[Haskell-cafe] Offer to mirror Hackage

Brandon S Allbery KF8NH allbery at ece.cmu.edu
Sat Dec 11 20:51:19 CET 2010

Hash: SHA1

On 12/9/10 16:04 , Richard O'Keefe wrote:
> I thought "X is a mirror of Y" meant X would be a read-only replica of Y,
> with some sort of protocol between X and Y to keep X up to date.
> As long as the material from Y replicated at X is *supposed* to be
> publicly available, I don't see a security problem here.  Only Y accepts
> updates from outside, and it continues to do whatever authentication it
> would do without a mirror.  The mirror X would *not* accept updates.

The above assumes that the operator of the mirror is trustworthy.  It
wouldn't be difficult for a hostile party to set up a mirror, but then
modify the packages to include malware payloads --- if the packages aren't
signed.  (Or even if they are signed if it's a sufficiently weak algorithm.
 MD5 is already unusable for the purpose.)

Other possibilities include MITM attacks where the hostile party detects
that someone is attempting to download a package and spoofs a reply that
directs it to a different package.

(Or more complex tricks; see
for examples.)

- -- 
brandon s. allbery     [linux,solaris,freebsd,perl]      allbery at kf8nh.com
system administrator  [openafs,heimdal,too many hats]  allbery at ece.cmu.edu
electrical and computer engineering, carnegie mellon university      KF8NH
Version: GnuPG v2.0.10 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Haskell-Cafe mailing list