Re: software outside Debian (Re: holes in secure apt)

* Holger Levsen <holger@layer-acht.org>, 2014-06-18, 12:46:
> usually one should depend on a fixed hash in such downloader packages... doing it with gpg is securely possible, but much more complicated.
> 
> and then for each update you need to update the launcher package - that's an awful lot of work for little / no gain

Yes, maintaining packages properly takes time. If packaging new upstream releases is too much effort, why bother uploading it to Debian in the first place?

I find the way flashplugin-nonfree currently works absolutely scandalous. It's non-NMU-able, and non-auditable.

> (and how do you handle downgrade attacks here?).

There are a few mechanisms to mitigate downgrade attacks within the archive:
* Valid-Until fields in the Release files;
* apt refusing to install an older version of a package, unless specifically asked to do so;
* security advisories and stable release announcements.

Jakub Wilk

