
Re: A Look In the Mirror: Attacks on Package Managers



2010/6/6 Joey Hess <joeyh@debian.org>:
> Josselin Mouette wrote:
>> It does. If you don’t re-run “apt-get update”, the signature will be
>> considered invalid.
>
> joey@gnu:~/tmp/apt-0.7.26~exp5>grep -i Valid-Until -r .
> zsh: exit 2     grep -i Valid-Until -r .
>
> What'm I missing?

Nothing - or at least I didn't know about such a feature until now…
(Not impossible, but not very likely ;) )

A quick scan over the open bug reports also doesn't indicate that
it was requested so far.

Another quick look at non-official archives also indicates that it is
NOT commonly used (official debian and security use it,
backports not, anyone else?), so this should be propagated more?

Third one: reprepro has a ValidFor option to generate this stanza,
what about the others? (apt-ftparchive obviously doesn't so far)


In regards to APT I will have a look later at how to implement it;
hints regarding a good error message are welcome,
as I can currently only think about stuff like:
>>>>>
W: http://debian.example.org squeeze Release: The Validation date for
the archive has expired. (This can indicate an outdated mirror.)
<<<<<


Best regards,

David Kalnischkies
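As an added illustration of the check discussed in this thread (example code, not APT's implementation and not code from anyone in the thread): a small Python routine that parses the Valid-Until field of a Release file and emits the proposed warning once that date has passed. The sample Release stanzas, the mirror URL and the suite name are constructed for the example; an archive without Valid-Until is accepted here, which is a deliberate (lenient) assumption.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release stanzas (not copied from any real mirror);
# only the fields relevant to the expiry check are shown.
RELEASE_WITH_VALID_UNTIL = """\
Origin: Debian
Suite: squeeze
Date: Sat, 05 Jun 2010 10:00:00 UTC
Valid-Until: Sat, 12 Jun 2010 10:00:00 UTC
Architectures: amd64 i386
"""
RELEASE_WITHOUT_VALID_UNTIL = "Origin: Example\nSuite: squeeze\nDate: Sat, 05 Jun 2010 10:00:00 UTC\n"


def parse_rfc2822_utc(text):
    """Parse an RFC 2822 date as used in Release files into an aware UTC datetime."""
    dt = parsedate_to_datetime(text)
    if dt.tzinfo is None:          # "-0000" style dates come back naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_release_fields(text):
    """Return the single-line 'Key: value' fields of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():   # blank line or continuation (hash list) line
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_valid_until(release_text, now, url="http://debian.example.org", suite="squeeze"):
    """Return (accepted, message); accepted is False once Valid-Until has passed."""
    fields = parse_release_fields(release_text)
    if "Valid-Until" not in fields:
        # Archives that omit the field (most non-official ones, per the thread) cannot be
        # checked for freshness; accepting them is the lenient assumption made here.
        return True, f"N: {url} {suite} Release: no Valid-Until field, expiry not checked."
    expiry = parse_rfc2822_utc(fields["Valid-Until"])
    if now > expiry:
        return False, (f"W: {url} {suite} Release: The Validation date for "
                       f"the archive has expired. (This can indicate an outdated mirror.)")
    return True, f"I: {url} {suite} Release: valid until {expiry.isoformat()}."
```

Call `check_valid_until(RELEASE_WITH_VALID_UNTIL, parse_rfc2822_utc("Sun, 13 Jun 2010 10:00:00 UTC"))` to see the warning for a mirror still serving last week's Release file.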
