Re: Study: Attacks on package managers (inclusing apt)
"Jim Popovitch" <yahoo@jimpop.com> writes:
> On Thu, Jul 17, 2008 at 3:43 PM, Goswin von Brederlow <goswin-v-b@web.de> wrote:
>> The simple solution would be to create a Timestamp.gpg file that is
>> signed daily (as oppsoed to Release.gpg being signed only on updates)
>> and have apt-get warn if it gets old.
>
> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
> and not only on a master, the various .gpg files and packages can,
> even though difficult, be modified on the single mirror. IMHO,
> verification needs to have an alternate channel than the downloads.
>
> -Jim P.
They can not be modified since gpg protects against that.
They can only be replayed with an older version.
And then the timestamp will be old. => detectable.
MfG
Goswin
Reply to: