[ubuntu-hardened] Updates: re-synchronize the package index files via HTTP protocol.
Marc Deslauriers
marc.deslauriers at canonical.com
Fri Nov 1 18:59:22 UTC 2013
On 13-11-01 11:53 AM, Seth Arnold wrote:
> On Fri, Nov 01, 2013 at 02:46:12PM +0100, Daniel Curtis wrote:
<snip>
> There is one weakness with the current APT mechanism -- a mirror site may
> stop updating, and offer only old and known-broken packages to clients.
> There is no easy way to fix this except requiring every client to connect
> to an Ubuntu-controlled machine periodically, but the steps involved in
> getting that correct would be substantial. (It might still be worthwhile.)
>
There is functionality in apt to respect a "Valid-Until" tag in the Release
file, but we have not implemented that since a malicious mirror could simply use
the Release file for a previous Ubuntu release and prevent updates from being
installed.
Marc.
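
Added example, not part of the original message and not apt's own code: a client-side freshness check over the Date and Valid-Until fields of a Release file whose signature has already been verified. It also compares Codename, because the message notes that a Release file from a previous release could be substituted. The sample file, the function names and the 7-day max_age are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not taken from a real mirror).
SAMPLE_RELEASE = """\
Origin: Ubuntu
Suite: saucy
Codename: saucy
Date: Thu, 17 Oct 2013 15:04:23 UTC
Valid-Until: Thu, 24 Oct 2013 15:04:23 UTC
Components: main restricted
MD5Sum:
 0123456789abcdef0123456789abcdef 1024 main/binary-amd64/Packages
"""

def parse_release_headers(text):
    """Return the top-level 'Key: value' fields, skipping indented hash lines."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def _utc(value):
    """Parse an RFC 822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_freshness(text, now, expected_codename, max_age=timedelta(days=7)):
    """Return a list of findings; an empty list means the metadata looks current."""
    f = parse_release_headers(text)
    findings = []
    if f.get("Codename") != expected_codename:
        findings.append("codename-mismatch")  # e.g. an older release's file
    if "Date" not in f:
        findings.append("no-date")
    elif now - _utc(f["Date"]) > max_age:
        findings.append("stale-date")         # mirror may have stopped updating
    if "Valid-Until" not in f:
        findings.append("no-valid-until")     # nothing bounds how long it can be replayed
    elif now > _utc(f["Valid-Until"]):
        findings.append("expired")
    return findings
```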