In order for upgrades to be safe, signatures are not enough. This is because most old packages are signed with a key that is trusted by the system being updated. Even if dbs are signed, that still applies.

The main idea is to:
--------------------
-> Prevent MITM attacks. This should be done soon in my opinion.
-> Prevent not-updated mirrors from being picked up by pacman; this doesn't address the malicious mirrors concern.
-> Prevent malicious mirrors.

On Sat, 13 Feb 2016 23:06:38 +0100
Denis 'GNUtoo' Carikli <gnu...@no-log.org> wrote:

> How should Parabola deal with it:
> ---------------------------------
> We need various solutions, for shorter and longer term.

As said, I think we should enforce https or onion for mirrors. This is to prevent MITM. I however wonder how to enforce the security of TLS, since it can be configured to be unsafe on both the server side and the client side.

With that done, just having the mirrorlist hosted by parabola (for instance in a parabola/mirrorlist) protects against malicious MITM and mirrors not being updated for various reasons.

I however wonder what would happen if a mirror also includes an old version of the mirrorlist. Can it do that, or does the db prevent that? It probably would if it was signed by parabola.

A malicious mirror would then have these options left:
-> Have a version of the mirror served that was made before the move of the mirrorlists. I guess that would be noticed easily and be very impractical since, in the long run, it would only contain software that is older than what is running on the user's computer.
-> As a mirror, pacman will contact it, and it might still be able to, instead of hosting the usual packages, host an older version of the mirrorlist.

Still, even deploying that would be more secure than the current status.

> Medium term:
> ------------
> We might want to split the db update files from the packages, and make
> the parabola infrastructure serve them, still with a transport that
> can't be tampered with to avoid man in the middle attacks.

We might also want to prevent pacman from picking it from a mirror that is not supposed to host it (like a mirror that already hosts the usual packages).

Denis.
_______________________________________________
Dev mailing list
Dev@lists.parabola.nu
https://lists.parabola.nu/mailman/listinfo/dev
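The post's central point is that a valid signature on an old repository db does not prove the db is current, so a client that only verifies signatures will accept whatever stale snapshot a mirror chooses to serve. The following is an added example (not code from the thread or from Parabola or pacman) showing the two client-side checks that close that gap: a monotonic version counter that rejects any db older than one already accepted, and a maximum age on the db's build time so a mirror cannot freeze a client indefinitely. It also shows the transport rule from the post, accepting only `https://` or `.onion` mirror URLs. The db layout, the field names `version` and `built`, and the HMAC-based "signature" standing in for the real OpenPGP signature are all constructed for the example.

```python
"""Freshness checks for a signed repository database (added example).

A signature proves *who* produced the db, not *when* the client should
still trust it. The checks below are the usual complement: a version
counter that must never go backwards, and a bound on how old an accepted
db may be. Everything here (db format, field names, the HMAC stand-in for
an OpenPGP signature) is constructed for illustration.
"""
import hmac
import hashlib
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-in for the distro's signing key; a real client would
# verify an OpenPGP signature with the distribution's public key instead.
SIGNING_KEY = b"constructed-example-key"


class RollbackError(Exception):
    """A correctly signed but older-than-already-seen db was offered."""


class StaleError(Exception):
    """The db is correctly signed but older than the client tolerates."""


class BadSignature(Exception):
    """The db body was not produced by the trusted key."""


class BadTransport(Exception):
    """The mirror URL does not use a transport the policy allows."""


@dataclass
class SignedDb:
    body: bytes  # JSON: {"version": int, "built": int, "packages": {...}}
    sig: bytes   # HMAC over body (constructed stand-in for a PGP signature)


def sign_db(version: int, built: int, packages: dict) -> SignedDb:
    """Produce a signed db the way the distribution infrastructure would."""
    body = json.dumps({"version": version, "built": built,
                       "packages": packages}, sort_keys=True).encode()
    return SignedDb(body, hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())


def mirror_transport_ok(url: str) -> bool:
    """Policy from the post: mirrors must be reachable over https or onion."""
    u = urlparse(url)
    if u.scheme == "https":
        return True
    # Tor hidden services are end-to-end authenticated by the onion address,
    # so plain http inside the Tor network is acceptable under this policy.
    return u.scheme == "http" and u.hostname is not None \
        and u.hostname.endswith(".onion")


class Client:
    """Tracks the newest db version ever accepted and enforces freshness."""

    def __init__(self, max_age_seconds: int):
        self.max_age = max_age_seconds
        self.last_version = -1  # persisted across runs in a real client

    def accept(self, db: SignedDb, mirror_url: str, now: int) -> dict:
        if not mirror_transport_ok(mirror_url):
            raise BadTransport(mirror_url)
        # 1. Authenticity: the body must come from the trusted key.
        expected = hmac.new(SIGNING_KEY, db.body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, db.sig):
            raise BadSignature()
        meta = json.loads(db.body)
        # 2. No rollback: never accept a db older than one already accepted.
        if meta["version"] < self.last_version:
            raise RollbackError(f"{meta['version']} < {self.last_version}")
        # 3. No freeze: a db the distro built too long ago is rejected even
        #    though its signature is valid, so a mirror cannot pin a client
        #    to an old snapshot forever.
        if now - meta["built"] > self.max_age:
            raise StaleError(f"db built {now - meta['built']}s ago")
        self.last_version = meta["version"]
        return meta["packages"]


def demo() -> dict:
    """Walk through the scenario from the post and report what happened."""
    client = Client(max_age_seconds=7 * 24 * 3600)
    t0 = 1_455_000_000  # constructed "now" for the example
    fresh = sign_db(42, t0 - 3600, {"pacman": "5.0.1-1"})
    old = sign_db(41, t0 - 30 * 24 * 3600, {"pacman": "4.2.1-4"})
    result = {"fresh": None, "old": None, "http": None}
    result["fresh"] = client.accept(fresh, "https://mirror.example/", t0)
    try:  # the old db is validly signed but both checks reject it
        client.accept(old, "https://stale-mirror.example/", t0)
    except (RollbackError, StaleError) as e:
        result["old"] = type(e).__name__
    try:
        client.accept(fresh, "http://mirror.example/", t0)
    except BadTransport:
        result["http"] = "BadTransport"
    return result


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the transport and signature checks run before any field of the db is parsed, so an attacker-controlled body is never trusted for the rollback decision. The `last_version` value has to be stored on the client between runs; if it is reset, a mirror can replay any old db that is still within `max_age`.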