On 06.05.2010 22:48, Denis A. Altoé Falqueto wrote:
> But this doesn't solve the problem of a replay attack (as pointed by
> Dan, some emails above), where an evil mirror admin puts an old
> validly signed repo.db to force some user to download a validly signed
> old package with a known vulnerability. This is tougher to solve. We
> would need some guaranteed way to tell if the downloaded repo.db is
> really the latest..... No ideas for now.
Add the date when the database was signed (inside of the same signature
of course) and when updating the database (not when installing a
package) let pacman check if this date is at maximum 1 or 2 days old.
This requires low mirror delays though.
If there are no updates for 2 days, some dev would have to re-sign the
database, but that's quite unlikely and acceptable I think.
Pacman should also check if the new date is more recent than the old one.
--
Florian Pritz -- {flo,[email protected]
signature.asc
Description: OpenPGP digital signature
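One way to implement the check proposed above, as an added example that is not pacman code and not part of the original thread. It puts the signing time inside the signed payload, rejects a database whose signing time is older than the allowed window, and rejects one whose signing time is not newer than the database already installed. The HMAC key, the two-day window, the one-hour clock-skew allowance and the sample database contents are all assumptions made here so the example runs offline; pacman would verify an OpenPGP signature over the same payload instead of an HMAC.

```python
"""Freshness check for a signed repo.db with the signing time inside the
signature, as sketched in the message above.

The signature is an HMAC stand-in over (db bytes || signing time) using a
hypothetical shared key so the example runs offline. A real implementation
would verify the maintainer's OpenPGP signature over the same payload.
"""
import hashlib
import hmac
import struct

DAY = 24 * 3600
MAX_AGE = 2 * DAY            # "at maximum 1 or 2 days old" (assumed: 2 days)
CLOCK_SKEW = 3600            # assumed tolerance for the client's clock
KEY = b"hypothetical-repo-signing-key"   # stand-in for the dev's private key


def sign_db(db_bytes: bytes, signed_at: int, key: bytes = KEY) -> bytes:
    """Signature covering both the database and the time it was signed.

    Because signed_at is part of the signed payload, a mirror cannot
    bump the timestamp on an old database without invalidating the signature.
    """
    payload = db_bytes + struct.pack(">Q", signed_at)
    return hmac.new(key, payload, hashlib.sha256).digest()


def check_db(db_bytes: bytes, signed_at: int, sig: bytes, now: int,
             last_signed_at, key: bytes = KEY, max_age: int = MAX_AGE):
    """Return (accepted, reason) for a freshly downloaded repo.db.

    last_signed_at is the signing time recorded for the database already
    installed locally, or None on the very first sync.
    """
    # 1. Signature over db + timestamp must verify before the timestamp
    #    is trusted at all.
    if not hmac.compare_digest(sign_db(db_bytes, signed_at, key), sig):
        return False, "bad signature"
    # 2. Reject timestamps implausibly far in the future (clock skew).
    if signed_at > now + CLOCK_SKEW:
        return False, "signed in the future"
    # 3. Reject a database signed too long ago: this is what defeats a
    #    mirror serving an old but validly signed repo.db.
    if now - signed_at > max_age:
        return False, "stale"
    # 4. Signing time must move forward relative to what is installed,
    #    so a still-fresh but older database cannot roll the client back.
    if last_signed_at is not None and signed_at <= last_signed_at:
        return False, "older than current"
    return True, "ok"


# Constructed sample data: three database snapshots signed at different times.
NOW = 1273179600                 # roughly 6 May 2010, the date of this thread
T_OLD = NOW - 10 * DAY           # a database signed ten days ago
T_MID = NOW - 36 * 3600          # signed 36 hours ago
T_NEW = NOW - DAY                # signed one day ago
DB_OLD = b"%FILENAME%\nfoo-1.0-1\n"
DB_MID = b"%FILENAME%\nfoo-1.1-1\n"
DB_NEW = b"%FILENAME%\nfoo-1.2-1\n"


def scenarios() -> dict:
    """Run the replay/rollback cases the thread is worried about."""
    return {
        # first sync, current database: accepted
        "first_sync": check_db(DB_NEW, T_NEW, sign_db(DB_NEW, T_NEW), NOW, None),
        # evil mirror serves the ten-day-old database: too old
        "replay_old": check_db(DB_OLD, T_OLD, sign_db(DB_OLD, T_OLD), NOW, T_NEW),
        # mirror serves a database that is within the window but older than
        # the one already installed: rollback caught by the monotonic check
        "rollback": check_db(DB_MID, T_MID, sign_db(DB_MID, T_MID), NOW, T_NEW),
        # mirror rewrites the timestamp on the old database to look fresh:
        # the signature no longer matches
        "forged_time": check_db(DB_OLD, NOW, sign_db(DB_OLD, T_OLD), NOW, None),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:12s} accepted={ok!s:5s} reason={reason}")
```

The order of the checks matters: the timestamp is only consulted after the signature over database-plus-timestamp verifies, so a mirror cannot influence any of the later decisions. The "older than current" check is the one that costs nothing at the mirror end, while the "stale" check is what imposes the low-mirror-delay requirement mentioned above.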
