[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Emacs package manager vulnerable to replay attacks

From: Ivan Shmakov
Subject: Re: Emacs package manager vulnerable to replay attacks
Date: Tue, 30 Dec 2014 11:45:13 +0000
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

>>>>> Kelly Dean <address@hidden> writes:


 > To solve this problem, include a timestamp of archive-contents in
 > that file itself (so that the signature depends on the timestamp),
 > and have Emacs ignore any new archive-contents that's older than the
 > latest valid one that Emacs has already seen or is older than some
 > specified limit (IIRC Debian's apt-get uses a 10-day limit).

        Debian uses an explicit expiration date, as set in the InRelease
        (or Release) file.  Consider, e. g., [1]:

Date: Tue, 30 Dec 2014 08:52:15 UTC
Valid-Until: Tue, 06 Jan 2015 08:52:15 UTC

        For stable releases, Valid-Until: isn’t used (AIUI) [2]; perhaps
        then a fall back value of some kind is used.

[1] http://http.debian.net/debian/dists/jessie/InRelease
[2] http://http.debian.net/debian/dists/wheezy/InRelease


 > Fortunately, all four of these features (package hashes, content
 > length, archive timestamps, and archive hash chaining) are
 > straightforward to implement.

        Well, thanks for the heads-up, but could you please file these
        as actual Emacs bug reports, perhaps even separate ones?  I’d
        then try to suggest patches within the next few days.  (Not that
        I’m the only person who could do that, anyway.)

FSF associate member #7257  http://boycottsystemd.org/  … 3013 B6A0 230E 334A

reply via email to

[Prev in Thread] Current Thread [Next in Thread]