bug#19479: Package manager vulnerable
From: Kelly Dean
Subject: bug#19479: Package manager vulnerable
Date: Tue, 06 Jan 2015 06:38:12 +0000
Richard Stallman wrote:
> What do we need to do on ftp.gnu.org to avoid these dangers?
It depends on what you expect the user's responsibility to be.
If you expect him to know the latest version number of a package (without
relying on the gnu.org webserver to find out, in case it's compromised), and
you expect him to manually verify that his download is the latest version (in
addition to verifying the signature, of course), and you give him the ability
to do this by always including both the name and the version number in your
packages (so far as I'm aware, you already do) and never re-using version
numbers (I think you're ok here too), then you have no problem, so there's
nothing you need to do.
Otherwise, the problems and solution are the same as for package distribution
systems in general, as detailed at
https://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html
https://www.cs.arizona.edu/stork/packagemanagersecurity/otherattacks.html
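The policy sketched in the message (verify the signature, then check that the signed name and version match the latest version the user already knows from somewhere other than the server being checked) as a worked example. This is added illustration, not code from GNU, Emacs, ftp.gnu.org or the message's author. Two things are assumptions made for the demo: the release archive is modelled as a small text record carrying "Name:" and "Version:" lines, standing in for the name and version a real tarball carries inside its signed contents, and the detached signature is an HMAC-SHA256 under a constructed key, standing in for the OpenPGP signature that ftp.gnu.org actually publishes. Only the checking logic is meant to carry over.

```python
"""Signature plus known-latest-version check for a downloaded release.

Added example for the message above; not code from GNU, Emacs,
ftp.gnu.org or the reporter.  Assumptions (constructed for the demo):
  * the release archive is a small text record with "Name:" and "Version:"
    lines, standing in for the name and version a real tarball carries
    inside its signed contents;
  * the detached signature is an HMAC-SHA256 under a constructed key,
    standing in for the OpenPGP signature published on ftp.gnu.org.
The point is the policy: a verifier that checks the signature alone accepts
whatever genuine old release a compromised server replays; one that also
compares the signed version with the latest version learned out of band
rejects the replay.
"""
import hashlib
import hmac
import re
from typing import Tuple

SIGNING_KEY = b"constructed demo key, not a real release key"  # assumption


def sign(archive: bytes) -> bytes:
    """Release-manager side: the (stand-in) detached signature over the bytes."""
    return hmac.new(SIGNING_KEY, archive, hashlib.sha256).digest()


def signature_ok(archive: bytes, signature: bytes) -> bool:
    """User side: constant-time check of the detached signature."""
    return hmac.compare_digest(sign(archive), signature)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.10' -> (1, 10).  Integer tuples compare numerically, so 1.10 > 1.9,
    which a plain string comparison would get wrong."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def signed_metadata(archive: bytes) -> Tuple[str, Tuple[int, ...]]:
    """Read name and version from the SIGNED bytes, never from the file name
    or the directory listing: a compromised server controls those, but it
    cannot alter signed contents without breaking the signature."""
    fields = dict(re.findall(rb"^(Name|Version): (\S+)$", archive, re.M))
    if b"Name" not in fields or b"Version" not in fields:
        raise ValueError("signed contents lack Name/Version")
    return fields[b"Name"].decode(), parse_version(fields[b"Version"].decode())


def check_signature_only(archive: bytes, signature: bytes) -> Tuple[bool, str]:
    """Weak policy: every genuinely signed release is accepted, including an
    old one with a known hole that a compromised server chooses to replay."""
    if not signature_ok(archive, signature):
        return False, "bad-signature"
    return True, "ok"


def check_download(archive: bytes, signature: bytes,
                   expected_name: str, known_latest: str) -> Tuple[bool, str]:
    """Policy from the message: valid signature, expected package name, and a
    signed version equal to the latest version the user learned out of band
    (announcement, another machine), not from the server being checked.
    Anything older is a replay/rollback; anything newer is unknown to the
    user and is refused until the out-of-band knowledge is updated."""
    if not signature_ok(archive, signature):
        return False, "bad-signature"
    try:
        name, version = signed_metadata(archive)
    except ValueError:
        return False, "malformed-archive"
    if name != expected_name:
        return False, "wrong-package"
    latest = parse_version(known_latest)
    if version < latest:
        return False, "rollback"
    if version > latest:
        return False, "newer-than-known-latest"
    return True, "ok"


def make_release(name: str, version: str) -> bytes:
    """Constructed stand-in for a release tarball (demo data, not real)."""
    return f"Name: {name}\nVersion: {version}\nPayload: (constructed)\n".encode()


if __name__ == "__main__":
    # Release manager publishes 1.2, then 1.3 with a fix.
    old = make_release("demo-pkg", "1.2")
    new = make_release("demo-pkg", "1.3")
    old_sig, new_sig = sign(old), sign(new)
    # A compromised server replays 1.2, with its genuine signature, as current.
    print("signature only, replayed 1.2:", check_signature_only(old, old_sig))
    print("signature+version, replayed 1.2:",
          check_download(old, old_sig, "demo-pkg", "1.3"))
    print("signature+version, genuine 1.3:",
          check_download(new, new_sig, "demo-pkg", "1.3"))
    # Renaming the file to demo-pkg-1.3.tar.gz changes nothing: the version
    # is read from the signed bytes, which the attacker cannot edit.
```

The check only helps to the extent that known_latest really does come from outside the server under test; if the user takes the version number from the same web page or directory listing the attacker controls, the comparison is against attacker-chosen data and degrades to the signature-only policy. In practice the signature step is `gpg --verify` against the `.sig` file from ftp.gnu.org with the release key obtained independently; the HMAC here stands in for that so the example runs offline.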