On Tue, Feb 8, 2011 at 10:02 PM, Dan McGee <[email protected]> wrote: > On Tue, Feb 8, 2011 at 5:43 PM, Denis A. Altoé Falqueto > <[email protected]> wrote: >> On Tue, Feb 8, 2011 at 8:02 PM, Dan McGee <[email protected]> wrote: >>> On Tue, Feb 8, 2011 at 2:47 PM, Michael Seiwald <[email protected]> wrote: >>>> (3) Repository Freeze Attacks >>>> An attacker is able to prevent clients from updating by replaying an old >>>> sync db file with a valid signature. This could be used to keep clients >>>> from updating software with known vulnerabilities. >>>> Solution: gpg-signatures already contain a timestamp. Before each >>>> update, pacman could check if the timestamp is not older than a >>>> specified period (e.g. a week). >>> >>> Yes, very well known, and the site I tell all people to have a read >>> before hacking on this stuff: >>> http://www.cs.arizona.edu/stork/packagemanagersecurity/ >>> >>> We will find a way to address this before we consider package signing >>> complete. >> >> I remember some talking about that in the mailing list. It was >> suggested to have a time limit for the validity of the database >> signature, so the developers would have to generate a new signature at >> least every n days, if the database didn't change. That would be a >> worst case scenario, because the rolling release nature of Arch >> generates lots of database updates and they would be signed very >> often. > > Allan and I are going to repeat this until our heads explode, but > pacman != Arch Linux. > > What was that? > > pacman != Arch Linux.
Yes, of course, my fault :) I always forget about it. Probably you'll have to remember me some more times :) > This needs to somehow be feasible for *everyone*, or at least not get > in their way. I've had (although it has gone stagnant) my one-package > eee kernel repo; I shouldn't have to sign that every 10 days if > nothing changes, nor should some in-office repo providing a custom 10 > packages or so, esp. if said database can be fetched from a reliable > (HTTPS with valid cert, say) source. Maybe each database could have a property specifying the length of validity? It could be in days and 0 could be always valid. -- A: Because it obfuscates the reading. Q: Why is top posting so bad? ------------------------------------------- Denis A. Altoe Falqueto Linux user #524555 -------------------------------------------
