apt-cacher in main + apt-zeroconf

Fabian Rodriguez magicfab at ubuntu.com
Thu Nov 15 17:53:14 UTC 2007


Sam Tygier wrote:
> it looks like they have got the security side covered.
>
> "Now, one might think this could potentially pose a security threat
>  as everyone can offer and distribute debs without any
> authentication whatsoever. This is not the case as we are not yet
> caching the package lists or pdiffs, which are PGP-signed and
> contain MD5, SHA1 and SHA256 checksums of the packages. But due to
> the trusted PGP signatures, caching package lists shouldn't be an
> issue."
>
> Is there any reason this would not be sufficient?
I see many ways to trick someone into installing newer versions of
existing common packages that include malicious files, using
apt-zeroconf. You'd be surprised how many people will click through
any amount of security warnings if approached with authority by a
neighbor. An Internet cafe comes to mind, but many other public places
would also serve this purpose. You'd guess I love being paranoid about
this.

> The only thing I can imagine is some sort of DOS attack by sending
> a large number of requests to one machine. Maybe checking for
> shared packages on the network could be enabled by default, but
> sharing disabled. The option to enable sharing could be in System
> -> Administration -> Software Sources
If this was actually checked against a local web of trust (like
OpenPGP or Gaim-OTR keys or else) it may become interesting. But who
uses that "safely"? :)

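Added example, not part of the original message and not apt-zeroconf's own code: a minimal sketch of the check the quoted passage relies on, where a .deb offered by an unauthenticated peer is accepted only if its size and SHA256 match an entry in the package index. It assumes the index was already authenticated through the PGP-signed Release file; the package stanza, file name and payload bytes are constructed sample data, and `parse_packages` and `verify_peer_deb` are hypothetical helper names.

```python
import hashlib

# Constructed stand-in for the bytes of a .deb and its index stanza.
GOOD_DEB = b"constructed stand-in for a .deb payload\n"
SAMPLE_PACKAGES = f"""Package: hello
Version: 2.2-1
Filename: pool/main/h/hello/hello_2.2-1_i386.deb
Size: {len(GOOD_DEB)}
SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}
"""


def parse_packages(text):
    """Map Filename -> fields for each blank-line separated stanza.

    Assumption: `text` comes from an index already verified against the
    PGP-signed Release file; this function does no signature checking.
    """
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation lines (long descriptions) are not needed
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index


def verify_peer_deb(index, filename, data):
    """Return (ok, reason) for bytes offered by an unauthenticated LAN peer."""
    entry = index.get(filename)
    if entry is None:
        # Covers a "newer" version that no signed index ever listed.
        return False, "not in signed index"
    if "SHA256" not in entry or "Size" not in entry:
        return False, "index entry lacks SHA256/Size"
    if len(data) != int(entry["Size"]):
        return False, "size mismatch"
    # Only SHA256 is checked; MD5 and SHA1 entries are ignored as weaker.
    if hashlib.sha256(data).hexdigest() != entry["SHA256"].lower():
        return False, "SHA256 mismatch"
    return True, "ok"
```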
