On 06.05.2010 22:48, Denis A. Altoé Falqueto wrote:
> But this doesn't solve the problem of a replay attack (as pointed out by Dan, some emails above), where an evil mirror admin puts an old validly signed repo.db to force some user to download a validly signed old package with a known vulnerability. This is tougher to solve. We would need some guaranteed way to tell if the downloaded repo.db is really the latest... No ideas for now.
Add the date when the database was signed (inside the same signature, of course) and, when updating the database (not when installing a package), let pacman check that this date is at most 1 or 2 days old. This requires low mirror delays, though. If there are no updates for 2 days some dev would have to re-sign the database, but that's quite unlikely and acceptable, I think. Pacman should also check that the new date is more recent than the old one.

-- 
Florian Pritz -- {flo,bluewind}@server-speed.net
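The check Florian proposes, as an added example that is not pacman's code and not from this thread: the signing date is covered by the same signature as the database contents, the client rejects a database older than the allowed window (the replay case Denis raised), and it also rejects a database whose date is older than the one it already has (a rollback within the window). HMAC-SHA256 stands in for the real GPG signature so the example runs offline; the key, the timestamps, the clock-skew allowance and the repo.db bytes are all constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Florian's proposal: a database signed more than 1 or 2 days ago is refused.
MAX_AGE_SECONDS = 2 * 24 * 3600
# Assumed tolerance for client/server clock differences (not from the thread).
CLOCK_SKEW_SECONDS = 300
# Stand-in for the developer's signing key; real pacman would use GPG.
DEV_KEY = b"constructed-example-key-not-a-real-secret"

SIG_LEN = hashlib.sha256().digest_size   # 32 bytes of HMAC
TS_LEN = 8                               # big-endian unsigned 64-bit timestamp


def sign_db(key: bytes, db_payload: bytes, signed_at: int) -> bytes:
    """Build a signed repo.db blob: signature || timestamp || contents.

    The HMAC covers timestamp AND contents together, so a mirror cannot
    refresh the date on an old database without invalidating the signature.
    """
    header = struct.pack(">Q", signed_at)
    sig = hmac.new(key, header + db_payload, hashlib.sha256).digest()
    return sig + header + db_payload


@dataclass
class Verdict:
    ok: bool
    reason: str
    signed_at: Optional[int] = None


def check_db_update(key: bytes, blob: bytes, now: int,
                    last_signed_at: Optional[int],
                    max_age: int = MAX_AGE_SECONDS) -> Verdict:
    """Decide whether a freshly downloaded repo.db may replace the local one.

    last_signed_at is the signing date of the database already on disk
    (None on the very first sync). Order matters: the signature is checked
    first, so every later decision is based on an authenticated timestamp.
    """
    if len(blob) < SIG_LEN + TS_LEN:
        return Verdict(False, "truncated database")
    sig = blob[:SIG_LEN]
    header = blob[SIG_LEN:SIG_LEN + TS_LEN]
    payload = blob[SIG_LEN + TS_LEN:]

    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return Verdict(False, "bad signature")

    signed_at = struct.unpack(">Q", header)[0]
    if signed_at > now + CLOCK_SKEW_SECONDS:
        return Verdict(False, "signed in the future (clock skew?)")
    if now - signed_at > max_age:
        # Valid signature, but too old: exactly the replay Denis described.
        return Verdict(False, "stale: possible replay of an old database")
    if last_signed_at is not None and signed_at < last_signed_at:
        # Within the window, yet older than what we already have: a rollback.
        return Verdict(False, "older than the installed database (rollback)")
    return Verdict(True, "accepted", signed_at)


def demo() -> dict:
    """Run the interesting cases against constructed data."""
    now = 1_273_200_000                      # constructed 'current time'
    payload = b"constructed example repo.db contents"
    fresh = sign_db(DEV_KEY, payload, now - 3600)
    month_old = sign_db(DEV_KEY, payload, now - 30 * 86400)
    yesterday = sign_db(DEV_KEY, payload, now - 86400)
    # A mirror admin re-dates the month-old database to look fresh; the
    # signature no longer matches because the date was inside it.
    forged = month_old[:SIG_LEN] + struct.pack(">Q", now - 60) + month_old[SIG_LEN + TS_LEN:]
    return {
        "first_sync": check_db_update(DEV_KEY, fresh, now, None),
        "replayed_old": check_db_update(DEV_KEY, month_old, now, None),
        "rollback": check_db_update(DEV_KEY, yesterday, now, now - 3600),
        "forged_date": check_db_update(DEV_KEY, forged, now, None),
        "resync_same": check_db_update(DEV_KEY, fresh, now, now - 3600),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} ok={verdict.ok!s:5s} {verdict.reason}")
```

One design choice worth noting: re-downloading a database with the same signing date as the local one is accepted (a plain resync), and only a strictly older date is refused, which is the practical reading of "more recent than the old one". The window check alone does not stop a mirror from serving a one-day-old database to a client that already has today's, which is why the comparison against the locally stored date is kept as a separate step.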