Re: A Look In the Mirror: Attacks on Package Managers
Erik de Castro Lopo <firstname.lastname@example.org> writes:
> Michael Gilbert wrote:
>> Of course the major flaw with this statement is that there aren't a
>> whole lot of these "proactive" users. However, if there are enough, some will
>> spot the activity, and raise concern, which will ultimately protect
>> others when the evil mirror is shut down.
> Ok, my concerns over this have been assuaged somewhat. However, I still
> think that having the package management software more secure by default
> might still be better than relying on proactive users.
Note that the only attack described in that paper that's viable against
Debian is the one in which security updates are suppressed on a particular
mirror and the attacker then takes advantage of unpatched software. There
isn't any way for a mirror operator to insert modified or additional
packages given how Debian's repository signing system works, with the
possible exception of the initial bootstrap of a new installation unless
the user doing the install manually establishes an initial chain of trust
by verifying the signature of the installation image.
There was some discussion of periodically resigning the security archive
even if there are no updates so that package managers could warn if more
than X days had gone by without an update to the security archive
signatures. I don't know if anyone has concrete plans to implement that.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>
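As an added illustration (not part of this thread, and not apt's or Debian's own code), the following Python sketch shows both points made above: the hash chain from a signed Release file down through the Packages index to a .deb, which is why a mirror cannot insert or alter packages, and a freshness check that warns when the archive has gone more than X days without being re-signed, which is the mitigation for a mirror that silently withholds security updates. It assumes the Release file's signature has already been verified (gpgv is out of scope here); the Release and Packages files are constructed samples in Debian's real file formats, the .deb is placeholder bytes, and the 14-day limit is an arbitrary choice for X.

```python
"""Freshness and hash-chain checks for a Debian-style mirror snapshot.
Signature verification of the Release file is assumed to have passed already.
All sample files below are constructed for this example; none are real."""
import hashlib
from datetime import datetime, timedelta, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"   # format used by Date/Valid-Until in Release files
INDEX_PATH = "main/binary-amd64/Packages"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample archive (placeholder bytes, not a real .deb) ---
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
DEB_BYTES = b"!<arch>\nconstructed placeholder, not a real .deb\n"
PACKAGES_TEXT = (
    "Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\nSHA256: {_sha256(DEB_BYTES)}\n"
)
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\n"
    "Date: Sat, 01 Jan 2022 10:00:00 UTC\n"
    "Valid-Until: Sat, 08 Jan 2022 10:00:00 UTC\n"
    "SHA256:\n"
    f" {_sha256(PACKAGES_TEXT.encode())} {len(PACKAGES_TEXT.encode())} {INDEX_PATH}\n"
)


def _to_dt(value: str) -> datetime:
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_release(text: str) -> dict:
    """Parse Date, Valid-Until and the SHA256 index list of a Release file."""
    fields, digests, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):            # continuation line of a hash list
            if section == "SHA256":
                digest, size, path = line.split()
                digests[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        section, fields[key] = key, value.strip()
    return {"date": _to_dt(fields["Date"]),
            "valid_until": _to_dt(fields["Valid-Until"]),
            "sha256": digests}


def parse_packages(text: str) -> list:
    """Split a Packages index into stanzas (dicts), one per binary package."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]


def check_freshness(release: dict, now: datetime, max_age_days: int) -> tuple:
    """Warn when the archive has gone too long without being re-signed."""
    age = now - release["date"]
    if age < timedelta(0):
        return False, "Release signed in the future; clock or mirror problem"
    if now > release["valid_until"]:
        return False, "Release expired (Valid-Until passed); mirror may be withholding updates"
    if age > timedelta(days=max_age_days):
        return False, f"no new signature for {age.days} days (limit {max_age_days})"
    return True, f"fresh: signed {age.days} days ago"


def verify_chain(release: dict, packages_text: str, files: dict) -> list:
    """Follow Release -> Packages -> .deb hashes; return a list of problems."""
    want_digest, want_size = release["sha256"][INDEX_PATH]
    raw = packages_text.encode()
    if (_sha256(raw), len(raw)) != (want_digest, want_size):
        return [f"{INDEX_PATH}: does not match the signed Release file"]
    problems = []
    for pkg in parse_packages(packages_text):
        data = files.get(pkg["Filename"])
        if data is None:
            problems.append(f"{pkg['Filename']}: missing from mirror")
        elif _sha256(data) != pkg["SHA256"] or len(data) != int(pkg["Size"]):
            problems.append(f"{pkg['Filename']}: hash/size mismatch with signed index")
    return problems


RELEASE = parse_release(RELEASE_TEXT)


def freshness_after(days: int, max_age_days: int = 14) -> tuple:
    """Evaluate the constructed archive as seen `days` after it was signed."""
    return check_freshness(RELEASE, RELEASE["date"] + timedelta(days=days), max_age_days)


if __name__ == "__main__":
    print(freshness_after(3))       # fresh
    print(freshness_after(10))      # Valid-Until passed
    print(verify_chain(RELEASE, PACKAGES_TEXT, {DEB_PATH: DEB_BYTES}))         # []
    print(verify_chain(RELEASE, PACKAGES_TEXT, {DEB_PATH: DEB_BYTES + b"x"}))  # mismatch
```

The two checks address different failure modes: `verify_chain` catches anything a mirror adds or modifies, because every byte served must hash back to the signed Release file, while `check_freshness` is the only thing that catches a mirror serving an old but perfectly valid signed snapshot. Debian's Release files later gained the Valid-Until field used here, and apt refuses a Release file whose Valid-Until has passed, which is the "resign periodically and warn on staleness" idea in practice.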