Michael Stone <[EMAIL PROTECTED]> writes:
> On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
>> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
>> and not only on a master, the various .gpg files and packages can, even
>> though difficult, be modified on the sing
On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
and not only on a master, the various .gpg files and packages can,
even though difficult, be modified on the single mirror. IMHO,
verification needs to have an alt
On Thu, Jul 17, 2008 at 11:30:12AM -0400, Micah Anderson wrote:
Although PGP-signed Release files prevent tampering with files, the
attack doesn't require tampering with files or tampering with signed
release files. If I were to MitM security.debian.org, I could provide
an outdated (yet properly s
On Thu, Jul 17, 2008 at 3:43 PM, Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
> The simple solution would be to create a Timestamp.gpg file that is
> signed daily (as opposed to Release.gpg being signed only on updates)
> and have apt-get warn if it gets old.
But as long as Release.gpg/Timestam
Micah Anderson <[EMAIL PROTECTED]> writes:
> * Michael Stone <[EMAIL PROTECTED]> [2008-07-17 08:09-0400]:
>> On Thu, Jul 17, 2008 at 04:46:54PM +0200, Daniel Leidert wrote:
>>> Today there was some news about a study from the University of Arizona
>>> regarding security issues with package manage
* Michael Stone <[EMAIL PROTECTED]> [2008-07-17 08:09-0400]:
> On Thu, Jul 17, 2008 at 04:46:54PM +0200, Daniel Leidert wrote:
>> Today there was some news about a study from the University of Arizona
>> regarding security issues with package management systems (like apt). I
>> did not yet read th
On 2008-07-17 16:46, Daniel Leidert wrote:
> I'm sorry, if this has already been brought up. I did not find a posting
> regarding this study, so I hereby start this thread).
http://lists.debian.org/debian-devel/2008/07/msg00321.html
Johannes
On Thu, Jul 17, 2008 at 04:46:54PM +0200, Daniel Leidert wrote:
Today there was some news about a study from the University of Arizona
regarding security issues with package management systems (like apt). I
did not yet read the whole study, but probably it's interesting for the
project (they wri
Hi all,
Today there was some news about a study from the University of Arizona
regarding security issues with package management systems (like apt). I
did not yet read the whole study, but probably it's interesting for the
project (they write about "vulnerabilities"). The study is here:
http://w
On 16 July 2008 21:18:32 Thijs Kinkhorst wrote:
>
> Debian Security Advisory DSA-1611-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Thijs Kinkhorst
> July 16, 2008