On Sun, 14 Feb 2016 20:42:02 +0000 Josh Branning <[email protected]> wrote:
> Thanks for telling about this. I commented out the line and it seems
> to work ok for now.

It does, after upgrading you can even put back the new default mirrorlist since it has been updated.

My main concerns about that issue are:
-> Many users don't know about it, they used the default configuration and are trapped (forever?) in the past.
-> Parabola is vulnerable to outdated mirrors, and Parabola developers can't do anything about it when it happens. Affected systems live in the past.

And that doesn't even take into account MITM or malicious mirrors. MITM is very easy to fix, assuming we find a way to enforce good https for all mirrors, onion services don't need fixes. As for malicious mirrors, we can at least detect them, and with an http redirect, not make them the first mirror used.

I really hope that bug report will be taken into account by Parabola developers, and not forgotten and left rotting in the bug tracker.

We should also look if there are any vulnerable packages inside that outdated mirror. Firefox derivatives such as icecat and iceweasel might have some, since they are older than the ones in the up-to-date mirrors.

I've added more information in https://labs.parabola.nu/issues/933

Denis.
_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
