-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Steinar H. Gunderson wrote:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
What are people's thoughts on this?
It's been known for quite a while. (I asked one of the guys publishing it,
and he
On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson [EMAIL PROTECTED] was
heard to say:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
What are people's thoughts on this?
I don't see
On Sun, 2008-07-13 at 02:13 +0200, Franklin PIAT wrote:
Hello,
On Sat, 2008-07-12 at 23:13 +, Joe Smith wrote:
Andrei Popescu andreimpopescu at gmail.com writes:
One costly solution would be to get the client the send a challenge to a
trusted server, which would respond by
On Sun, 2008-07-13 at 16:19 +0930, Karl Goetz wrote:
On Sun, 2008-07-13 at 02:13 +0200, Franklin PIAT wrote:
Hello,
On Sat, 2008-07-12 at 23:13 +, Joe Smith wrote:
Andrei Popescu andreimpopescu at gmail.com writes:
One costly solution would be to get the client the send a
Florian Weimer fw at deneb.enyo.de writes:
* Ron Johnson:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
What are people's thoughts on this?
HTTPS doesn't help against non-trusted mirrors.
The difficult question is how to tell an
On Sat,12.Jul.08, 06:12:33, Joe Smith wrote:
However, if the security updates come from trusted security mirrors rather
than
a general mirror, that attack would fail too. So with the exception of Sid or
Testing users that do not use the testing-security system to receive security
updates,
Andrei Popescu andreimpopescu at gmail.com writes:
How about distributing the Release files *only* from a trusted server?
Regards,
Andrei
That is problematic, as it does not deal with mirror synchronization properly.
If a mirror takes a few hours to update, it's Packages files may not be up
Hello,
On Sat, 2008-07-12 at 23:13 +, Joe Smith wrote:
Andrei Popescu andreimpopescu at gmail.com writes:
How about distributing the Release files *only* from a trusted server?
The other attack I mentioned (the attack of attempting to exploit a flaw in
any
client that requests a
Joe Smith wrote:
However, if the security updates come from trusted security mirrors rather than
a general mirror, that attack would fail too. So with the exception of Sid or
Testing users that do not use the testing-security system to receive security
updates, Debian really is not terribly
On Sun, Jul 13, 2008 at 02:13:08AM +0200, Franklin PIAT wrote:
If we also consider the fact that the computer local time might be wrong
(hwclock bug + a ntp man-in-the-middle...), re-signing the files doesn't
help either [in this very specific case].
I think that your average user would notice
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
What are people's thoughts on this?
- --
Ron Johnson, Jr.
Jefferson LA USA
Kittens give Morbo gas. In lighter news, the city of New New
York is
On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
What are people's thoughts on this?
It's been known for quite a while. (I asked one of the guys publishing it,
and he was fully aware of
Maybe a check should be added to APT to flag a warning if there has been no
updates for a significant period of time? That way if a mirror ever does
that, its more detectable.
Michael
On Fri, Jul 11, 2008 at 8:55 AM, Steinar H. Gunderson
[EMAIL PROTECTED] wrote:
On Fri, Jul 11, 2008 at
* Ron Johnson:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
What are people's thoughts on this?
HTTPS doesn't help against non-trusted mirrors.
The difficult question is how to tell an APT source which is not updated
regularly from an APT
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It doesn't have to have updated packages, maybe have something like this
APT-Ping: *timestamp*
and then push out a new packages file with just an updated timestamp in it.
Michael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
Maybe a check should be added to APT to flag a warning if there has been no
updates for a significant period of time? That way if a mirror ever does
that, its more detectable.
That really doesn't make any sense for stable
On Sat, 12 Jul 2008, Frank Lichtenheld wrote:
On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
Maybe a check should be added to APT to flag a warning if there has been no
updates for a significant period of time? That way if a mirror ever does
that, its more detectable.
17 matches
Mail list logo