Hi,

Summary:
--------

If you used the default pacman mirrorlists, your system is not up to date.

http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch was the default mirror in /etc/pacman.d/mirrorlist

That mirror was not updated for a while, so people using the default configuration are still stuck with an old mirrorlist pointing to a mirror that is not updated anymore...

How to check if you are affected:
---------------------------------

> # pacman -Q -o /etc/pacman.d/mirrorlist
> /etc/pacman.d/mirrorlist is owned by pacman-mirrorlist 20151101-1.parabola1
> # mkdir tmp && cd tmp && tar \
> xf /var/cache/pacman/pkg/pacman-mirrorlist-20151101-1.parabola1-any.pkg.tar.xz
> # diff -u etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist ; echo $?
> 0
> # grep "^Server" /etc/pacman.d/mirrorlist | head -n1
> Server = http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch

How should Parabola deal with it:
---------------------------------

We need various solutions, for shorter and longer term.

As for shorter term, we probably need to make sure the mirrorlist is coming from a trusted mirror that can be updated. We should of course use transports that can't be tampered with, such as https or onion services. Else a man in the middle can just replace what is being downloaded with older versions.

We should also warn the users on the parabola website as soon as possible.

I should also do a proper bug report. I've also no idea how CVEs are created.

Medium term:
------------

We might want to split the db update files from the packages, and make the parabola infrastructure serve them, still with a transport that can't be tampered with to avoid man in the middle attacks.

Long term:
----------

We should make sure that pacman updates the db files safely, in a distributed manner. I've also heard about an update framework that addresses some of the issues, https://theupdateframework.github.io/ , but I didn't look into it yet.

Denis.
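Added example, not part of the mail above: a POSIX shell reproduction of the "how to check if you are affected" procedure, run on constructed mirrorlist files so it works without pacman or the package cache. It also classifies the first Server URL by transport, flagging plain http as tamperable and https or an .onion host as safe; the helper names, temporary file names and the example.invalid host are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes a mirrorlist uses
# "Server = URL" lines and "#" comments, as pacman's /etc/pacman.d/mirrorlist does.

# Print the first enabled Server URL in a mirrorlist file (empty if none).
first_server() {
    sed -n 's/^[[:space:]]*Server[[:space:]]*=[[:space:]]*//p' "$1" | head -n1
}

# Classify a mirror URL by transport: "safe" for https:// or a .onion host
# (cannot be silently replaced in transit), "plain" for anything else.
transport_class() {
    case "$1" in
        https://*) echo safe ;;
        http://*.onion/*|http://*.onion) echo safe ;;
        *) echo plain ;;
    esac
}

# Compare the installed mirrorlist ($1) with the packaged copy ($2).
# Succeeds when they are byte-identical, i.e. the file was never edited
# (the mail's "diff -u ...; echo $?" printing 0).
mirrorlist_is_default() {
    cmp -s "$1" "$2"
}

# Print "affected" when the installed mirrorlist is still the packaged
# default AND its first server is the stale mirror over a plain transport;
# print "ok" otherwise. Arguments: installed file, packaged file, stale URL.
check_affected() {
    if mirrorlist_is_default "$1" "$2"; then
        url=$(first_server "$1")
        if [ "$url" = "$3" ] && [ "$(transport_class "$url")" = plain ]; then
            echo affected
            return 0
        fi
    fi
    echo ok
}

# Constructed sample files standing in for /etc/pacman.d/mirrorlist and the
# copy extracted from the pacman-mirrorlist package (values from the mail).
STALE='http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch'
TMP=$(mktemp -d)
printf '# packaged default\nServer = %s\n' "$STALE" > "$TMP/packaged"
cp "$TMP/packaged" "$TMP/installed"
printf '# edited by admin\nServer = https://example.invalid/$repo/os/$arch\n' > "$TMP/edited"

check_affected "$TMP/installed" "$TMP/packaged" "$STALE"   # affected
check_affected "$TMP/edited" "$TMP/packaged" "$STALE"      # ok
```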
_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
