[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#19479: Package manager vulnerable to replay attacks
|
From: |
Jean Louis |
|
Subject: |
bug#19479: Package manager vulnerable to replay attacks |
|
Date: |
Thu, 26 Nov 2020 06:56:44 +0300 |
|
User-agent: |
Mutt/2.0 (3d08634) (2020-11-07) |
* Stefan Kangas <stefan@marxist.se> [2020-11-26 05:07]:
> PS. Note that if we add a checksum, there will no longer be any need to
> sign individual packages for future versions of Emacs. We would
> then only need to sign the metadata.
I do not know internals as I did not see yet signed package. But if
signed package fetched from GNU ELPA then such is verified against
official key on user's computer, right?
Now take in account that signed packages will be distributed through
mirrors and mirrors already exist.
If archive-contents or meta data is signed and can be technically used
by mirror, that would be fine. If archive-contents need to be changed
or mirror wants to mirror only specific packages then package need to
be signed.