* Ron Johnson:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?

HTTPS doesn't help against non-trusted mirrors. The difficult question is how to tell an APT source which is not updated regularly from an APT source that has been rolled back in a replay attack.

Apart from that, this is clearly a PR stunt. Next, we might see someone who tries to get into the project, with the intent to upload Trojanized packages--all in the name of academic research.
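
Added example, not part of the original message: a sketch of how a client can tell the two cases in the reply apart, assuming the Release file's signature has already been verified and relying on the `Date` and `Valid-Until` fields of APT's Release format. The sample files, function names and result labels are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample Release headers, not taken from a real archive.
RELEASE_NEW = """Origin: Example
Suite: stable
Date: Sat, 12 Jul 2008 10:00:00 UTC
Valid-Until: Sat, 19 Jul 2008 10:00:00 UTC
"""
RELEASE_OLD = """Origin: Example
Suite: stable
Date: Sat, 05 Jul 2008 10:00:00 UTC
Valid-Until: Sat, 12 Jul 2008 10:00:00 UTC
"""

def parse_release(text):
    """Return the top-level fields of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        # Continuation lines (checksum lists) start with whitespace; skip them.
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def when(value):
    """Parse a Release timestamp, which is always expressed in UTC."""
    parsed = datetime.strptime(value, "%a, %d %b %Y %H:%M:%S UTC")
    return parsed.replace(tzinfo=timezone.utc)

def classify(release_text, last_seen, now):
    """Label already signature-verified metadata (labels are hypothetical)."""
    fields = parse_release(release_text)
    if last_seen is not None and when(fields["Date"]) < last_seen:
        return "rollback"   # older than metadata this client accepted before
    if "Valid-Until" not in fields:
        return "no-expiry"  # a stale mirror and a frozen one look identical
    if now > when(fields["Valid-Until"]):
        return "expired"    # archive stopped updating, or old data is replayed
    return "ok"

if __name__ == "__main__":
    seen = when(parse_release(RELEASE_NEW)["Date"])
    now = datetime(2008, 7, 13, tzinfo=timezone.utc)
    print(classify(RELEASE_OLD, seen, now))
    print(classify(RELEASE_NEW, seen, now))
```

A client with no previously accepted `Date` cannot detect the rollback by comparison; only the expiry bound limits how long old metadata can be replayed to it.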