[Haskell-cafe] Offer to mirror Hackage
Brandon S Allbery KF8NH
allbery at ece.cmu.edu
Sat Dec 11 20:51:19 CET 2010
On 12/9/10 16:04 , Richard O'Keefe wrote:
> I thought "X is a mirror of Y" meant X would be a read-only replica of Y,
> with some sort of protocol between X and Y to keep X up to date.
> As long as the material from Y replicated at X is *supposed* to be
> publicly available, I don't see a security problem here. Only Y accepts
> updates from outside, and it continues to do whatever authentication it
> would do without a mirror. The mirror X would *not* accept updates.

The above assumes that the operator of the mirror is trustworthy. It
wouldn't be difficult for a hostile party to set up a mirror, but then
modify the packages to include malware payloads --- if the packages aren't
signed. (Or even if they are signed if it's a sufficiently weak algorithm.
MD5 is already unusable for the purpose.)

Other possibilities include MITM attacks where the hostile party detects
that someone is attempting to download a package and spoofs a reply that
directs it to a different package.
(Or more complex tricks; see
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.167.4096&rep=rep1&type=pdf
for examples.)

--
brandon s. allbery [linux,solaris,freebsd,perl] allbery at kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery at ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH
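
Added example, not part of the original message and not Hackage's or cabal's own code: a client-side check that accepts a package from an untrusted mirror only if it matches the digest the origin lists for that exact package, which covers both the modified-package and the substituted-package cases raised above. The index layout, the function names and all sample data are assumptions constructed for illustration, and the index is assumed to reach the client from the origin over a channel it already trusts.

```python
import hashlib
import hmac

# Digest algorithms the client accepts; MD5 and SHA-1 entries are refused.
ALLOWED_ALGS = {"sha256", "sha512"}

# Constructed sample data: the index as obtained from the origin (Y) over a
# channel the client already trusts (assumption), keyed by exact name-version.
GOOD_TARBALL = b"constructed contents of foo-1.0.tar.gz"
OTHER_TARBALL = b"constructed contents of bar-2.3.tar.gz"
ORIGIN_INDEX = {
    "foo-1.0": ("sha256", hashlib.sha256(GOOD_TARBALL).hexdigest()),
    "bar-2.3": ("sha256", hashlib.sha256(OTHER_TARBALL).hexdigest()),
    "old-0.1": ("md5", "0" * 32),  # constructed legacy entry with a weak digest
}


class VerificationError(Exception):
    """Raised when mirror content cannot be tied to the origin's index."""


def verify_from_mirror(package_id, mirror_bytes, index=ORIGIN_INDEX):
    """Return mirror_bytes only if they match the origin's entry for package_id."""
    if package_id not in index:
        raise VerificationError(f"{package_id}: not listed by the origin")
    alg, expected = index[package_id]
    if alg not in ALLOWED_ALGS:
        raise VerificationError(f"{package_id}: refusing weak digest {alg}")
    actual = hashlib.new(alg, mirror_bytes).hexdigest()
    # Compare against the entry for the *requested* package, so a mirror or
    # MITM cannot answer with some other package the origin also lists.
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError(f"{package_id}: digest mismatch")
    return mirror_bytes


def check(package_id, mirror_bytes):
    """Return 'ok' or the rejection reason, for demonstration."""
    try:
        verify_from_mirror(package_id, mirror_bytes)
        return "ok"
    except VerificationError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check("foo-1.0", GOOD_TARBALL))                   # untouched copy
    print(check("foo-1.0", GOOD_TARBALL + b"\x00payload"))  # modified by mirror
    print(check("foo-1.0", OTHER_TARBALL))                  # different package returned
    print(check("old-0.1", b"constructed legacy entry"))    # weak digest entry
```

The check is only as strong as the way the index itself is authenticated; a mirror that also serves the index unsigned gains nothing from it.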