On Mon, Mar 02, 2009 at 03:34:19PM +0100, Sebastien WILLEMIJNS wrote:
>
> On Mon, 2 Mar 2009 15:23:46 +0100, "Peter Poeml" <[email protected]> said:
>
> > I actually wanted to mention the following link
> > http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> > but I forgot it. It discusses the issue in depth, with relation to Linux
> > package management clients, and attack scenarios.
>
> We know all online updates can be a new kind of attack scenario, but it
> is a little off-topic here, I think, because metalink is able to do other
> downloads than core OS updates ;)
I beg to differ. I think it is not off-topic to discuss metalinks and security in the context of online updates, for two reasons.

First, aria2c and metalinks are used by at least 3 or 4 major Linux distros now. It is not a corner case. It might well be the largest use of metalinks so far. But it is not a Linux (or package management) only topic.

In addition, online update is used by many applications, and it is often automated. And most often, it is not done over secure channels. Many projects don't even supply their software with signatures or hashes (no .md5 or .sha1 files, no PGP signatures). Metalink usage is being considered by some at least. I think it is very relevant to have this in mind and to focus on some improvements here in the future.

For example, once OpenOffice uses MirrorBrain (and thus will offer metalinks), I want them to also sign their code, and as a next step I would like to work on their "update channel". I recently used the built-in OOo updater and it downloaded a full OOo package through conventional means. I would certainly like to see this happening via metalinks, because the update is not small in this case, and in addition I would like to see it happening securely. Of course, this is hypothetical so far, and something to work on for the future.

So, security of software delivery certainly becomes more relevant once metalinks are used at large scale, because the risk (and impact) of problems rises accordingly. It's not irrelevant to "smaller" use cases though.

I don't want to bother the list with stuff that's not enough on-topic, of course. And I value your critique. Maybe I am too narrow-minded on some things. I'll try to take care in the future :)

Thanks,
Peter

--
Contact: [email protected] (a.k.a. [email protected])
#opensuse-mirrors on freenode.net
Info: http://en.opensuse.org/Mirror_Infrastructure
SUSE LINUX Products GmbH Research & Development