[aklug] Re: Bigger threat than DNS

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Fri Jul 11 2008 - 07:40:42 AKDT

On Fri, 11 Jul 2008, Mike Tibor wrote:

> I can't get to the original article Slashdot references since it appears
> to be slashdotted at the moment. :-) However, having maintained AKLUG's
> Red Hat mirror for a few years I can confirm that anyone can fire up a
> mirror and be listed in a release announcement. Nobody was ever really
> concerned about that because the package signatures should have prevented
> a malicious mirror admin from tampering with them.

:-) Read below...

> Arthur, can you give a quick summary of the original article?

This focused primarily on "replay" attacks. In short, a mirror could easily
serve up older packages with known flaws in lieu of the updated one and none
of the major tools (APT, YUM, YaST, etc.) would catch it, since there's no
way to "retire" known bad packages.

Also, a mirror could simply not carry a lot of the security updates
published, leaving a lot of users vulnerable while feeling safe in that they
think they're up to date.

He also linked to another report about endless data attacks, extraneous
dependencies, etc.

         --Arthur Corliss
           Live Free or Die
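The thread above describes the gap package signatures leave open: a signature proves a package came from the vendor, but not that it is the current one, so a mirror can replay an older signed package or simply stop carrying updates. The following added example (written for this page, not code from the thread, any distribution's tooling, or the article being discussed) shows the client-side checks that close that gap: signed repository snapshot metadata carrying a monotonically increasing version number and an expiry time, with the client rejecting anything unsigned, stale, older than what it already trusts, or that downgrades a package. The signing key, HMAC-as-signature stand-in, package names, version strings and timestamps are all constructed for illustration; a real client would verify an asymmetric vendor signature rather than an HMAC.

```python
"""Client-side defences against mirror replay and freeze attacks.

Constructed example: a signed repository snapshot carries a monotonically
increasing version and an expiry time, and the client refuses anything that
is stale, older than what it already trusts, or that downgrades a package.
"""
import hashlib
import hmac
import json


# Stand-in for the vendor's signing key (constructed). A real client verifies an
# asymmetric signature with the vendor's public key; HMAC keeps this stdlib-only.
REPO_KEY = b"constructed-demo-signing-key"


class MetadataError(Exception):
    """Raised when a snapshot must not be trusted."""


def _canonical(meta: dict) -> bytes:
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_snapshot(meta: dict) -> dict:
    """Vendor side: wrap snapshot metadata with a signature over its canonical form."""
    sig = hmac.new(REPO_KEY, _canonical(meta), hashlib.sha256).hexdigest()
    return {"signed": meta, "sig": sig}


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (constructed simplification of real version ordering)."""
    return tuple(int(x) for x in v.split("."))


def verify_snapshot(blob: dict, trusted: dict, now: int) -> dict:
    """Client side: return the new trusted state, or raise MetadataError.

    trusted = {"version": int, "packages": {name: version_string}}
    """
    meta = blob["signed"]
    expected = hmac.new(REPO_KEY, _canonical(meta), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["sig"]):
        raise MetadataError("signature does not verify")
    # Replay attack: a correctly signed but older snapshot must not replace a
    # newer one the client has already accepted.
    if meta["version"] < trusted["version"]:
        raise MetadataError("rollback: snapshot %d < trusted %d"
                            % (meta["version"], trusted["version"]))
    # Freeze attack: a mirror that silently stops carrying updates can only keep
    # serving an old snapshot, and the expiry time turns that into an error.
    if now > meta["expires"]:
        raise MetadataError("snapshot expired at %d, now %d" % (meta["expires"], now))
    # Per-package downgrade: even a newer snapshot must not hand back a package
    # older than the one the client already recorded.
    for name, old in trusted["packages"].items():
        new = meta["packages"].get(name)
        if new is not None and parse_version(new) < parse_version(old):
            raise MetadataError("downgrade of %s: %s -> %s" % (name, old, new))
    return {"version": meta["version"], "packages": dict(meta["packages"])}


def check(blob: dict, trusted: dict, now: int) -> str:
    """Map the outcome to a short label for display and tests."""
    try:
        verify_snapshot(blob, trusted, now)
        return "accepted"
    except MetadataError as e:
        return "rejected: " + str(e)


# Constructed scenario: the vendor issued snapshot 41 (flawed "openssl" 1.0.1),
# then snapshot 42 (fixed 1.0.2). Timestamps are plain integers for simplicity.
SNAP_41 = sign_snapshot({"version": 41, "expires": 1000, "packages": {"openssl": "1.0.1"}})
SNAP_42 = sign_snapshot({"version": 42, "expires": 2000, "packages": {"openssl": "1.0.2"}})
# Snapshot 43 is newer but would hand the flawed package back (constructed).
SNAP_43 = sign_snapshot({"version": 43, "expires": 3000, "packages": {"openssl": "1.0.1"}})


def run_scenarios() -> dict:
    """Exercise the cases a client must distinguish; returns label per scenario."""
    fresh = {"version": 0, "packages": {}}
    after_42 = verify_snapshot(SNAP_42, fresh, now=1500)
    # Mirror edits the package list but keeps the vendor's signature: must fail.
    tampered = {"signed": dict(SNAP_42["signed"], packages={"openssl": "1.0.1"}),
                "sig": SNAP_42["sig"]}
    return {
        "first_sync_42": check(SNAP_42, fresh, now=1500),
        "replay_41_after_42": check(SNAP_41, after_42, now=1500),
        "frozen_mirror_still_serving_42": check(SNAP_42, after_42, now=2500),
        "tampered_42": check(tampered, after_42, now=1500),
        "downgrade_in_newer_43": check(SNAP_43, after_42, now=1500),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-32s %s" % (name, outcome))
```

The point of the example is that the expiry and version fields must themselves be inside the signed metadata, so a mirror cannot extend or strip them; the per-package downgrade rule is deliberately strict and a real tool would need an explicit, signed way to revert a package when that is intended.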
Received on Fri Jul 11 07:40:54 2008

This archive was generated by hypermail 2.1.8 : Fri Jul 11 2008 - 07:40:54 AKDT