On Sat, Jul 07, 2007 at 01:39:25PM +0200, Christian Boltz wrote:
Hello,
(CC to Marcus in case he's not subscribed here - he pointed out this issue some time ago)
Since SUSE Linux 10.1, the repo metadata is GPG-signed so that nobody can inject evil packages (like glibc from 9.1, which is a well-signed package from SUSE ;-)
There's still a hole left: It's impossible to check for replay attacks where an attacker provides an outdated version of the update repository, leaving some security holes unfixed. (Or there's just an outdated mirror, same effect...)
IMHO this could be solved by adding an expiration date to the repos. The distribution repos could have a TTL of two years, the update repos and Factory maybe one or two weeks. YaST and other tools could then warn the user if "outdated" repos are used.
Pros: - replay attacks with outdated update repos are impossible (at least if "outdated" means longer than some days) - outdated mirrors can be identified quickly (the users will complain ;-) - the end of lifetime of a distribution could be "announced" this way - users will instantly notice if their computer's date setting is wrong ;-))
Cons: - there's still a small timeframe between release of the fix and the expiration of the previous update repo version - if no updates are released for some days, you'll have to change the expiration date
What do you think about this idea?
Yes, this is a good one. I have opened an internal feature request. We will likely approach this for 11.0, not for the mostly done 10.3. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-softwaremgmt+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-softwaremgmt+help@opensuse.org