Re: Package management unsafe?
Andrei Popescu <andreimpopescu <at> gmail.com> writes:
> How about distributing the Release files *only* from a trusted server?
That is problematic, as it does not deal with mirror synchronization properly.
If a mirror takes a few hours to update, its Packages files may not be up to
date during those hours, resulting in apt claiming the Packages file is not
I see no benefits over re-signing the Release file daily, even if none of the
Packages files (and hence the checksums and Release file itself) have changed,
with apt then complaining if Release.gpg has a signature that is too old.
This adds security against the published attack for testing users who do not use
testing-security as well as sid users. It also helps warn users about
non-malicious stale mirrors. As my post made clear, stable is already secure
against the published attack.
The other attack I mentioned (the attack of attempting to exploit a flaw in any
client that requests a security update) cannot be fixed in the general case,
except by clients using a trusted server, or a trusted proxy that does not
reveal the true requesting system's IP.
Stable is safe because the security servers are trusted. Users of testing or sid
should choose servers they trust or some form of trusted proxy.
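The freshness check proposed above (re-sign Release daily, have the client reject a Release whose signature date is too old), as an added example that is not part of this thread or of apt's own code: it parses the cleartext Release file's Date header and SHA256 section, rejects a Release older than an assumed two-day policy, and only then accepts a Packages file whose checksum the Release lists. The sample Release and Packages contents are constructed, and verification of the Release.gpg signature itself is assumed to have already passed.

```python
import email.utils
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from any real mirror: a Packages index and the
# cleartext Release file listing its checksum (real Release files carry an RFC
# 2822 "Date:" header and per-file checksum sections). Verifying the Release.gpg
# signature is assumed to have happened before this code runs.
PATH = "main/binary-i386/Packages"
SAMPLE_PACKAGES = b"Package: example\nVersion: 1.0-1\nFilename: pool/main/e/example_1.0-1_i386.deb\n\n"
SAMPLE_RELEASE = (
    "Origin: Debian\nSuite: testing\n"
    "Date: Sat, 01 Jan 2005 12:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)} {PATH}\n"
)
# Assumed policy: with daily re-signing, a Release older than two days is stale
# (replayed by an attacker or served by a mirror that has not synced).
MAX_AGE = timedelta(days=2)

def parse_release(text):
    """Return (signing date, {path: (sha256 hex, size)}) from a Release file."""
    date, sums, in_sha256 = None, {}, False
    for line in text.splitlines():
        if in_sha256 and line.startswith(" "):
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
            continue
        in_sha256 = line.startswith("SHA256:")
        if line.startswith("Date:"):
            date = email.utils.parsedate_to_datetime(line[5:].strip())
    return date, sums
def check_index(release_text, path, data, now, max_age=MAX_AGE):
    """Accept an index only if the Release is fresh AND lists its exact hash."""
    date, sums = parse_release(release_text)
    if date is None:
        return "reject: Release has no Date"
    if now - date > max_age:
        return "reject: Release too old (age %s)" % (now - date)
    if path not in sums:
        return "reject: %s not listed in Release" % path
    digest, size = sums[path]
    if size != len(data) or digest != hashlib.sha256(data).hexdigest():
        return "reject: %s does not match Release" % path
    return "ok"
def demo():  # verdicts for a fresh fetch, a replayed stale Release, a tampered index
    signed = datetime(2005, 1, 1, 12, tzinfo=timezone.utc)
    day1, day4 = signed + timedelta(days=1), signed + timedelta(days=4)
    return {"fresh": check_index(SAMPLE_RELEASE, PATH, SAMPLE_PACKAGES, day1),
            "replayed": check_index(SAMPLE_RELEASE, PATH, SAMPLE_PACKAGES, day4),
            "tampered": check_index(SAMPLE_RELEASE, PATH, SAMPLE_PACKAGES + b"X", day1)}
```

The "replayed" case is the published attack in miniature: the old Release and Packages pair is still internally consistent and correctly signed, and only the age check catches it.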