The existence of flaky, corrupted mirror sites is another argument in favour of dropping
old-style mirrors and using Bittorrent or some other protocol that handles the mirroring
automatically and is robust against misbehaving nodes.
Study: Attacks on package managers
Posted Jul 15, 2008 12:07 UTC (Tue) by job (guest, #670)
No, it is not.
The system of signatures just prevented you from downloading data from a "misbehaving node"
(i.e. corrupted mirror), and you blame the system?
The mirroring IS handled automatically, AND you are protected from bad data. What would be
good would be failover handling in the package manager so you didn't need to see that message at all.
It would also be desirable to protect from the attack described in the article, perhaps using
timestamped and signed package indexes?
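As an added example (not part of the comment thread or of any package manager's code), here is a sketch of the two ideas raised in the comment above: a client that rejects a validly signed but outdated index, and that fails over to the next mirror without bothering the user. HMAC stands in for the repository's public-key signature so the code runs on the standard library alone; the key, mirror names, package names and integer clock are all constructed for the demo.

```python
import hashlib, hmac, json

# Constructed demo key. HMAC is a stand-in for the repository's public-key
# signature; a real client would hold only the public half.
REPO_KEY = b"constructed-demo-key"

def sign_index(packages, version, expires):
    """Repository side: sign the package list with a version and expiry."""
    body = json.dumps({"packages": packages, "version": version,
                       "expires": expires}, sort_keys=True).encode()
    return {"body": body,
            "sig": hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()}

def check_index(signed, now, last_seen_version):
    """Client side: return (index, None) if acceptable, else (None, reason)."""
    expected = hmac.new(REPO_KEY, signed["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return None, "bad signature"     # corrupted or tampered mirror
    index = json.loads(signed["body"])
    if now > index["expires"]:
        return None, "expired index"     # mirror frozen on old metadata
    if index["version"] < last_seen_version:
        return None, "rollback"          # older than what we already accepted
    return index, None

def fetch_with_failover(mirrors, now, last_seen_version):
    """Try mirrors in order; skip bad ones quietly, fail only if all fail."""
    rejected = []
    for name, signed in mirrors:
        index, reason = check_index(signed, now, last_seen_version)
        if index is not None:
            return name, index, rejected
        rejected.append((name, reason))
    raise RuntimeError(f"no usable mirror: {rejected}")

# Constructed sample mirrors: one corrupted, one replaying old signed data.
fresh = sign_index({"examplepkg": "1.1"}, version=42, expires=2000)
stale = sign_index({"examplepkg": "1.0"}, version=41, expires=1000)
corrupt = dict(fresh, body=fresh["body"].replace(b"1.1", b"9.9"))
MIRRORS = [("mirror-a", corrupt), ("mirror-b", stale), ("mirror-c", fresh)]

if __name__ == "__main__":
    print(fetch_with_failover(MIRRORS, now=1500, last_seen_version=41))
```

The signature check alone accepts the stale index, because it was genuinely signed; only the expiry and version checks catch the replay.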
Posted Jul 16, 2008 14:49 UTC (Wed) by epa (subscriber, #39769)
What would be good would be failover handling in the package manager so you didn't need to see that message at all.
Posted Jul 16, 2008 0:44 UTC (Wed) by motk (subscriber, #51120)
Bittorrent is not a hammer, and not everything is a nail.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds