In the follow-ups to the previous story it has been pointed out that those concerns were known and in some cases addressed. In general, distributions consider the mirror systems as potentially unreliable copies of the original archive. There is really no good way to assure no mirror is ever malicious.

In OpenSUSE, as of 10.3, the clients download the metadata separately from a central server. The big bulk of the download is still from mirrors. But if they cheat, the metadata from the main server fails to check.

Debian (and Ubuntu?) sign the metadata and propagate it as part of the mirrored context. So far it seems that the described replay attack would work. But to avoid it, security updates come from a smaller set of mirrors, which are all maintained by the Debian project directly and thus are reliable.

Thus signed metadata, on its own, is not good enough. It still allows a replay attack.

An encrypted connection does not help a bit. This is probably some confusion with the separate guarantees that SSL provides.

As for the recommendation to only download from trusted mirrors: it is basically the same as only browsing web sites you can trust.
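To make the point about signed metadata concrete, here is an added example (not part of the comment above, and not any distribution's actual code) of a client that checks a signature alone next to one that also checks freshness. An HMAC stands in for the archive's public-key signature so the block runs with the standard library only; the `issued` and `valid_until` fields and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

ARCHIVE_KEY = b"constructed-demo-key"  # stand-in for the archive signing key
WEEK = 7 * 24 * 3600

def sign(metadata):
    """Archive side: serialize the metadata and attach a signature over it."""
    body = json.dumps(metadata, sort_keys=True).encode()
    sig = hmac.new(ARCHIVE_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def signature_ok(signed):
    expected = hmac.new(ARCHIVE_KEY, signed["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

class Client:
    def __init__(self):
        self.last_issued = 0  # newest metadata timestamp accepted so far

    def accept_signature_only(self, signed):
        # A stale but genuine index still passes: the signature says nothing
        # about whether this is the latest index.
        return signature_ok(signed)

    def accept_with_freshness(self, signed, now):
        if not signature_ok(signed):
            return "bad-signature"
        meta = json.loads(signed["body"])
        if meta["issued"] < self.last_issued:
            return "rollback"   # older than something this client already saw
        if now > meta["valid_until"]:
            return "expired"    # a frozen mirror cannot serve this forever
        self.last_issued = meta["issued"]
        return "ok"

# Constructed sample indexes: OLD predates a security fix, NEW carries it.
OLD = sign({"issued": 1000, "valid_until": 1000 + WEEK,
            "packages": {"openssl": "1.0-1"}})
NEW = sign({"issued": 90000, "valid_until": 90000 + WEEK,
            "packages": {"openssl": "1.0-2"}})

if __name__ == "__main__":
    c = Client()
    print(c.accept_signature_only(OLD))              # genuine, so accepted
    print(c.accept_with_freshness(NEW, now=100000))
    print(c.accept_with_freshness(OLD, now=100000))  # replayed old index
```

A client that has never seen the newer index still accepts the old one until `valid_until` passes, so the expiry interval bounds how long a replay can go unnoticed.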