LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

A tempest in a toybox

LWN.net Weekly Edition for January 26, 2012

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Study: Attacks on package managers

Study: Attacks on package managers

Posted Jul 14, 2008 19:24 UTC (Mon) by rrdharan (guest, #41452)
Parent article: Study: Attacks on package managers 

It boggles the mind that there isn't more verification required in order to get listed as a
mirror.

(Log in to post comments)

Study: Attacks on package managers

Posted Jul 14, 2008 21:12 UTC (Mon) by rahulsundaram (subscriber, #21946) [Link] 

What kind of verification would you suggest for a voluntary mirror? If you add too much
overhead, good mirrors will just walk away and you will lose. That isn't the gateway where you
should be adding security. You should assume malicious mirrors are already present and work to
mitigate that within the distribution.

Study: Attacks on package managers

Posted Jul 15, 2008 9:43 UTC (Tue) by epa (subscriber, #39769) [Link] 

That is the wrong approach.  You are suggesting there should be verification so that only
trustworthy people (by some measure) can set up a mirror site.  But it will always be possible
for bad guys to slip through the net.  Even the US nuclear weapons programme, with the
strictest possible vetting of participants, contained spies.

And even a well-meaning mirror site can be taken over by an attacker.

Better to make sure the update system is secure so that even with total control of one or more
mirrors an attacker cannot push out bad packages or cause a denial of service for more than a
few minutes.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds