| 1 |
Hi, |
| 2 |
|
| 3 |
On Thu, 26 Oct 2017 22:12:25 +0200 |
| 4 |
Michał Górny <mgorny@g.o> wrote: |
| 5 |
|
| 6 |
> After a week of hard work, I'd like to request your comments |
| 7 |
> on the draft of GLEP 74. This GLEP aims to replace the old |
| 8 |
> tree-signing GLEPs 58 and 60 with a superior implementation and more |
| 9 |
> complete specification. |
| 10 |
|
| 11 |
Thanks for working on this, it's really one of the biggest security |
| 12 |
issues Gentoo has these days that need to be fixed. |
| 13 |
|
| 14 |
I hope I'll find time to read it in detail, but by skimming through it |
| 15 |
I noted that the downgrade attack prevention is kinda not very clear. |
| 16 |
It says in the timestamp section "The package manager can use it to |
| 17 |
detect an outdated repository checkout." But it doesn't say how exactly. |
| 18 |
|
| 19 |
Should a package manager reject a sync if it is too old? or not install |
| 20 |
packages if a sync hasn't happened for some time? What is considered |
| 21 |
"outdated"? I think that should be clarified how exactly it's supposed |
| 22 |
to work. |
| 23 |
|
| 24 |
-- |
| 25 |
Hanno Böck |
| 26 |
https://hboeck.de/ |
| 27 |
|
| 28 |
mail/jabber: hanno@××××××.de |
| 29 |
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 |
Archives