[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Emacs package manager vulnerable to replay attacks
|
From: |
Ivan Shmakov |
|
Subject: |
Re: Emacs package manager vulnerable to replay attacks |
|
Date: |
Tue, 30 Dec 2014 11:45:13 +0000 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) |
>>>>> Kelly Dean <address@hidden> writes:
[…]
> To solve this problem, include a timestamp of archive-contents in
> that file itself (so that the signature depends on the timestamp),
> and have Emacs ignore any new archive-contents that's older than the
> latest valid one that Emacs has already seen or is older than some
> specified limit (IIRC Debian's apt-get uses a 10-day limit).
Debian uses an explicit expiration date, as set in the InRelease
(or Release) file. Consider, e. g., [1]:
Date: Tue, 30 Dec 2014 08:52:15 UTC
Valid-Until: Tue, 06 Jan 2015 08:52:15 UTC
For stable releases, Valid-Until: isn’t used (AIUI) [2]; perhaps
then a fall back value of some kind is used.
[1] http://http.debian.net/debian/dists/jessie/InRelease
[2] http://http.debian.net/debian/dists/wheezy/InRelease
[…]
> Fortunately, all four of these features (package hashes, content
> length, archive timestamps, and archive hash chaining) are
> straightforward to implement.
Well, thanks for the heads-up, but could you please file these
as actual Emacs bug reports, perhaps even separate ones? I’d
then try to suggest patches within the next few days. (Not that
I’m the only person who could do that, anyway.)
--
FSF associate member #7257 http://boycottsystemd.org/ … 3013 B6A0 230E 334A