[pacman-dev] [arch-general] Package signing

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Fri May 7 20:34:00 CEST 2010


On Fri, May 7, 2010 at 3:17 PM, Denis A. Altoé Falqueto
<denisfalqueto at gmail.com> wrote:
> I was thinking about something like that, I would choose something
> like 5 or 7 days. This would give a window of attack of at most 7 days
> and would give enough time to the mirrors to sync. So, if some package
> has a known vulnerability, it would be exploitable by replay attack
> only for the last 7 days. After that, the repo.db would expire and the
> user would have to download a new one (say, if the mirror is
> compromised, it would be an indication of that). If the repository
> activity is really low, it would require a new repo.db being re-signed
> every 5 or 7 days.

Just one more note. GnuPG already embeds the current date and time in
the signature. So, counting on the correct time on the dev's machines,
we could rely on that to do the check.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
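
The check discussed in this message, as an added example that is not part of the original post or of pacman: it reads the signature creation time from GnuPG's `VALIDSIG` status line and rejects a repo.db whose signature is older than the proposed 7 days. The file names, the fingerprint, the clock-skew tolerance and the sample status output are constructed assumptions.

```python
import calendar
import time

MAX_AGE = 7 * 24 * 3600   # the 7-day window proposed in the thread
MAX_SKEW = 300            # assumption: tolerated clock skew, in seconds
# Constructed fingerprint standing in for a trusted developer key.
TRUSTED = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed `gpg --status-fd 1 --verify repo.db.sig repo.db` output.
SAMPLE = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Dev <dev@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-05-07 1273190400 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""


def signature_time(status, trusted=TRUSTED):
    """Epoch seconds at which a trusted key signed, or None."""
    for line in status.splitlines():
        f = line.split()
        # [GNUPG:] VALIDSIG <fingerprint> <date> <sig-timestamp> ...
        if len(f) < 5 or f[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        if f[2] not in trusted:
            continue
        if f[4].isdigit():
            return int(f[4])
        try:  # gpg can also emit ISO 8601, e.g. 20100507T000000
            return calendar.timegm(time.strptime(f[4], "%Y%m%dT%H%M%S"))
        except ValueError:
            return None
    return None


def check_repo_db(status, now=None):
    """Apply the expiry rule to the signature timestamp."""
    now = time.time() if now is None else now
    signed_at = signature_time(status)
    if signed_at is None:
        return "reject: no valid signature from a trusted key"
    if signed_at > now + MAX_SKEW:
        return "reject: signature dated in the future"
    if now - signed_at > MAX_AGE:
        return "reject: repo.db signature expired"
    return "ok"


if __name__ == "__main__":
    print(check_repo_db(SAMPLE, now=1273190400 + 3 * 86400))
    print(check_repo_db(SAMPLE, now=1273190400 + 8 * 86400))
```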

