[pacman-dev] [arch-general] Package signing

Florian Pritz bluewind at server-speed.net
Fri May 7 16:00:25 CEST 2010


On 06.05.2010 22:48, Denis A. Altoé Falqueto wrote:
> But this doesn't solve the problem of a replay attack (as pointed out by
> Dan, some emails above), where an evil mirror admin puts an old
> validly signed repo.db to force some user to download a validly signed
> old package with a known vulnerability. This is tougher to solve. We
> would need some guaranteed way to tell if the downloaded repo.db is
> really the latest... No ideas for now.

Add the date when the database was signed (inside of the same signature,
of course) and, when updating the database (not when installing a
package), let pacman check that this date is at most 1 or 2 days old.
This requires low mirror delays though.

If there are no updates for 2 days some dev would have to resign the
database, but that's quite unlikely and acceptable I think.
Pacman should also check if the new date is more recent than the old one.

-- 
Florian Pritz -- {flo,bluewind}@server-speed.net
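The check proposed above, as an added example that is not code from the mail or from pacman itself: the signing time is bound into the signed payload, and the client rejects a downloaded database whose signature fails, whose signing date is older than the 2-day limit (the replay case), or whose signing date is older than the one it already has (rollback). HMAC-SHA256 from the standard library stands in for the OpenPGP detached signature discussed in the thread, the key, timestamps and database contents are constructed for the demo, and the function names are my own.

```python
import hashlib
import hmac
import struct

DAY = 24 * 60 * 60
MAX_DB_AGE = 2 * DAY  # upper bound of the "1 or 2 days" suggested in the mail


def _signed_payload(signed_at: int, db_bytes: bytes) -> bytes:
    # The signing time is part of the signed data, so it is covered by the
    # signature and cannot be changed without invalidating it.
    return struct.pack(">Q", signed_at) + db_bytes


def sign_db(key: bytes, signed_at: int, db_bytes: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the OpenPGP signature the
    # developer would produce over the database at signing time.
    return hmac.new(key, _signed_payload(signed_at, db_bytes), hashlib.sha256).digest()


def check_db_update(key, db_bytes, signed_at, sig, now, last_signed_at):
    """Decide whether a freshly downloaded repo.db may replace the local one.

    Returns (accepted, reason). last_signed_at is the signing time of the
    database the client already has, or None on first sync.
    """
    # 1. Signature first: a mirror that keeps an old db but rewrites the date
    #    to look fresh fails here, because the date is inside the signature.
    if not hmac.compare_digest(sign_db(key, signed_at, db_bytes), sig):
        return (False, "bad signature")
    # 2. Freshness: a validly signed but old db (replay) is rejected.
    if now - signed_at > MAX_DB_AGE:
        return (False, "stale")
    # 3. Monotonicity: never step back to a db signed before the current one.
    #    An equal date means the same db was re-downloaded, which is fine.
    if last_signed_at is not None and signed_at < last_signed_at:
        return (False, "rollback")
    return (True, "ok")


def demo():
    # Constructed inputs for the example; not real Arch keys or databases.
    key = b"constructed-demo-signing-key"
    t0 = 1_273_000_000  # constructed epoch seconds, roughly May 2010
    old_db = b"core.db v1: openssl-1.0.0-1 (known vulnerable)"
    new_db = b"core.db v2: openssl-1.0.0-2 (fixed)"
    old_sig = sign_db(key, t0, old_db)
    new_t = t0 + 10 * DAY
    new_sig = sign_db(key, new_t, new_db)
    now = new_t + 3600

    results = {}
    # Normal update: signed an hour ago, newer than what the client has.
    results["fresh"] = check_db_update(key, new_db, new_t, new_sig, now, t0 + 5 * DAY)
    # Evil mirror replays the old, validly signed db: rejected as stale.
    results["replay_stale"] = check_db_update(key, old_db, t0, old_sig, now, None)
    # Mirror serves a db signed yesterday, but the client already has today's.
    mid_db = b"core.db v1.5"
    mid_t = t0 + 9 * DAY
    results["rollback"] = check_db_update(
        key, mid_db, mid_t, sign_db(key, mid_t, mid_db), now, new_t)
    # Mirror keeps the old db and its signature but claims it was signed now.
    results["forged_date"] = check_db_update(key, old_db, now, old_sig, now, None)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

The order of the checks matters: the signature is verified before the date is read, so the freshness and monotonicity decisions only ever rest on a date the signer vouched for. A client clock that is badly wrong will produce false "stale" rejections, which is the cost of the low-delay requirement the mail mentions.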
