Re: Package management unsafe?

To: Ron Johnson <ron.l.johnson@cox.net>
Cc: debian-devel <debian-devel@lists.debian.org>
Subject: Re: Package management unsafe?
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 11 Jul 2008 17:51:54 +0200
Message-id: <[🔎] 87d4lkctb9.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 487753DC.5020802@cox.net> (Ron Johnson's message of "Fri, 11 Jul 2008 07:36:44 -0500")
References: <[🔎] 487753DC.5020802@cox.net>

* Ron Johnson:

> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?

HTTPS doesn't help against non-trusted mirrors.

The difficult question is how to tell an APT source which is not updated
regularly from an APT source that has been rolled back in a replay
attack.

Apart from that, this is clearly a PR stunt.  Next, we might see someone
who tries to get into the project, with the intent to upload Trojanized
packages--all in the name of academic research.

Reply to:

Follow-Ups:
- Re: Package management unsafe?
  - From: Joe Smith <unknown_kev_cat@hotmail.com>

References:
- Package management unsafe?
  - From: Ron Johnson <ron.l.johnson@cox.net>

Prev by Date: Re: Package management unsafe?
Next by Date: Re: RFC: Removal of user/groups
Previous by thread: Re: Package management unsafe?
Next by thread: Re: Package management unsafe?
Index(es):
- Date
- Thread