
Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes



On Thursday 15 January 2009 22:37, Eugene V. Lyubimkin wrote:
> Florian Weimer wrote:
> > And if Valid-Until is only checked against the real-time clock, the
> > attacker can still feed bad data over NTP, so it's not even a complete
> > defense. 8-(

As there are questions about the implementation, and there's a chance we don't 
get it right the first time, and the release is very close, I would indeed 
support not rushing the change into lenny.

> However, it seems there is no better solution, or is there?

Why are we trying to invent something new here, with Valid-Until? The problem 
is that we want to ensure that the Release file of the security archive is 
actually provided by that archive and not by a man in the middle. That 
problem has already been solved: use https. If apt would get the release file 
over https from the security archive it would know it is the right one. The 
rest of the downloads can then happen over http. Of course this needs APT to 
have some notion of what a valid certificate is for security.debian.org; that 
could be addressed by adding it to the debian-archive-keyring package.


cheers,
Thijs
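
The clock dependency raised in the quoted text above, as an added illustration that is not part of the original message and is not apt's implementation: a Valid-Until check is only as trustworthy as the clock it is compared against. The Release header is a constructed sample, and `parse_fields`, `check_freshness` and the extra "clock-behind" sanity check are assumptions made for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release header (not taken from any real archive).
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Thu, 15 Jan 2009 12:00:00 UTC
Valid-Until: Thu, 22 Jan 2009 12:00:00 UTC
"""


def parse_fields(text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with whitespace; skip them.
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_freshness(text, now):
    """Classify a Release file against the caller-supplied clock 'now'."""
    fields = parse_fields(text)
    if "Valid-Until" not in fields:
        return "no-expiry"      # nothing to enforce: a replay is undetectable
    valid_until = parsedate_to_datetime(fields["Valid-Until"])
    # Hypothetical sanity check: a clock earlier than the file's own Date
    # cannot be right, so refuse to call the file fresh.
    if "Date" in fields and now < parsedate_to_datetime(fields["Date"]):
        return "clock-behind"
    return "expired" if now > valid_until else "fresh"


if __name__ == "__main__":
    clocks = {
        "honest clock (1 Mar 2009)": datetime(2009, 3, 1, tzinfo=timezone.utc),
        "clock set back (20 Jan 2009)": datetime(2009, 1, 20, tzinfo=timezone.utc),
        "clock set far back (1 Jan 2009)": datetime(2009, 1, 1, tzinfo=timezone.utc),
    }
    for label, now in clocks.items():
        print(f"{label}: {check_freshness(SAMPLE_RELEASE, now)}")
```

The same stale file is rejected under the honest clock and accepted once the clock is set back inside the validity window, which is why the check needs a trusted time source to be a complete defense.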
