Re: Package management unsafe?

To: Joe Smith <unknown_kev_cat@hotmail.com>
Cc: debian-devel@lists.debian.org
Subject: Re: Package management unsafe?
From: Brian May <brian@microcomaustralia.com.au>
Date: Sun, 13 Jul 2008 10:57:15 +1000
Message-id: <[🔎] 487952EB.1040203@microcomaustralia.com.au>
In-reply-to: <[🔎] loom.20080712T053931-456@post.gmane.org>
References: <[🔎] 487753DC.5020802@cox.net> <[🔎] 87d4lkctb9.fsf@mid.deneb.enyo.de> <[🔎] loom.20080712T053931-456@post.gmane.org>

Joe Smith wrote:

However, if the security updates come from trusted security mirrors rather than
a general mirror, that attack would fail too. So with the exception of Sid or
Testing users that do not use the testing-security system to receive security

updates, Debian really is not terribly vulnerable to this.

It would still be possible to mount this attack if the attacker canintercept packets on the way to the official trusted security mirror andredirect them (e.g. transparent proxy) to an older copy of the mirror.


Brian May

Reply to:

Follow-Ups:
- Re: Package management unsafe?
  - From: "Joe Smith" <unknown_kev_cat@hotmail.com>

References:
- Package management unsafe?
  - From: Ron Johnson <ron.l.johnson@cox.net>
- Re: Package management unsafe?
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: Package management unsafe?
  - From: Joe Smith <unknown_kev_cat@hotmail.com>

Prev by Date: Re: Debian release versioning
Next by Date: Re: Changes detected by lintian on rebuilt packages
Previous by thread: Re: Package management unsafe?
Next by thread: Re: Package management unsafe?
Index(es):
- Date
- Thread