Erik de Castro Lopo <er...@mega-nerd.com> writes:
> Michael Gilbert wrote:

>> Of course the major flaw with this statement is that there aren't a
>> whole these "proactive" users. However, if there are enough, some will
>> spot the activity, and raise concern, which will ultimately protect
>> others when the evil mirror is shut down.

> Ok, my concerns over this have been assuaged somewhat. However, I still
> think that having the package management software more secure by default
> might still be better than relying on proactive users.

Note that the only attack described in that paper that's viable against Debian is the one in which security updates are suppressed on a particular mirror and the attacker then takes advantage of unpatched software. There isn't any way for a mirror operator to insert modified or additional packages given how Debian's repository signing system works, with the possible exception of the initial bootstrap of a new installation unless the user doing the install manually establishes an initial chain of trust by verifying the signature of the installation image.

There was some discussion of periodically resigning the security archive even if there are no updates so that package managers could warn if more than X days had gone by without an update to the security archive signatures. I don't know if anyone has concrete plans to implement that.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
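The staleness warning discussed in the message above could look like the following sketch. It is an added example, not part of the original message and not code from apt or Debian; it assumes the Release file's signature has already been verified and that the archive is re-signed at least every `max_age_days` days, and the sample Release text and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of Release header fields; not real archive data.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Sat, 05 Jul 2008 10:00:00 UTC
Architectures: amd64 i386
"""


def release_date(release_text):
    """Return the Date field of a Release file as an aware UTC datetime."""
    for line in release_text.splitlines():
        if line[:1] in (" ", "\t"):      # continuation line (checksum lists)
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "date":
            stamp = parsedate_to_datetime(value.strip())
            if stamp.tzinfo is None:     # assumption: treat a zoneless Date as UTC
                stamp = stamp.replace(tzinfo=timezone.utc)
            return stamp.astimezone(timezone.utc)
    raise ValueError("Release file has no Date field")


def check_freshness(release_text, max_age_days, now=None):
    """Classify signed metadata as 'fresh', 'stale' or 'future-dated'.

    Call this only after the Release signature has been verified; an
    unverified Date can be set to anything by the mirror.
    """
    now = now or datetime.now(timezone.utc)
    age = now - release_date(release_text)
    if age < timedelta(hours=-1):        # allow one hour of clock skew
        return "future-dated", age
    if age > timedelta(days=max_age_days):
        return "stale", age              # mirror may be withholding updates
    return "fresh", age
```

A "stale" result cannot distinguish a mirror that is deliberately withholding updates from one that has simply stopped syncing; either way the client should warn and try another mirror.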