There has been a proof of concept where a group of people injected bad packages into a distribution by asking to be a mirror and providing erroneous updates (1). The issue is not that they provided spoofed, hacked or broken packages, which would fail with a bad signature (or the user would have to add the key to their keyring), but that they used old packages whose version information they updated. An example for GoboLinux would be to repack an old version, Foo--1.2--i686.tar.bz2, as Foo--2.3--i686.tar.bz2, and our tools would be fooled into thinking that the latter was an update/later version (you would also change the name of the version directory in the tarball). This meant that users who used that "mirror" would get "updates" that weren't always up to date and might even have security issues. We need to add version information to our packages; any idea on a good scheme for that?
-- /Jonas

1) http://it.slashdot.org/article.pl?sid=08/07/10/227220

Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
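As an added example (not from the post above or from GoboLinux's own tools), one way to make the repacked-old-version trick detectable: ship a signed record of the package name, version and payload hash inside the package, and have the updater check it against the file name and the installed version. The manifest format, helper names and the HMAC stand-in for a real signing key are assumptions.

```python
import hashlib, hmac, json, re

# Constructed stand-in for the distribution's signing key; a real scheme would
# use an asymmetric signature so a mirror cannot forge manifests.
SIGNING_KEY = b"constructed-demo-key"
NAME_RE = re.compile(r"^(?P<name>.+?)--(?P<version>.+?)--(?P<arch>.+?)\.tar\.bz2$")

def parse_package_name(filename):
    """Split 'Foo--2.3--i686.tar.bz2' into ('Foo', '2.3', 'i686')."""
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised package file name: {filename}")
    return m.group("name"), m.group("version"), m.group("arch")

def version_key(version):
    """Comparable key: numeric parts compare as ints, so 1.10 > 1.9."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.-]", version))

def make_manifest(name, version, payload):
    """Signed (name, version, payload hash) record shipped inside the package."""
    body = json.dumps({"name": name, "version": version,
                       "sha256": hashlib.sha256(payload).hexdigest()}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_update(filename, payload, manifest, installed_version):
    """Return (ok, reason). Rejects forged manifests, mismatched payloads, file
    names whose version disagrees with the signed manifest, and downgrades."""
    name, file_version, _arch = parse_package_name(filename)
    expected = hmac.new(SIGNING_KEY, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, "manifest signature invalid"
    meta = json.loads(manifest["body"])
    if meta["sha256"] != hashlib.sha256(payload).hexdigest():
        return False, "payload does not match signed manifest"
    if (meta["name"], meta["version"]) != (name, file_version):
        return False, f"file name says {name} {file_version}, signed manifest says {meta['name']} {meta['version']}"
    if version_key(meta["version"]) <= version_key(installed_version):
        return False, f"{meta['version']} is not newer than installed {installed_version}"
    return True, "ok"

# Constructed sample packages: a mirror can rename Foo--1.2 to Foo--2.3 but
# cannot produce a signed manifest that claims version 2.3 for the old payload.
OLD_PAYLOAD, NEW_PAYLOAD = b"Foo 1.2 contents", b"Foo 2.3 contents"
MANIFEST_12 = make_manifest("Foo", "1.2", OLD_PAYLOAD)
MANIFEST_23 = make_manifest("Foo", "2.3", NEW_PAYLOAD)

def demo():
    """Outcome for a genuine update, a repacked old version, and a downgrade."""
    return {
        "genuine": verify_update("Foo--2.3--i686.tar.bz2", NEW_PAYLOAD, MANIFEST_23, "1.2")[0],
        "repacked": verify_update("Foo--2.3--i686.tar.bz2", OLD_PAYLOAD, MANIFEST_12, "1.2")[0],
        "downgrade": verify_update("Foo--1.2--i686.tar.bz2", OLD_PAYLOAD, MANIFEST_12, "2.3")[0],
    }
```

Because the version lives inside the signed manifest rather than only in the file name or the tarball's directory name, renaming the archive no longer changes what the updater believes it is installing.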