On Mon, Jun 16, 2014 at 12:04:51PM +0200, Thorsten Glaser wrote:
> On Thu, 12 Jun 2014, David Kalnischkies wrote:
> > For your attack to be (always) successful, you need a full-sources
> > mirror on which you modify all tarballs, so that you can build a valid
> > Sources file. You can't just build your attack tarball on demand as the
>
> Erm, no? You can just cache a working Sources file and exchange
> the paragraph you are interested in. That's something that would
> be easy in a CGI written in shell, *and* perform well. Trivial.
The "always" refers to the small problem that a MITM isn't in control of what source package is acquired by the user later on. Modifying the Sources file is of course trivial; the hard part is making the modification count, given that at the time the request for the Sources file is made you have no idea what (if any) source package the user will request in the 10 seconds/days following this 'apt-get update' (or equivalent) – if the user isn't on to you, given that you have thrown away the signatures for binary packages, too, so that he can't even get his build-dependencies without saying yes to a (default: no) warning.

From a theoretical standpoint, this is of course all negligible, but in practice it's so annoying/fragile that way better alternatives exist. (Me messing up InRelease parsing [twice], for example, with ironically far less coverage - it's all about catchy titles, I guess.)

Best regards

David Kalnischkies