
Re: Package management unsafe?



Maybe a check should be added to APT to flag a warning if there have been no updates for a significant period of time? That way, if a mirror ever does that, it's more detectable.
Michael

On Fri, Jul 11, 2008 at 8:55 AM, Steinar H. Gunderson <sgunderson@bigfoot.com> wrote:
> On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>>
>> What are people's thoughts on this?
>
> It's been known for quite a while. (I asked one of the guys publishing it,
> and he was fully aware of that, but felt it was still important to bring
> light to it.)
>
> In any case, it's pretty hard to exploit as long as you have security updates
> on a different (trusted) server. The best thing you can do is DoS the process
> so the user's package management software crashes, or simply never update
> your mirror so users don't get updates.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
>
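
A sketch of the check proposed in this message, as an added example that is not part of the original thread and is not APT's own code: it reads the `Date` field of an archive `Release` file and reports metadata older than a threshold. The sample file contents and the seven-day limit are constructed for illustration, and the Release file is assumed to have already passed signature verification, so a mirror cannot alter the date.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of the header of an archive Release file (not real data).
SAMPLE_RELEASE = """\
Origin: Debian
Suite: unstable
Codename: sid
Date: Fri, 11 Jul 2008 08:14:05 UTC
Architectures: amd64 i386
"""


def release_date(release_text):
    """Return the Release file's Date field as an aware UTC datetime, or None."""
    for line in release_text.splitlines():
        if line[:1] in (" ", "\t"):  # continuation lines (checksum lists) are not fields
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            try:
                parsed = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):  # unparseable date: treat as missing
                return None
            if parsed.tzinfo is None:  # assumption: a zone-less date is UTC
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    return None


def mirror_status(release_text, now, max_age):
    """Classify mirror metadata as 'fresh', 'stale' or 'undated' at time `now`."""
    published = release_date(release_text)
    if published is None:
        return "undated", None  # no usable date: cannot prove freshness, so flag it
    age = now - published
    return ("stale" if age > max_age else "fresh"), age


if __name__ == "__main__":
    limit = timedelta(days=7)  # hypothetical threshold, tune per suite
    for now in (datetime(2008, 7, 12, tzinfo=timezone.utc),
                datetime(2008, 9, 1, tzinfo=timezone.utc)):
        status, age = mirror_status(SAMPLE_RELEASE, now, limit)
        print(f"{now:%Y-%m-%d}: {status} (metadata age: {age})")
```

The threshold has to fit the suite: a stable release's main archive legitimately goes unchanged for long stretches, while security and unstable archives change often.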
