
Re: Study: Attacks on package managers (including apt)

On Thu, Jul 17, 2008 at 3:43 PM, Goswin von Brederlow <goswin-v-b@web.de> wrote:
> The simple solution would be to create a Timestamp.gpg file that is
> signed daily (as opposed to Release.gpg being signed only on updates)
> and have apt-get warn if it gets old.

But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
and not only on a master, the various .gpg files and packages can,
even though difficult, be modified on the single mirror.   IMHO,
verification needs to have an alternate channel than the downloads.

-Jim P.
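The freshness check Goswin sketches above (a small signed file re-signed daily, with the client warning once it gets old) is easy to prototype. The following is an added illustration, not apt's code and not anything either poster wrote. It assumes a Timestamp file carrying an RFC 2822 `Date:` line in the style of a Release file, and it stands in for a GPG detached signature with an HMAC-SHA256 under a constructed key, since the freshness logic is the same whichever signature scheme sits underneath. The three mirror states it builds (fresh, frozen, and date-edited-without-re-signing) are constructed inline.

```python
"""Freshness check for a daily-signed Timestamp file (added example).

Assumptions, not from the thread:
  * the Timestamp file has an RFC 2822 'Date:' line like a Release file;
  * the detached signature is modelled with HMAC-SHA256 under a shared
    key, standing in for the archive's GPG signature.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed stand-in for the archive signing key (hypothetical).
ARCHIVE_KEY = b"constructed-archive-key"


def sign(data: bytes, key: bytes = ARCHIVE_KEY) -> bytes:
    """Stand-in for 'gpg --detach-sign': HMAC-SHA256 over the file bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes, key: bytes = ARCHIVE_KEY) -> bool:
    """Stand-in for gpgv checking a detached signature."""
    return hmac.compare_digest(sign(data, key), sig)


def make_timestamp_file(signed_at: datetime) -> bytes:
    """Build the Timestamp file the archive would sign each day."""
    return ("Date: %s\n" % format_datetime(signed_at)).encode()


def parse_date(data: bytes) -> datetime:
    """Pull the 'Date:' field out of a Timestamp/Release-style file."""
    for line in data.decode().splitlines():
        if line.startswith("Date:"):
            return parsedate_to_datetime(line[len("Date:"):].strip())
    raise ValueError("no Date: field in Timestamp file")


def check_timestamp(data: bytes, sig: bytes, now: datetime,
                    max_age: timedelta = timedelta(days=2),
                    key: bytes = ARCHIVE_KEY) -> str:
    """Return 'ok', 'bad-signature', 'stale' or 'future'.

    Signature first: an unsigned or edited file is rejected outright.
    Then age: a validly signed file older than max_age is what a frozen
    or replaying mirror would serve, and is the case apt-get should warn on.
    """
    if not verify(data, sig, key):
        return "bad-signature"
    age = now - parse_date(data)
    if age < timedelta(0):          # signed in the future: clock skew or forgery
        return "future"
    if age > max_age:
        return "stale"
    return "ok"


def demo(now: datetime = None) -> dict:
    """Three constructed mirror states as a client would see them."""
    if now is None:
        now = datetime(2008, 7, 18, 12, 0, tzinfo=timezone.utc)
    fresh = make_timestamp_file(now - timedelta(hours=6))
    frozen = make_timestamp_file(now - timedelta(days=10))   # old but validly signed pair
    edited = make_timestamp_file(now - timedelta(hours=1))   # attacker bumps the date ...
    return {
        "fresh": check_timestamp(fresh, sign(fresh), now),
        "frozen": check_timestamp(frozen, sign(frozen), now),
        "edited": check_timestamp(edited, sign(frozen), now),  # ... but cannot re-sign it
    }


if __name__ == "__main__":
    for state, result in demo().items():
        print("%-7s -> %s" % (state, result))
```

Note what the check does and does not catch: a mirror that simply stops updating is flagged only once the last valid Timestamp file is older than `max_age`, so the warning threshold has to be set against how often the archive actually re-signs, and a mirror serving an older-but-valid file inside that window is indistinguishable from a fresh one. That gap is the reason for the reply above that verification wants a channel other than the mirror itself.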
