(dropping debian-release@ from CC)

Florian Weimer wrote:
> * Eugene V. Lyubimkin:
>
>> Florian Weimer wrote:
>>> And if Valid-Until is only checked against the real-time clock, the
>>> attacker can still feed bad data over NTP, so it's not even a complete
>>> defense. 8-(
>> However, it seems there is no better solution, or is there?
>
> A counter in the style of a Lamport clock should work, or checking
> that the Valid-Until header does not recede in time.

It seems that Lamport clock is primarily designed for distributed systems and always-in-work processes, which is not the APT's case, unless we create an unstoppable APT daemon.

Second approach... well, the bad guy can start/stop clock for every APT run, with some small seed, e.g. 1 minute or similar. So, delaying the time is possible for quite a long time after Valid-Until value. Generally, I assume that delaying the clock for at least 1 day would leave very suspicious info in logs, webserver timestamps i.e., and such a case would be easily captured by a (good?) system administrator.

Also I assume that security team prefers having checking against the real-time clock than having no mechanism at all. Am I wrong?

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian Maintainer, APT contributor
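Added example, not part of the original message and not APT's code: a sketch of the two checks discussed in the thread, a Valid-Until comparison against a clock that is never allowed to run backwards (one reading of the "Lamport-style counter") plus a test that Valid-Until does not recede. The persisted `state` dict, the function names and the sample Release headers are assumptions constructed for illustration.

```python
from email.utils import parsedate_to_datetime

def parse_release(text):
    """Extract Date and Valid-Until from Release-style headers as aware datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Date", "Valid-Until"):
            fields[key] = parsedate_to_datetime(value.strip())
    return fields

def check_release(text, now, state):
    """Return the reasons to reject this Release (empty list means accept).

    `state` is a hypothetical dict persisted between runs. state["clock"] is a
    logical clock: the latest time ever observed, taken from the local clock
    or from the Date of an accepted Release. It never moves backwards.
    """
    f = parse_release(text)
    if "Date" not in f or "Valid-Until" not in f:
        return ["missing Date or Valid-Until"]
    # Lamport-style merge: believe whichever is later, the clock or our memory.
    logical_now = max(now, state.get("clock", now))
    problems = []
    if logical_now > f["Valid-Until"]:
        problems.append("expired")
    if "valid_until" in state and f["Valid-Until"] < state["valid_until"]:
        problems.append("Valid-Until receded")
    state["clock"] = logical_now if problems else max(logical_now, f["Date"])
    if not problems:
        state["valid_until"] = f["Valid-Until"]
    return problems

def utc(stamp):
    """Parse a Release-style timestamp such as 'Sat, 02 May 2009 12:00:00 UTC'."""
    return parsedate_to_datetime(stamp)

# Constructed sample headers, not real archive data.
OLD = "Origin: Example\nDate: Sat, 02 May 2009 12:00:00 UTC\nValid-Until: Sat, 09 May 2009 12:00:00 UTC\n"
NEW = "Origin: Example\nDate: Sat, 16 May 2009 12:00:00 UTC\nValid-Until: Sat, 23 May 2009 12:00:00 UTC\n"

if __name__ == "__main__":
    state = {}
    print(check_release(NEW, utc("Sun, 17 May 2009 12:00:00 UTC"), state))
    # Clock rolled back and an older Release replayed: both checks fire.
    print(check_release(OLD, utc("Sun, 03 May 2009 12:00:00 UTC"), state))
    # A client with no history and a held-back clock has nothing to compare to.
    print(check_release(OLD, utc("Sun, 03 May 2009 12:00:00 UTC"), {}))
```

The last call shows the limit raised in the message: with no newer Release ever seen and the clock held back from the start, neither check can fire.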