[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#19479: Package manager vulnerable

From: Kelly Dean
Subject: bug#19479: Package manager vulnerable
Date: Tue, 06 Jan 2015 06:38:12 +0000

Richard Stallman wrote:
> What do we need to do on ftp.gnu.org to avoid these dangers?

It depends on what you expect the user's responsibility to be.

If you expect him to know the latest version number of a package (without 
relying on the gnu.org webserver to find out, in case it's compromised), and 
you expect him to manually verify that his download is the latest version (in 
addition to verifying the signature, of course), and you give him the ability 
to do this by always including both the name and the version number in your 
packages (so far as I'm aware, you already do) and never re-using version 
numbers (I think you're ok here too), then you have no problem, so there's 
nothing you need to do.

Otherwise, the problems and solution are the same as for package distribution 
systems in general, as detailed at

reply via email to

[Prev in Thread] Current Thread [Next in Thread]