
Re: Package management unsafe?



On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson <ron.l.johnson@cox.net> was heard to say:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> 
> What are people's thoughts on this?

  I don't see anything new or surprising on that page.  In fact, the two
attacks they list (replaying old versions of an archive and taking over
a mirror) were discussed at the time that archive signing was added to
apt.

  My recollection is that the conclusion regarding replay attacks was
that it wasn't clear how signing archives would prevent this (you would
presumably need to somehow periodically change the archive signature,
and warn the user if it was out of date).

  Mirror takeovers are, of course, exactly why archive signing was added
to apt.  I'm talking now about their use to provide unsigned and faulty
packages, not to delay updates (which is just a replay attack).  It's
not clear whether archive signing will actually defend against this
attack *in practice*; some users seem to investigate bad signatures, but
I'm sure a lot just override the warning, especially because there are
an unfortunately high number of false positives.  But the technology
itself can detect this situation.

  When I saw the headline I figured he was talking about actual code
vulnerabilities in package managers (e.g., buffer overflows parsing the
Packages file); that would be a lot more interesting and worrying.

  Daniel
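
An added illustration of the freshness check the message describes (signed metadata that changes periodically, with a warning when it is out of date); it is not code from apt or from the original post. It assumes the signature on the index has already been verified and that the index carries `Date` and `Valid-Until` fields in the style of a Debian Release file; the function names, the `last_seen` client state and the `max_age` policy are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of signed index metadata (not taken from a real archive).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Fri, 11 Jul 2008 08:00:00 UTC
Valid-Until: Fri, 18 Jul 2008 08:00:00 UTC
"""

def parse_fields(text):
    """Parse 'Key: value' header lines into a dict (continuation lines ignored)."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def freshness_warnings(release_text, now, last_seen=None, max_age=timedelta(days=10)):
    """Return warnings for metadata whose signature has ALREADY been verified.

    last_seen: Date of the newest index this client accepted earlier
    (hypothetical client-side state). max_age: local fallback policy used
    only when the index carries no expiry of its own.
    """
    fields = parse_fields(release_text)
    if "Date" not in fields:
        return ["no Date field: freshness cannot be judged"]
    warnings = []
    issued = parsedate_to_datetime(fields["Date"])
    # A validly signed but older index is exactly what a replaying mirror serves.
    if last_seen is not None and issued < last_seen:
        warnings.append("rollback: index is older than one already accepted")
    if "Valid-Until" in fields:
        if now > parsedate_to_datetime(fields["Valid-Until"]):
            warnings.append("expired: signed validity window has passed")
    elif now - issued > max_age:
        warnings.append("stale: index is older than the local max_age policy")
    if issued > now + timedelta(hours=1):
        warnings.append("future-dated: check the local clock")
    return warnings
```

The rollback check only catches a replay of an index older than one this client has already accepted; a mirror that simply stops updating is caught only once the validity window or `max_age` runs out.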

