Posted Jul 17, 2008 12:57 UTC (Thu) by tzafrir (subscriber, #11501)
Parent article: Trust and mirrors
In the follow-ups to the previous story it has been pointed out that those concerns were
known and in some cases addressed.
In general, distributions consider the mirror systems as potentially unreliable copies of the
original archive. There is really no good way to assure no mirror is ever malicious.
In OpenSUSE, as of 10.3, the clients download the metadata separately from a central server.
The big bulk of the download is still from mirrors. But if they cheat, the metadata from the
main server fails to check.
Debian (and Ubuntu?) sign the metadata and propagate it as part of the mirrored context. So
far it seems that the described replay attack would work. But to avoid it, security updates
come from a smaller set of mirrors, which are all maintained by the Debian project directly
and thus are reliable.
Thus signed metadata, on its own, is not good enough. It still allows a replay attack.
An encrypted connection does not help one bit. This is probably some confusion with the separate
guarantees that SSL provides.
As for the recommendation to only download from trusted mirrors: it is basically the same as
only browsing web sites you can trust.
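As an added example (not part of the comment above), a Python sketch of the replay that signed metadata alone permits: an HMAC stands in for the archive's GPG signature, and the constructed `Date`/`Valid-Until` fields are an assumed expiry in the metadata. Only the check that also enforces the expiry rejects a stale snapshot that a mirror keeps serving.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed example: an HMAC replaces the archive's GPG signature so the
# code runs offline with no keys; the signing key lives only on the archive.
SIGNING_KEY = b"constructed-archive-key"
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"

def sign(metadata: str) -> str:
    """The 'signature' a mirror must relay unchanged alongside the metadata."""
    return hmac.new(SIGNING_KEY, metadata.encode(), hashlib.sha256).hexdigest()

def parse_fields(metadata: str) -> dict:
    return dict(line.split(": ", 1) for line in metadata.strip().splitlines())

def make_release(date: datetime, valid_for: timedelta, pkg_version: str):
    """Build a Release-style metadata snapshot with a constructed expiry field."""
    body = (
        f"Date: {date.strftime(DATE_FMT)}\n"
        f"Valid-Until: {(date + valid_for).strftime(DATE_FMT)}\n"
        f"Packages: pkg {pkg_version}\n"
    )
    return body, sign(body)

def verify_signature_only(metadata: str, signature: str) -> bool:
    """What 'signed metadata on its own' checks: origin and integrity, not freshness."""
    return hmac.compare_digest(sign(metadata), signature)

def verify_fresh(metadata: str, signature: str, now: datetime) -> bool:
    """Signature plus expiry: an old but validly signed snapshot is rejected once stale."""
    if not verify_signature_only(metadata, signature):
        return False
    valid_until = datetime.strptime(parse_fields(metadata)["Valid-Until"], DATE_FMT)
    return now <= valid_until.replace(tzinfo=timezone.utc)

def replay_demo() -> dict:
    """Constructed timeline: a mirror still serves a month-old snapshot (pkg 1.0)."""
    t0 = datetime(2008, 6, 1, tzinfo=timezone.utc)
    old_meta, old_sig = make_release(t0, timedelta(days=7), "1.0")
    new_meta, new_sig = make_release(t0 + timedelta(days=30), timedelta(days=7), "1.1")
    now = t0 + timedelta(days=31)
    tampered = old_meta.replace("pkg 1.0", "pkg 0.9")  # edited by the mirror
    return {
        "tampered_signature_only": verify_signature_only(tampered, old_sig),
        "stale_signature_only": verify_signature_only(old_meta, old_sig),
        "stale_fresh": verify_fresh(old_meta, old_sig, now),
        "current_fresh": verify_fresh(new_meta, new_sig, now),
    }
```

Tampering is caught by the signature alone, but the untouched old snapshot passes it; only the expiry check turns the replay into a visible failure.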