On Fri, Jul 11, 2008 at 3:43 AM, Jonas Karlsson <[EMAIL PROTECTED]> wrote:
> There has been a proof of concept where a group of people has injected
> bad packages into a distribution by asking to be a mirror and providing
> erroneous updates (1).
> The issue is not that they provided spoofed, hacked or broken packages,
> which would fail with bad signature (or the user had to add the key to
> their keyring), but they used old packages which they updated version
> information for. An example for GoboLinux would be to repack an old
> version, Foo--1.2--i686.tar.bz2 as Foo--2.3--i686.tar.bz2 and our tools
> would be fooled to think that the latter was an update/later version
> (you would also change the name of the version directory in the tarball).
> This meant that users that used that "mirror" would get "updates" that
> weren't always up to date and even might have security issues.
> We need to add version information to our packages, any idea on a good
> scheme for that?

Yes, we just need to add the full path to the FileHash file entries.
If they are tampered with, FileHash.sig will alert. Fix committed to
svn.

-- Hisham
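The downgrade the thread describes, and why full paths in the signed manifest catch it, as an added example that is not GoboLinux's own code: a text of "sha256  entry" lines stands in for FileHash, its FileHash.sig check is assumed to have already passed (so the attacker can rename the tarball and its version directory but not rewrite the manifest), and the <Name>/<Version>/ tarball layout and SHA-256 are assumptions.

```python
import hashlib
import io
import tarfile


def build_tarball(name, version, files):
    """In-memory tarball laid out as <Name>/<Version>/<file> (assumed layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(f"{name}/{version}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_filehash(name, version, files, full_paths):
    """Stand-in for FileHash: 'sha256  entry' lines, bare names or full paths."""
    entry = (lambda rel: f"{name}/{version}/{rel}") if full_paths else (lambda rel: rel)
    return "\n".join(f"{hashlib.sha256(d).hexdigest()}  {entry(rel)}"
                     for rel, d in files.items())


def verify(tarball, claimed_name, claimed_version, filehash, full_paths):
    """Return (ok, reason). Hashes are always checked; the version path only
    when the (signed) manifest carries full paths."""
    expected = {}
    for line in filehash.splitlines():
        digest, entry = line.split("  ", 1)
        expected[entry] = digest
    prefix = f"{claimed_name}/{claimed_version}/"
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(tarball)) as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            if not m.name.startswith(prefix):
                return False, f"unexpected path {m.name}"
            entry = m.name if full_paths else m.name[len(prefix):]
            digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            if expected.get(entry) != digest:
                return False, f"{entry}: missing from manifest or hash mismatch"
            seen.add(entry)
    if seen != set(expected):
        return False, "manifest lists files absent from tarball"
    return True, "ok"


FILES = {"bin/foo": b"old binary 1.2"}  # constructed sample content


def downgrade_attack_detected(full_paths):
    """A mirror repacks Foo--1.2 as Foo--2.3 (version directory renamed) and
    ships it with the genuine, signed 1.2 manifest."""
    filehash = make_filehash("Foo", "1.2", FILES, full_paths)
    repacked = build_tarball("Foo", "2.3", FILES)
    ok, _ = verify(repacked, "Foo", "2.3", filehash, full_paths)
    return not ok
```

With bare file names every hash still matches, so the relabelled old package is accepted; with full paths the manifest entry Foo/1.2/bin/foo never matches Foo/2.3/bin/foo and the package is rejected.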
_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel