***BOGO*** Re: Package management unsafe?
- Date: Fri, 11 Jul 2008 17:51:54 +0200
- From: Florian Weimer <fw@xxxxxxxxxxxxx>
- Subject: ***BOGO*** Re: Package management unsafe?
* Ron Johnson:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?
HTTPS doesn't help against non-trusted mirrors.
The difficult question is how to tell an APT source which is not updated
regularly from an APT source that has been rolled back in a replay
attack.
Apart from that, this is clearly a PR stunt. Next, we might see someone
who tries to get into the project, with the intent to upload Trojanized
packages--all in the name of academic research.
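The replay-versus-stale-mirror question raised in the reply above, as an added example that is not code from this thread or from APT itself: a freshness and monotonicity check over a Release file. The sample Release text, the seven-day staleness threshold and the function names are assumptions; `Date` and `Valid-Until` are the Debian Release fields apt reads for expiry.

```python
# Added example: classify an APT Release file as fresh, stale, expired or
# rolled back. The Release text is a constructed sample; the 7-day threshold
# and function names are assumptions made for this example.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of the header portion of a signed Release file.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: example
Date: Fri, 11 Jul 2008 08:00:00 UTC
Valid-Until: Fri, 18 Jul 2008 08:00:00 UTC
Architectures: amd64 i386
"""

def utc(year, month, day, hour=0):
    """Timezone-aware UTC datetime, used for 'now' and remembered dates."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def parse_release(text):
    """Return the top-level 'Field: value' lines of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def check_release(text, now, last_seen_date=None, max_age=timedelta(days=7)):
    """Classify a Release file as 'ok', 'stale', 'expired' or 'rollback'.

    rollback: Date is older than one already accepted from this source, so a
              replayed old snapshot is caught by remembering what we last saw.
    expired:  Valid-Until has passed; the publisher's own freshness bound.
    stale:    no Valid-Until and Date older than max_age, which on its own
              cannot separate a slow mirror from a replay (the hard case above).
    """
    fields = parse_release(text)
    date = parsedate_to_datetime(fields["Date"])
    if last_seen_date is not None and date < last_seen_date:
        return "rollback"
    if "Valid-Until" in fields:
        return "expired" if now > parsedate_to_datetime(fields["Valid-Until"]) else "ok"
    return "stale" if now - date > max_age else "ok"

if __name__ == "__main__":
    print(check_release(SAMPLE_RELEASE, utc(2008, 7, 12)))   # ok
    print(check_release(SAMPLE_RELEASE, utc(2008, 7, 20)))   # expired
```

Persisting the last accepted `Date` per source (as `last_seen_date`) is what turns the stale-or-replayed ambiguity into a detectable rollback on every subsequent refresh.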