Study: Attacks on package managers

Christoph Höger choeger at cs.tu-berlin.de
Tue Jul 15 12:54:11 UTC 2008


Hi,

obviously that means metadata needs good signatures as packages do,
right? That should be easy to implement. Also metadata should be
versioned and that version should be updated on a regular (e.g. daily)
basis. (I don't know if it already is.) Then one could simply diff the
metadata(-hash) of two or more servers with a trusted base server to
figure out if someone holds back updates.

So that should not be _that_ big a problem at all, right?

Christoph 
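
The comparison described in the message above, as an added example that is not part of the original post or of any package manager's code: each mirror's metadata version and hash are checked against what a trusted base server has published. It assumes signatures were already verified; `MAX_LAG`, the metadata layout, and the mirror names are hypothetical.

```python
import hashlib

# Assumption: the trusted base server bumps the metadata version once a day,
# so a mirror more than MAX_LAG versions behind is treated as holding back updates.
MAX_LAG = 2

def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def classify(mirror, trusted_version, published):
    """Classify one mirror's (version, body) against the trusted server's record.

    published maps every version the trusted server has issued to its digest.
    """
    version, body = mirror
    expected = published.get(version)
    if expected is None:
        return "unknown-version"      # never issued by the trusted server
    if digest(body) != expected:
        return "content-mismatch"     # known version number, different metadata
    lag = trusted_version - version
    if lag == 0:
        return "current"
    # A small lag is normal sync delay; a large one looks like withheld updates.
    return "syncing" if lag <= MAX_LAG else "held-back"

def audit(mirrors, trusted_version, published):
    """Return {mirror_name: verdict} for all mirrors."""
    return {name: classify(m, trusted_version, published)
            for name, m in mirrors.items()}

# Constructed sample data (not real repository metadata).
BODIES = {v: f"repomd version={v} pkgs=foo-1.{v}".encode() for v in range(10, 16)}
PUBLISHED = {v: digest(b) for v, b in BODIES.items()}
TRUSTED_VERSION = 15
MIRRORS = {
    "mirror-a.example": (15, BODIES[15]),
    "mirror-b.example": (14, BODIES[14]),
    "mirror-c.example": (10, BODIES[10]),
    "mirror-d.example": (15, b"repomd version=15 pkgs=foo-1.10"),
    "mirror-e.example": (16, b"repomd version=16 pkgs=foo-1.16"),
}

if __name__ == "__main__":
    for name, verdict in audit(MIRRORS, TRUSTED_VERSION, PUBLISHED).items():
        print(f"{name}: {verdict}")
```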
