Re: software outside Debian (Re: holes in secure apt)
* Holger Levsen <email@example.com>, 2014-06-18, 12:46:
> usually one should depend on a fixed hash in such downloader
> packages... doing it with gpg is securely possible, but much more
> and then for each update you need to update the launcher package -
> that's an awful lot of work for little / no gain
Yes, maintaining packages properly takes time. If packaging new upstream
releases is too much effort, why bother uploading it to Debian in the
I find the way flashplugin-nonfree currently works absolutely
scandalous. It's non-NMU-able, and non-auditable.
> (and how do you handle downgrade attacks here?).
There are a few mechanisms to mitigate downgrade attacks within the
* Valid-Until fields in the Release files;
* apt refusing to install an older version of a package, unless
specifically asked to do so;
* security advisories and stable release announcements.