On Sun, Jun 6, 2010 at 1:34 PM, David Kalnischkies
wrote:
> In regards to APT i will have a look later how to implement it,
> hints regarding a good error message are welcomed
> as i can currently only think about stuff like:
>>
> W: http://debian.example.org squeeze Release: The Validation da
2010/6/6 Joey Hess :
> Josselin Mouette wrote:
>> It does. If you don’t re-run “apt-get update”, the signature will be
>> considered invalid.
>
> j...@gnu:~/tmp/apt-0.7.26~exp5>grep -i Valid-Until -r .
> zsh: exit 2 grep -i Valid-Until -r .
>
> What'm I missing?
Nothing - or at least I didn't
On Sun, Jun 6, 2010 at 5:31 AM, Florian Weimer wrote:
> * Fernando Lemos:
>
>> 1. Man-in-the-middle attacks between clients and security update servers
>> 2. Denial-of-service attacks to the security updates infrastructure
>> 3. No trusted servers for security updates for testing and unstable
>>
>
Josselin Mouette wrote:
> It does. If you don’t re-run “apt-get update”, the signature will be
> considered invalid.
j...@gnu:~/tmp/apt-0.7.26~exp5>grep -i Valid-Until -r .
zsh: exit 2 grep -i Valid-Until -r .
What'm I missing?
--
see shy jo
On Sun, 06 Jun 2010, Florian Weimer wrote:
> You'd have to fetch the root metadata from a trusted server over
> something like HTTPS (that is, something with authentication and a
> challenge-response component built in).
That wouldn't be a stupid design at all. It would also allow that root
meta
* Fernando Lemos:
> 1. Man-in-the-middle attacks between clients and security update servers
> 2. Denial-of-service attacks to the security updates infrastructure
> 3. No trusted servers for security updates for testing and unstable
>
> Using HTTPS for the security update infrastructure could solv
On Sunday, 06 June 2010 at 14:50 +0900, Ansgar Burchardt wrote:
> The Release file in the repository has now a Valid-Until field that
> invalidates the repository after some time without updates. This can be
> used to detect a mirror provided outdated packages.
>
> I am not sure whether APT che
Russ Allbery writes:
> There was some discussion of periodically resigning the security archive
> even if there are no updates so that package managers could warn if more
> than X days had gone by without an update to the security archive
> signatures. I don't know if anyone has concrete plans t
On Sun, Jun 6, 2010 at 1:37 AM, Michael Gilbert
wrote:
> All of the issues raised in this paper can be mitigated by a "proactive"
> user. Malicious mirror activity can be detected by paying attention to
> debsecan and the security tracker [0]. debsecan displays all known
> vulnerable packages on
Erik de Castro Lopo writes:
> Michael Gilbert wrote:
>> Of course the major flaw with this statement is that there aren't a
>> whole these "proactive" users. However, if there are enough, some will
>> spot the activity, and raise concern, which will ultimately protect
>> others when the evil mir
Michael Gilbert wrote:
> Of course the major flaw with this statement is that there aren't a
> whole these "proactive" users. However, if there are enough, some will
> spot the activity, and raise concern, which will ultimately protect
> others when the evil mirror is shut down.
Ok, my concerns
On Sun, 6 Jun 2010 12:28:27 +1000 Erik de Castro Lopo wrote:
> Hi All,
>
> Did anyone see this paper:
>
> A Look In the Mirror: Attacks on Package Managers
> http://www.cs.arizona.edu/~jhh/papers/ccs08.pdf
>
> It suggests that anyone who has control of a mirror can cause client
> machin
James Vega wrote:
> On Sun, Jun 06, 2010 at 12:28:27PM +1000, Erik de Castro Lopo wrote:
> > Did anyone see this paper:
> >
> > A Look In the Mirror: Attacks on Package Managers
> > http://www.cs.arizona.edu/~jhh/papers/ccs08.pdf
>
> See the previous discussion that already happened on th
On Sun, Jun 06, 2010 at 12:28:27PM +1000, Erik de Castro Lopo wrote:
> Did anyone see this paper:
>
> A Look In the Mirror: Attacks on Package Managers
> http://www.cs.arizona.edu/~jhh/papers/ccs08.pdf
See the previous discussion that already happened on this list:
http://lists.debian.org/