Hi,

On Thu, 26 Oct 2017 22:12:25 +0200
Michał Górny <mgorny@g.o> wrote:

> After a week of hard work, I'd like to request your comments
> on the draft of GLEP 74. This GLEP aims to replace the old
> tree-signing GLEPs 58 and 60 with a superior implementation and more
> complete specification.

Thanks for working on this, it's really one of the biggest security
issues Gentoo has these days that need to be fixed.

I hope I'll find time to read it in detail, but by skimming through it
I noted that the downgrade attack prevention is kinda not very clear.
It says in the timestamp section "The package manager can use it to
detect an outdated repository checkout." But it doesn't say how exactly.

Should a package manager reject a sync if it is too old? Or not install
packages if a sync hasn't happened for some time? What is considered
"outdated"? I think that should be clarified how exactly it's supposed
to work.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@××××××.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42