On Tue, Dec 12, 2006 at 11:35:38PM +0100, Christian Boltz wrote:
> > ? That would generate HTML files that point to content that does not
> > exist in any of the mirrors. The only way you can make those
> > files valid is if you break into one of the mirrors, and if a mirror is
> > broken and you do not do per-release GPG checks of the archive your
> > injection method is really pointless.
>
> It wouldn't be the first time a debian server is cracked :-/

In order for your md5sum "attack" to really work you have to crack *all* mirrors or the user has a ~1/38 chance of stumbling on the package that has been replaced by a cracker. Not a very good attack IMHO.

As for "debian servers being cracked", I don't know about you, but I have not seen too many notices sent to -announce saying that a mirror has been cracked. Only some Debian servers (not mirrors) have been compromised (mostly gluck.debian.org) but never ftp-master.debian.org.

Anyway, we could be discussing this for days. I agree that the md5sum should not be taken verbatim from the user's input but, I understand, that's something that is fixed in the next release of the scripts. If others think this should be fixed *right*now* then I think the only sensible option is to remove the md5sum information from the download page altogether and put it in the packages page with the autogenerated content in a cell next to "Installed size".

Regards

Javier