Location: Italy

Re: New Google repository for mod_pagespeed

#6 Post by danjde »

I've found something.
I had manually installed "mod-pagespeed" and within the same package is located "/etc/cron.daily/mod-pagespeed", where contains:

Code: Select all

[..]
# System-wide package configuration.
DEFAULTS_FILE="/etc/default/mod-pagespeed"

# sources.list setting for mod-pagespeed updates.
REPOCONFIG="deb http://dl.google.com/linux/mod-pagespeed/deb/ stable main"

APT_GET="`which apt-get 2> /dev/null`"
APT_CONFIG="`which apt-config 2> /dev/null`"

SOURCES_PREAMBLE="### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.\n"

# Parse apt configuration and return requested variable value.
apt_config_val() {
  APTVAR="$1"
  if [ -x "$APT_CONFIG" ]; then
    "$APT_CONFIG" dump | sed -e "/^$APTVAR /"'!d' -e "s/^$APTVAR \"\(.*\)\".*/\1/"
  fi
}

# Install the repository signing key (see also:
# http://www.google.com/linuxrepositories/aboutkey.html)
install_key() {
  APT_KEY="`which apt-key 2> /dev/null`"
  if [ -x "$APT_KEY" ]; then
    "$APT_KEY" add - >/dev/null 2>&1 <<KEYDATA
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

[..]
So the mystery is soon solved, it is the same package that installs its new repository ....
Without communicating anything to the user, crazy !!!!!!

Removing package mod_pagespeed all (I hope!) should be came back to the normality...
cosmogoniA
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: New Google repository for mod_pagespeed

#7 Post by debiman »

^ there you are.
i assume you installed it from a .deb downloaded directly from some google-affiliated website.

btw, they (google) do the same thing for chrome, and i have seen debian installs broken because of it.

User avatar
danjde
Posts: 7
Joined: 2017-08-22 14:36
Location: Italy

Re: New Google repository for mod_pagespeed

#8 Post by danjde »

@debiman: i assume you installed it from a .deb downloaded directly from some google-affiliated website.
Sure!
@debiman: btw, they (google) do the same thing for chrome, and i have seen debian installs broken because of it.
crazy!!!! Remains only that google also enter into the linux servers!!
cosmogoniA
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: New Google repository for mod_pagespeed

#9 Post by debiman »

danjde wrote:Sure!
erm.
you know that that is not the debian way?

User avatar
danjde
Posts: 7
Joined: 2017-08-22 14:36
Location: Italy

Re: New Google repository for mod_pagespeed

#10 Post by danjde »

yes, I was superficial and hurried, I was wrong!
cosmogoniA
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e

Post Reply