Surely package signing already solves this?
Posted Jul 15, 2008 3:52 UTC (Tue) by JoeBuck
In reply to: Surely package signing already solves this?
Parent article: Study: Attacks on package managers
The attack is for the mirror to serve up old (but digitally signed) versions of the packages that have known vulnerabilities. But the problem is that apt and yum won't downgrade packages, so this isn't much of an attack.