On Fri, Nov 09, 2007 at 08:54:06PM -0600, Raphael Geissert wrote:
> Michael Banck wrote:
> > Won't somebody else stop the attack in their place then, who does check
> > the signatures?
>
> If a mirror is compromised, unless I'm missing something, it won't be
> updated until ftp-master sends a mirror push. And the period of time
> between the last mirror push, the compromise and the next mirror push might
> be enough for a buildd to download a compromised package.
>
> The buildd owners would be unable to know that the mirror they use was
> compromised and thus they would probably sign a .changes file for a package
> which might also be compromised (introducing a signature-verified
> compromised package in the archive, affecting all users).

Assuming that compromised mirrors get quickly identified by people using signatures, and buildd packages having to be uploaded directly, the amount of compromised packages this way is probably small, so they can be rebuilt using packages from another mirror, after the build logs have been inspected to see whether compromised packages have indeed been used.

Michael