[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sofftware outside Debian (Re: holes in secure apt)

* Holger Levsen <holger@layer-acht.org>, 2014-06-18, 12:46:
usually one should depend on a fixed hash in such downloader packages... doing it with gpg is securely possible, but much more complicated.

and then for each update you need to update the launcher package - thats an aweful lot of work for little / no gain

Yes, maintaining packages properly takes time. If packaging new upstream releases is too much effort, why bother uploading it to Debian in the first place?

It find the way flashplugin-nonfree currently works absolutely scandalous. It's non-NMU-able, and non-auditable.

(and how do you handle downgrade attacks here?).

There are a few mechanisms to mitigate downgrade attacks within the archive:
* Valid-Until fields in the Release files;
* apt refusing to install an older version of a package, unless specifically asked to do so;
* security advisories and stable release announcements.

Jakub Wilk

Reply to: