Re: Study: Attacks on package managers (inclusing apt)

To: debian-security@lists.debian.org
Subject: Re: Study: Attacks on package managers (inclusing apt)
From: Russ Allbery <rra@debian.org>
Date: Thu, 17 Jul 2008 16:17:45 -0700
Message-id: <8763r485ie.fsf@windlord.stanford.edu>
In-reply-to: <20080717210837.GN2712@mathom.us> (Michael Stone's message of "Thu\, 17 Jul 2008 17\:08\:39 -0400")
References: <1216306014.31418.6.camel@localhost> <20080717150835.GJ2712@mathom.us> <20080717153012.GT17993@pond.riseup.net> <87r69si9el.fsf@frosties.localdomain> <7ff145960807171254s5bee43b6keb26e7e2ecef924b@mail.gmail.com> <20080717210837.GN2712@mathom.us>

Michael Stone <mstone@debian.org> writes:
> On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:

>> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
>> and not only on a master, the various .gpg files and packages can, even
>> though difficult, be modified on the single mirror.  IMHO, verification
>> needs to have an alternate channel than the downloads.

> If someone can modify gpg signatures we have a bigger problem that can't
> be solved by any solution proposed thus far.

You have to make sure the Release.gpg and Timestamp.gpg files are linked
in some fashion, or the fake mirror will just update its Timestamp.gpg
file from the real mirror regularly while leaving all other files the
same.

In the debian-devel thread, the proposal was to instead resign Release.gpg
and rely on the timestamp of its signature, which I think is a cleaner and
simpler solution.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Goswin von Brederlow <goswin-v-b@web.de>

References:
- Study: Attacks on package managers (inclusing apt)
  - From: Daniel Leidert <daniel.leidert.spam@gmx.net>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Michael Stone <mstone@debian.org>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Micah Anderson <micah@riseup.net>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: "Jim Popovitch" <yahoo@jimpop.com>
- Re: Study: Attacks on package managers (inclusing apt)
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: Study: Attacks on package managers (inclusing apt)
Next by Date: Re: Study: Attacks on package managers (inclusing apt)
Previous by thread: Re: Study: Attacks on package managers (inclusing apt)
Next by thread: Re: Study: Attacks on package managers (inclusing apt)
Index(es):
- Date
- Thread