Hi, On Thu, 26 Oct 2017 22:12:25 +0200 Michał Górny <mgo...@gentoo.org> wrote:
> After a week of hard work, I'd like to request your comments > on the draft of GLEP 74. This GLEP aims to replace the old > tree-signing GLEPs 58 and 60 with a superior implementation and more > complete specification. Thanks for working on this, it's really one of the biggest security issues Gentoo has these days that need to be fixed. I hope I'll find time to read it in detail, but by skimming through it I noted that the downgrade attack prevention is kinda not very clear. It says in the timestamp section "The package manager can use it to detect an outdated repository checkout." But it doesn't say how exactly. Should a package manager reject a sync if it is too old? or not install packages if a sync hasn't happened for some time? What is considered "outdated"? I think that should be clarified how exactly it's supposed to work. -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42