Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I think the original article offered a range of solutions, the crucial one in this case being time expiry on signed metadata which at least reduces the window for attack.
Thanks for pointing that out, I just noticed that under the "in the future" section. Yeah, that sounds pretty similar to what I had in mind. Except I had thought about putting creation dates on the metadata, not expiration dates.
Quote:
The best solution would seem to be to only update direct from the original distro repositories using https but that's likely to remain an option for commercial distros only. Perhaps package manager clients should always refer the signed metadata to the original distro repository via https to compare timestamps before accepting the mirror's version as valid? So not only is the metadata known to be good and within its expiry limit but is also proven to be the latest available (there may be times when a patch is pushed through in quick time). This might be a reasonable alternative to using https for the entire transaction which would be cost prohibitive for the mirrors.
Yeah, having package managers download signed metadata via HTTPS directly from their distributor before any upgrade would do the trick indeed. That said, I personally don't believe HTTPS (or any other sort of secure communication) or direct connection requirements should play a part in the solution here. I'm not exactly sure why I think that way, though.
Direct connection for the whole transaction would place such a huge burden on the distros that any non commercial distro probably can't do it anyway, which is why I was thinking of just verifying the signed metadata and obtaining security updates this way and relying on the mirrors for the regular bandwidth hungry part.
The discussion on slashdot is quite entertaining/informative. There are all the usual comments from people who only read the headline but the the original article's authors are contributing their comments too. One thing I noticed is how many people state that because Debian does directly host their security repos that Debian isn't vulnerable....which equates to believing that only packages audited by Debian security (i.e excluding non-free and contrib and 3rd party repos) would ever be identified as vulnerable and updated. Brave thinking!
What to do about the mirrors knowing your IP (and that you are in need of a security patch)? Maybe package managers could use some kinda Tor-like network so that mirrors never know your IP when you download from them. Actually, now that I think about it, there's nothing stopping anyone from making their package manager go through Tor to contact mirrors.
What to do about the mirrors knowing your IP (and that you are in need of a security patch)? Maybe package managers could use some kinda Tor-like network so that mirrors never know your IP when you download from them. Actually, now that I think about it, there's nothing stopping anyone from making their package manager go through Tor to contact mirrors.
I've had to do that in the past (guy who controlled local network was a prize idiot, lots of inappropriate filtering by keywords which blocked certain packages and lists) and I found it's fairly impractical to use tor due to low speed and timeouts, though it's not impossible.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.