Study: Attacks on package managers

Posted Jul 15, 2008 8:50 UTC (Tue) by jond (subscriber, #37669)
In reply to: Study: Attacks on package managers by MattPerry
Parent article: Study: Attacks on package managers

> It doesn't inspire confidence because I'm not a cryptography expert,
> nor do I desire to be one.  As an end user, all I see is an error
> that I do not understand.  I don't know why the signature is invalid
> and the error doesn't give me any guidance on what the significance
> is nor how to correct it.

I think I agree with you here that the UI side needs work.

> It's using TCP, not UDP, to download the data.  Shouldn't TCP
> ensure that I'm getting the correct data?

TCP would protect you against the data being corrupted in transit from the mirror to yourself.
This looks like corruption at the mirror end or (in the case of a bad transparent proxy) stale
data being served up from a cache that doesn't correspond to the package index.
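The distinction jond draws above, between what the transport guarantees and what the package index attests, shown as an added example; this is not code from LWN or from any real package manager. The index, the file contents, the "stale cache" scenario and the function names are all constructed for illustration. The transport check models TCP's per-segment one's-complement checksum (RFC 1071), which only confirms that the client received what the mirror sent; the cryptographic hash taken from the (separately signature-checked) index is what catches a mirror or cache serving content that does not belong to that index.

```python
import hashlib
import struct
from typing import Dict, Tuple

# Constructed sample package contents. The "current" file is what the signed
# index describes; the "stale" file is what an out-of-date mirror or a badly
# behaved transparent proxy might still hand out under the same name.
CURRENT_CONTENT = b"Package: example\nVersion: 1.1\nArchitecture: all\n"
STALE_CONTENT = b"Package: example\nVersion: 1.0\nArchitecture: all\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the kind of value a package index records per file."""
    return hashlib.sha256(data).hexdigest()


# Constructed index: file name -> expected digest. In a real package manager the
# index itself is verified against a signature before any entry is trusted.
INDEX: Dict[str, str] = {"example_1.1.deb": sha256_hex(CURRENT_CONTENT)}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the integrity check TCP applies
    to each segment. It is a transit-corruption check, not a security one."""
    if len(data) % 2:
        data += b"\x00"
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_delivered_intact(sent: bytes, received: bytes) -> bool:
    """Model of what TCP can promise: the bytes the client got are the bytes
    the mirror (or cache) put on the wire. It says nothing about whether the
    mirror's copy was the right one."""
    return internet_checksum(sent) == internet_checksum(received)


def verify_download(name: str, received: bytes,
                    index: Dict[str, str]) -> Tuple[bool, str]:
    """End-to-end check against the index, with a message that tells the user
    which side of the transfer is suspect rather than a bare 'invalid'."""
    expected = index.get(name)
    if expected is None:
        return False, "%s: not listed in the package index" % name
    actual = sha256_hex(received)
    if actual != expected:
        return False, (
            "%s: hash mismatch. The bytes arrived intact but do not match the "
            "index (expected %s..., got %s...); the mirror or an intermediate "
            "cache is serving content that belongs to a different index. "
            "Try another mirror or refresh the cache." % (name, expected[:12], actual[:12])
        )
    return True, "%s: matches the package index" % name


def simulate_stale_mirror() -> Tuple[bool, bool, str]:
    """Scenario from the thread: the mirror serves a stale file, TCP delivers
    it faithfully, and only the index hash reveals the problem.
    Returns (transport_ok, index_ok, message)."""
    served = STALE_CONTENT              # what the mirror/cache has
    received = served                   # TCP delivered it without transit damage
    transport_ok = transport_delivered_intact(served, received)
    index_ok, message = verify_download("example_1.1.deb", received, INDEX)
    return transport_ok, index_ok, message


if __name__ == "__main__":
    t_ok, i_ok, msg = simulate_stale_mirror()
    print("transport intact:", t_ok)
    print("matches index:  ", i_ok)
    print(msg)
```

Running the script shows the two checks disagreeing: the transport check passes, because nothing was damaged between mirror and client, while the index check fails and says so in terms an end user can act on, which is the UI gap the quoted comment complains about.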


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds