-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Steinar H. Gunderson wrote:
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>>
>> What are people's thoughts on this?
>
> It's been known for quite a while. (I asked one of the guys publishing it,
>
"Brian May" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Joe Smith wrote:
However, if the security updates come from trusted security mirrors
rather than
a general mirror, that attack would fail too. So with the exception of
Sid or
Testing users that do not use the testing-secu
On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson <[EMAIL PROTECTED]> was
heard to say:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?
I don't
On Sun, 2008-07-13 at 16:19 +0930, Karl Goetz wrote:
> On Sun, 2008-07-13 at 02:13 +0200, Franklin PIAT wrote:
> > Hello,
> >
> > On Sat, 2008-07-12 at 23:13 +, Joe Smith wrote:
> > > Andrei Popescu gmail.com> writes:
> > >
>
> >
> > One costly solution would be to get the client the send
On Sun, 2008-07-13 at 02:13 +0200, Franklin PIAT wrote:
> Hello,
>
> On Sat, 2008-07-12 at 23:13 +, Joe Smith wrote:
> > Andrei Popescu gmail.com> writes:
> >
>
> One costly solution would be to get the client the send a challenge to a
> trusted server, which would respond by gpg-signed th
On Sun, Jul 13, 2008 at 02:13:08AM +0200, Franklin PIAT wrote:
If we also consider the fact that the computer local time might be wrong
(hwclock bug + a ntp man-in-the-middle...), re-signing the files doesn't
help either [in this very specific case].
I think that your average user would notice
Joe Smith wrote:
However, if the security updates come from trusted security mirrors rather than
a general mirror, that attack would fail too. So with the exception of Sid or
Testing users that do not use the testing-security system to receive security
updates, Debian really is not terribly vulne
Hello,
On Sat, 2008-07-12 at 23:13 +, Joe Smith wrote:
> Andrei Popescu gmail.com> writes:
>
> > How about distributing the Release files *only* from a trusted server?
> The other attack I mentioned (the attack of attempting to exploit a flaw in
> any
> client that requests a security upda
Andrei Popescu gmail.com> writes:
> How about distributing the Release files *only* from a trusted server?
>
> Regards,
> Andrei
That is problematic, as it does not deal with mirror synchronization properly.
If a mirror takes a few hours to update, it's Packages files may not be up to
date duri
On Sat,12.Jul.08, 06:12:33, Joe Smith wrote:
> However, if the security updates come from trusted security mirrors rather
> than
> a general mirror, that attack would fail too. So with the exception of Sid or
> Testing users that do not use the testing-security system to receive security
> updat
Florian Weimer deneb.enyo.de> writes:
>
> * Ron Johnson:
>
> >
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> >
> > What are people's thoughts on this?
>
> HTTPS doesn't help against non-trusted mirrors.
>
> The difficult question is how to t
On Sat, 12 Jul 2008, Frank Lichtenheld wrote:
> On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
> > Maybe a check should be added to APT to flag a warning if there has been no
> > updates for a significant period of time? That way if a mirror ever does
> > that, its more detect
On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
> Maybe a check should be added to APT to flag a warning if there has been no
> updates for a significant period of time? That way if a mirror ever does
> that, its more detectable.
That really doesn't make any sense for stable us
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It doesn't have to have updated packages, maybe have something like this
APT-Ping: *timestamp*
and then push out a new packages file with just an updated timestamp in it.
Michael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comme
* Ron Johnson:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?
HTTPS doesn't help against non-trusted mirrors.
The difficult question is how to tell an APT source which is not updated
regularly from an APT
Maybe a check should be added to APT to flag a warning if there has been no
updates for a significant period of time? That way if a mirror ever does
that, its more detectable.
Michael
On Fri, Jul 11, 2008 at 8:55 AM, Steinar H. Gunderson <
[EMAIL PROTECTED]> wrote:
> On Fri, Jul 11, 2008 at 07:36:
On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?
It's been known for quite a while. (I asked one of the guys publishing it,
and he was fully aware
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
What are people's thoughts on this?
- --
Ron Johnson, Jr.
Jefferson LA USA
"Kittens give Morbo gas. In lighter news, the city of New New
York is doome
18 matches
Mail list logo