[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: A Look In the Mirror: Attacks on Package Managers

2010/6/6 Joey Hess <joeyh@debian.org>:
> Josselin Mouette wrote:
>> It does. If you don’t re-run “apt-get update”, the signature will be
>> considered invalid.
> joey@gnu:~/tmp/apt-0.7.26~exp5>grep -i Valid-Until -r .
> zsh: exit 2     grep -i Valid-Until -r .
> What'm I missing?

Nothing - or at least I didn't know about such a feature until now…
(Not impossible, but not very likely ;) )

A quick scan over the open bugreports also doesn't indicate that
it was requested so far.

Another quick look at non-official archives indicate also that it is
NOT commonly used (official debian and security use it,
backports not, anyone else?) so this should be propagated more?

Third one: reprepro has a ValidFor option to generate this stanza,
what about the others? (apt-ftparchive obviously doesn't so far)

In regards to APT i will have a look later how to implement it,
hints regarding a good error message are welcomed
as i can currently only thing about stuff like:
W: http://debian.example.org squeeze Release: The Validation date for
the archive has expired. (This can indicate an outdated mirror.)

Best regards,

David Kalnischkies

Reply to: