Task #2667

use new 'max age' feature of repos

Added by hans about 4 years ago. Updated about 4 years ago.

Status: Closed
Start date: 11/27/2013
Priority: Urgent
Due date:
Assignee: pd0x
% Done: 0%
Category: -
Target version: improved security/usability
Component:

Description

Looks like CiaranG added the Debian-style fix for freeze/update attacks:

We should include this in kerplapp repos. It might be useful for dealing with short-lived p2p repos as well; this could be set quite short, like 1 hour or 1 day or something.

Associated revisions

Revision 6beaa391
Added by pd0x about 4 years ago

Adding max age property to Kerplapp repo index metadata.

In order to help address the "freeze attack" identified in the Fdroid
audit, support has been added to the fdroid-client & server for a 'max
age' property
(https://gitorious.org/f-droid/fdroidclient/commit/d21788569fe9e38f7ac6c4f2e1a2a42bbc3daa0e).
Presently the fdroid client does not enforce this max age, but we should
add it to our repo index for future support.

A preference screen entry was added to allow manipulation of the max age
timeout. It has been set to the same default value as the official
FDroid repo's maxage property (14 days).

refs #2667
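
The commit message above notes that the client does not yet enforce the max age. As an added example (not part of the commit, and not Kerplapp or F-Droid code), this is one way a client could enforce it. The attribute names `timestamp` (Unix seconds) and `maxage` (days) and the function name are assumptions; the future-timestamp and rollback checks go beyond the freeze case discussed here.

```python
import time
import xml.etree.ElementTree as ET

SECONDS_PER_DAY = 86400
DEFAULT_MAXAGE_DAYS = 14  # client-side fallback, same as the default above

# Constructed samples. Assumed layout: <repo> carries "timestamp" (Unix
# seconds) and "maxage" (days); the names are not taken from this page.
SAMPLE_INDEX = '<fdroid><repo name="demo" timestamp="1385510400" maxage="14"/></fdroid>'
LEGACY_INDEX = '<fdroid><repo name="demo" timestamp="1385510400"/></fdroid>'


class StaleIndexError(Exception):
    """The index is too old (or malformed) to be trusted as current."""


def check_index_freshness(index_xml, now=None, last_seen=0, skew=300):
    """Return the index timestamp if fresh, else raise StaleIndexError.

    Call only after the index signature has verified; before that,
    timestamp and maxage are attacker-controlled.
    """
    now = time.time() if now is None else now
    repo = ET.fromstring(index_xml).find("repo")
    if repo is None:
        raise StaleIndexError("no <repo> element")
    try:
        timestamp = int(repo.get("timestamp", ""))
        maxage = int(repo.get("maxage", DEFAULT_MAXAGE_DAYS))
    except ValueError as exc:
        raise StaleIndexError("timestamp/maxage is not an integer") from exc
    if maxage <= 0:
        # A replayed index with no usable maxage must not disable the check.
        maxage = DEFAULT_MAXAGE_DAYS
    if timestamp > now + skew:
        raise StaleIndexError("index timestamp is in the future")
    if timestamp < last_seen:
        raise StaleIndexError("index is older than one already accepted")
    age = now - timestamp
    if age > maxage * SECONDS_PER_DAY:
        raise StaleIndexError(
            f"index is {age / SECONDS_PER_DAY:.1f} days old, limit {maxage}")
    return timestamp
```

The fallback to a client default matters because a signed index published before the property existed carries no `maxage` and would otherwise never expire.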

History

#1 Updated by hans about 4 years ago

  • Priority changed from Normal to Urgent

#2 Updated by pd0x about 4 years ago

  • Status changed from New to Closed
  • Assignee set to pd0x

Addressed with commit eba2b9031711cd538b6e23fbb17b5e8e05d8553a in my Kerplapp fork:
https://github.com/binaryparadox/Kerplapp/commit/eba2b9031711cd538b6e23fbb17b5e8e05d8553a
