
Mirror security

Posted Sep 23, 2025 20:02 UTC (Tue) by NAR (subscriber, #1313)
In reply to: Mirror security by fraetor
Parent article: Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship

to avoid being vulnerable to getting served an old version of a package

I think for build reproducibility (and to avoid breaking changes) some environments do prefer to download the same (old) version and not the latest and greatest.


Mirror security

Posted Sep 23, 2025 21:07 UTC (Tue) by fraetor (subscriber, #161147)

If you know what version you require (and ideally its hash) then you don't need to query the index in the same way.

I'm more talking about when you request the latest version of a well known package, an attacker may want to make the "latest" version appear to be an old one, so they can take advantage of security issues that have since been fixed, and would be able to provide a valid signature because that package _was_ legitimately served by the repository, just before the vulnerability was fixed.
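The rollback scenario fraetor describes, as an added example that is not part of either comment or of any real repository's code: the index carries a version counter and an expiry time inside the signed payload, and the client rejects an index that verifies but is expired or older than one it has already accepted. Everything here is constructed for illustration: the package name libfoo, the version numbers, the fixed clock, and an HMAC-SHA256 "signature" standing in for the asymmetric signature a real repository would use (the property that matters, a valid signature over stale content, is the same). The pinned path at the end shows the other half of the comment: when you already know the version and hash, index freshness does not matter.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the repository signing key. Real
# repositories (e.g. TUF-based ones) use asymmetric signatures; HMAC keeps
# the example dependency-free while preserving "the signature is valid".
REPO_KEY = b"demo-repository-signing-key"
CLOCK = 1_700_000_000  # fixed "now" so the example is deterministic

def canonical(meta: dict) -> bytes:
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()

def sign_index(meta: dict, key: bytes = REPO_KEY) -> dict:
    """Wrap index metadata (which includes version and expires) with a MAC."""
    return {"signed": meta, "sig": hmac.new(key, canonical(meta), hashlib.sha256).hexdigest()}

class BadSignature(Exception):
    pass

class StaleIndex(Exception):
    pass

class Client:
    def __init__(self, key: bytes = REPO_KEY, now=lambda: CLOCK):
        self.key = key
        self.now = now
        self.last_version = 0  # highest index version ever accepted (would be persisted)

    def accept_index(self, envelope: dict) -> dict:
        meta = envelope["signed"]
        expected = hmac.new(self.key, canonical(meta), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["sig"]):
            raise BadSignature("index signature does not verify")
        # A valid signature proves the repository once served this index,
        # not that it is current. Two independent freshness checks follow.
        if meta["expires"] < self.now():
            raise StaleIndex(f"index v{meta['version']} expired at {meta['expires']}")
        if meta["version"] < self.last_version:
            raise StaleIndex(f"index v{meta['version']} is older than accepted v{self.last_version}")
        self.last_version = meta["version"]
        return meta

    def latest(self, envelope: dict, name: str) -> dict:
        return self.accept_index(envelope)["packages"][name]

def fetch_pinned(blob: bytes, expected_sha256: str) -> bytes:
    """Pinned path: version and hash are known up front, so only the content hash matters."""
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        raise ValueError("pinned artifact hash mismatch")
    return blob

# Constructed artifacts and index generations for the scenarios below.
BLOB_100 = b"constructed libfoo-1.0.0 archive bytes (has the bug)"
BLOB_101 = b"constructed libfoo-1.0.1 archive bytes (bug fixed)"
IDX_V7 = {"version": 7, "expires": CLOCK - 1,
          "packages": {"libfoo": {"latest": "0.9.0", "sha256": "0" * 64}}}
IDX_V42 = {"version": 42, "expires": CLOCK + 86400,
           "packages": {"libfoo": {"latest": "1.0.0", "sha256": hashlib.sha256(BLOB_100).hexdigest()}}}
IDX_V43 = {"version": 43, "expires": CLOCK + 86400,
           "packages": {"libfoo": {"latest": "1.0.1", "sha256": hashlib.sha256(BLOB_101).hexdigest()}}}

def run_scenarios() -> dict:
    """Drive one client through the honest, replayed and forged indexes."""
    client = Client()
    out = {}
    out["fresh"] = client.latest(sign_index(IDX_V43), "libfoo")["latest"]
    try:  # long-expired index, validly signed at the time
        client.latest(sign_index(IDX_V7), "libfoo")
        out["expired"] = "accepted"
    except StaleIndex:
        out["expired"] = "rejected"
    try:  # still within its expiry window, but older than v43 already seen
        client.latest(sign_index(IDX_V42), "libfoo")
        out["rollback"] = "accepted"
    except StaleIndex:
        out["rollback"] = "rejected"
    try:  # attacker-authored index under a key the client does not trust
        client.latest(sign_index(IDX_V43, key=b"attacker-key"), "libfoo")
        out["forged"] = "accepted"
    except BadSignature:
        out["forged"] = "rejected"
    pinned = fetch_pinned(BLOB_101, IDX_V43["packages"]["libfoo"]["sha256"])
    out["pinned"] = pinned == BLOB_101
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

The two freshness checks cover different windows: expiry bounds how long any index can be replayed at a client that has no memory (a fresh install sees v42 as acceptable until it expires), while the version counter catches a replay of a still-valid index at a client that has already seen a newer one. A client that only checks the signature accepts all three generations.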


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.