Task #2667
use new 'max age' feature of repos
| Status: | Closed | Start date: | 11/27/2013 |
|---|---|---|---|
| Priority: | Urgent | Due date: | |
| Assignee: | pd0x | % Done: | 0% |
| Category: | - | | |
| Target version: | improved security/usability | | |
| Component: | | | |
Description
Looks like CiaranG added the Debian-style fix for freeze/update attacks:
- https://gitorious.org/f-droid/fdroidserver/commit/7cc21fe89afba4c64c758417000a46be9a8a1c38
- https://gitorious.org/f-droid/fdroidclient/commit/d21788569fe9e38f7ac6c4f2e1a2a42bbc3daa0e
We should include this in Kerplapp repos. It might be useful for dealing with short-lived p2p repos as well; this could be set quite short, like 1 hour or 1 day or something.
Associated revisions
Adding max age property to Kerplapp repo index metadata.
In order to help address the "freeze attack" identified in the Fdroid
audit, support has been added to the fdroid-client & server for a 'max
age' property
(https://gitorious.org/f-droid/fdroidclient/commit/d21788569fe9e38f7ac6c4f2e1a2a42bbc3daa0e).
Presently the fdroid client does not enforce this max age, but we should
add it to our repo index for future support.
A preference screen entry was added to allow manipulation of the max age
timeout. It has been set to the same default value as the official
FDroid repo's maxage property (14 days).
refs #2667
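A sketch of the client-side check the max age property is meant to enable, as an added example (not code from fdroidclient, fdroidserver or Kerplapp). It assumes the index's repo element carries `timestamp` (Unix seconds) and `maxage` (days, 0 meaning no limit) attributes and that the index signature was already verified; the function name, the sample index and the extra refusal of an index older than the last accepted one are this example's own.

```python
import xml.etree.ElementTree as ET

SECONDS_PER_DAY = 86400

# Constructed sample index header. The attribute names and their units
# (timestamp in Unix seconds, maxage in days) are assumptions of this example.
SAMPLE_INDEX = """<fdroid>
  <repo name="Constructed example repo" timestamp="1385510400" maxage="14"/>
</fdroid>"""


def check_index_freshness(index_xml, now, last_seen_timestamp=0):
    """Return (ok, reason) for an index whose signature was already verified.

    now and last_seen_timestamp are Unix seconds. A maxage of 0, or a
    missing maxage attribute, means the repo sets no limit.
    """
    repo = ET.fromstring(index_xml).find("repo")
    if repo is None:
        return False, "no repo element"
    try:
        timestamp = int(repo.get("timestamp", ""))
        maxage_days = int(repo.get("maxage", "0"))
    except ValueError:
        return False, "malformed timestamp or maxage"
    if maxage_days < 0:
        return False, "malformed timestamp or maxage"

    # Replay of an index older than one this client already accepted.
    if timestamp < last_seen_timestamp:
        return False, "older than last accepted index"

    # Freeze attack: the same (validly signed) index is served forever,
    # hiding later updates. Past max age, the client stops trusting it.
    if maxage_days and now - timestamp > maxage_days * SECONDS_PER_DAY:
        return False, "index older than max age"

    return True, "fresh"


if __name__ == "__main__":
    signed_at = 1385510400
    for days in (1, 14, 15):
        print(days, check_index_freshness(SAMPLE_INDEX, signed_at + days * SECONDS_PER_DAY))
```

The check is only meaningful when `timestamp` and `maxage` are covered by the index signature; otherwise whoever serves the stale index can also rewrite both values.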
History
#1 Updated by hans about 4 years ago
- Priority changed from Normal to Urgent
#2 Updated by pd0x about 4 years ago
- Status changed from New to Closed
- Assignee set to pd0x
Addressed with commit eba2b9031711cd538b6e23fbb17b5e8e05d8553a in my Kerplapp fork:
https://github.com/binaryparadox/Kerplapp/commit/eba2b9031711cd538b6e23fbb17b5e8e05d8553a