[gobolinux-devel] Include version in signed meta data
Jonas Karlsson
jonka750 at student.liu.se
Sat Jul 12 04:01:42 NZST 2008
On Fri, 11 Jul 2008 16:37:51 +0200, Hisham <hisham.hm at gmail.com> wrote:
> On Fri, Jul 11, 2008 at 3:43 AM, Jonas Karlsson <jonas at gobolinux.org> wrote:
>> There has been a proof of concept where a group of people have injected
>> bad packages into a distribution by asking to be a mirror and providing
>> erroneous updates (1).
>> The issue is not that they provided spoofed, hacked or broken packages,
>> which would fail with bad signature (or the user had to add the key to
>> their keyring), but they used old packages which they updated version
>> information for. An example for GoboLinux would be to repack an old
>> version, Foo--1.2--i686.tar.bz2 as Foo--2.3--i686.tar.bz2 and our tools
>> would be fooled to think that the latter was an update/later version
>> (you would also change the name of the version directory in the tarball).
>> This meant that users that used that "mirror" would get "updates" that
>> weren't always up to date and even might have security issues.
>> We need to add version information to our packages, any idea on a good
>> scheme for that?
>
> Yes, we just need to add the full path to the FileHash file entries.
> If they are tampered with, FileHash.sig will alert. Fix committed to
> svn.
I don't think we should use *full* paths, only <program name>/<version>.
People might not have $goboPrograms at /Programs.
--
/Jonas
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
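As an added example, not code from this thread or from GoboLinux's own tools: a small Python check that implements the `<program name>/<version>` binding discussed above, so that an old package re-labelled as a newer version fails verification against its unmodified, signed FileHash. HMAC-SHA256 stands in for the GPG detached signature (FileHash.sig); the helper names, the FileHash line layout and the sample package contents are constructed assumptions.

```python
"""Version-bound package manifest check (added example, not GoboLinux code).

Each FileHash entry carries "<Program>/<Version>/<path>" rather than a full
path, because $goboPrograms is not /Programs on every system. HMAC-SHA256
stands in for the GPG detached signature FileHash.sig.
"""
import hashlib
import hmac
import re

# Constructed signing key: stands in for the distribution's private GPG key.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed package contents: {relative path inside the version dir: bytes}.
FOO_1_2 = {"bin/foo": b"#!/bin/sh\necho foo 1.2\n", "share/doc/README": b"Foo 1.2\n"}


def build_filehash(program, version, files):
    """One line per file: '<sha256>  <Program>/<Version>/<path>' (assumed layout)."""
    lines = []
    for path in sorted(files):
        digest = hashlib.sha256(files[path]).hexdigest()
        lines.append(f"{digest}  {program}/{version}/{path}")
    return "\n".join(lines) + "\n"


def sign(filehash):
    """Stand-in for producing FileHash.sig with the distribution key."""
    return hmac.new(SIGNING_KEY, filehash.encode(), hashlib.sha256).hexdigest()


def parse_package_name(tarball):
    """'Foo--2.3--i686.tar.bz2' -> ('Foo', '2.3')."""
    m = re.fullmatch(r"([^-]+)--([^-]+)--[^-]+\.tar\.bz2", tarball)
    if not m:
        raise ValueError(f"unrecognised package name: {tarball}")
    return m.group(1), m.group(2)


def verify_package(tarball, filehash, signature, files):
    """Return (ok, reason): signature first, then version binding, then hashes."""
    if not hmac.compare_digest(sign(filehash), signature):
        return False, "bad signature on FileHash"
    program, version = parse_package_name(tarball)
    expected_prefix = f"{program}/{version}/"
    listed = {}
    for line in filehash.splitlines():
        digest, entry = line.split("  ", 1)
        # The signed entries must name the version the tarball claims to be.
        if not entry.startswith(expected_prefix):
            return False, f"FileHash entry '{entry}' is not for {program}/{version}"
        listed[entry[len(expected_prefix):]] = digest
    if set(listed) != set(files):
        return False, "file list differs from FileHash"
    for path, data in files.items():
        if hashlib.sha256(data).hexdigest() != listed[path]:
            return False, f"hash mismatch for {path}"
    return True, "ok"


def demo():
    """Genuine 1.2 verifies; 1.2 relabelled as 2.3 is rejected either way."""
    fh = build_filehash("Foo", "1.2", FOO_1_2)
    sig = sign(fh)
    genuine = verify_package("Foo--1.2--i686.tar.bz2", fh, sig, FOO_1_2)
    # Tarball and version directory renamed, FileHash left intact: the signed
    # entries still say Foo/1.2, which does not match the claimed 2.3.
    relabelled = verify_package("Foo--2.3--i686.tar.bz2", fh, sig, FOO_1_2)
    # FileHash edited to say 2.3 instead: the signature no longer matches.
    edited = fh.replace("Foo/1.2/", "Foo/2.3/")
    tampered = verify_package("Foo--2.3--i686.tar.bz2", edited, sig, FOO_1_2)
    return genuine, relabelled, tampered


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check deliberately derives the expected `Program/Version` from the tarball name the user asked for, so the only way a mirror can pass it is to serve a FileHash that was signed for exactly that name and version.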