Re: Study: Attacks on package managers (including apt)

Michael Stone <mstone@debian.org> writes:
> On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:

>> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
>> and not only on a master, the various .gpg files and packages can, even
>> though difficult, be modified on the single mirror.  IMHO, verification
>> needs to have an alternate channel than the downloads.

> If someone can modify gpg signatures we have a bigger problem that can't
> be solved by any solution proposed thus far.

You have to make sure the Release.gpg and Timestamp.gpg files are linked
in some fashion, or the fake mirror will just update its Timestamp.gpg
file from the real mirror regularly while leaving all other files the

In the debian-devel thread, the proposal was to instead re-sign Release.gpg
and rely on the timestamp of its signature, which I think is a cleaner and
simpler solution.

Russ Allbery (rra@debian.org)
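The freeze scenario the two posts above argue about, as an added example that is not part of the thread and not apt's own code. It models the two designs side by side: a separate Timestamp.gpg that is not linked to Release (scheme A), and the re-signing proposal where the signing time is part of what Release.gpg covers (scheme B). Everything in it is an assumption for illustration: an HMAC under a constructed key stands in for the archive's GPG signature, the Release file is reduced to one "sha256 name" line per index, the one-week `MAX_AGE` is a client policy, and the package indexes and timestamps are constructed values.

```python
import hashlib
import hmac

# Constructed stand-in for the archive signing key: an HMAC key plays the role
# of the GPG key, so sign()/verify() model the checks, they are not real GPG.
ARCHIVE_KEY = b"constructed-demo-archive-key"
MAX_AGE = 7 * 24 * 3600  # assumed client policy: reject signatures older than a week


def sign(data: bytes) -> bytes:
    """Stand-in for producing a detached signature over `data`."""
    return hmac.new(ARCHIVE_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def make_release(indexes: dict) -> bytes:
    """Simplified Release file: one 'sha256 name' line per package index."""
    lines = [f"{hashlib.sha256(body).hexdigest()} {name}"
             for name, body in sorted(indexes.items())]
    return ("\n".join(lines) + "\n").encode()


def publish_unbound(indexes: dict, now: int) -> dict:
    """Scheme A: Release.gpg signs Release; Timestamp.gpg signs only the time."""
    release = make_release(indexes)
    ts = str(now).encode()
    return {"indexes": indexes, "Release": release, "Release.gpg": sign(release),
            "Timestamp": ts, "Timestamp.gpg": sign(ts)}


def verify_unbound(m: dict, now: int) -> str:
    """Client check for scheme A; returns 'ok' or the first failing reason."""
    if not verify(m["Release"], m["Release.gpg"]):
        return "bad-release-signature"
    if not verify(m["Timestamp"], m["Timestamp.gpg"]):
        return "bad-timestamp-signature"
    if now - int(m["Timestamp"]) > MAX_AGE:
        return "stale"
    if make_release(m["indexes"]) != m["Release"]:
        return "index-mismatch"
    return "ok"


def publish_bound(indexes: dict, now: int) -> dict:
    """Scheme B (re-signing proposal): the signing time is inside what Release.gpg covers."""
    release = make_release(indexes)
    signed_at = str(now).encode()
    return {"indexes": indexes, "Release": release, "Signed-At": signed_at,
            "Release.gpg": sign(signed_at + b"\n" + release)}


def verify_bound(m: dict, now: int) -> str:
    """Client check for scheme B; the age check is on the signed time itself."""
    if not verify(m["Signed-At"] + b"\n" + m["Release"], m["Release.gpg"]):
        return "bad-release-signature"
    if now - int(m["Signed-At"]) > MAX_AGE:
        return "stale"
    if make_release(m["indexes"]) != m["Release"]:
        return "index-mismatch"
    return "ok"


# Constructed scenario: a mirror whose content stopped updating a month ago but
# which keeps copying the small, fresh timestamp artefact from the real archive.
OLD = 1_000_000_000          # when the stale snapshot was signed (constructed)
NOW = OLD + 30 * 24 * 3600   # one month later
OLD_INDEXES = {"main/binary-amd64/Packages": b"Package: foo\nVersion: 1.0\n"}
NEW_INDEXES = {"main/binary-amd64/Packages": b"Package: foo\nVersion: 1.1\n"}


def frozen_mirror_unbound() -> str:
    stale = publish_unbound(OLD_INDEXES, OLD)
    fresh = publish_unbound(NEW_INDEXES, NOW)
    stale["Timestamp"], stale["Timestamp.gpg"] = fresh["Timestamp"], fresh["Timestamp.gpg"]
    return verify_unbound(stale, NOW)   # passes: the timestamp is not linked to Release


def frozen_mirror_bound() -> str:
    stale = publish_bound(OLD_INDEXES, OLD)
    fresh = publish_bound(NEW_INDEXES, NOW)
    # Keeping the old Release.gpg trips the age check; copying the fresh one
    # fails because it was computed over different Release contents.
    copied = dict(stale, **{"Signed-At": fresh["Signed-At"], "Release.gpg": fresh["Release.gpg"]})
    return verify_bound(stale, NOW) + "," + verify_bound(copied, NOW)


def honest_mirror_bound() -> str:
    return verify_bound(publish_bound(NEW_INDEXES, NOW), NOW)


if __name__ == "__main__":
    print("unbound scheme, frozen mirror:", frozen_mirror_unbound())
    print("bound scheme, frozen mirror:", frozen_mirror_bound())
    print("bound scheme, honest mirror:", honest_mirror_bound())
```

The point the model makes is the one in the post: in scheme A a valid Release.gpg and a valid, current Timestamp.gpg say nothing about each other, so the client accepts month-old indexes; in scheme B there is no fresh artefact a stale mirror can serve without also serving the Release it was signed over, so the only outcomes are "stale" or a signature failure. A real client would also bound clock skew and verify the per-file hashes from Release before trusting an index, which the stand-in omits.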

