Maybe a check should be added to APT to flag a warning if there have been no updates for a significant period of time? That way, if a mirror ever does that, it's more detectable.

Michael
On Fri, Jul 11, 2008 at 8:55 AM, Steinar H. Gunderson <[EMAIL PROTECTED]> wrote:
> On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>>
>> What are people's thoughts on this?
>
> It's been known for quite a while. (I asked one of the guys publishing it,
> and he was fully aware of that, but felt it was still important to bring
> light to it.)
>
> In any case, it's pretty hard to exploit as long as you have security updates
> on a different (trusted) server. The best thing you can do is DoS the process
> so the user's package management software crashes, or simply never update
> your mirror so users don't get updates.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
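As an added example (not part of this thread and not APT's own code), the staleness check Michael proposes, written as a Python function over the `Date` and `Valid-Until` headers of an APT `Release` file; the sample Release text, the 14-day threshold and the function names are constructed for illustration.

```python
import email.utils
from datetime import datetime, timedelta, timezone

# Constructed header block of an APT "Release" file (not from any real mirror).
SAMPLE_RELEASE = """Origin: Debian
Label: Debian
Suite: stable
Codename: example
Date: Fri, 11 Jul 2008 12:00:00 UTC
Valid-Until: Fri, 18 Jul 2008 12:00:00 UTC
Architectures: amd64 i386
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
"""

def parse_release_headers(text):
    """Return the simple 'Key: value' headers of a Release file as a dict.
    Indented lines (checksum entries) and keys with empty values are skipped."""
    headers = {}
    for line in text.splitlines():
        if line.startswith(" ") or not line.strip():
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            headers[key.strip()] = value.strip()
    return headers

def parse_release_date(value):
    """Parse the RFC 2822 style timestamp APT uses; treat a naive result as UTC."""
    dt = email.utils.parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_freshness(release_text, now, max_age=timedelta(days=14)):
    """Classify a Release file relative to `now` (a timezone-aware datetime):
    'expired'  - Valid-Until has passed,
    'stale'    - Date is older than max_age (a mirror that stopped updating),
    'no-date'  - no Date header at all,
    'ok'       - otherwise."""
    headers = parse_release_headers(release_text)
    if "Date" not in headers:
        return "no-date"
    if "Valid-Until" in headers and now > parse_release_date(headers["Valid-Until"]):
        return "expired"
    if now - parse_release_date(headers["Date"]) > max_age:
        return "stale"
    return "ok"

if __name__ == "__main__":
    print(check_freshness(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```

Modern APT Release files carry a `Valid-Until` field for exactly this reason; the `stale` branch covers the older case Michael describes, where a mirror's metadata has no expiry but simply stops changing.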