Insecure updates are the rule, not the exception
The Update Framework
As with most things in open source, you don't have to reinvent the wheel. The Update Framework (TUF)  is available under an open source license (but not one I recognize) and is written mostly in Python, so it's pretty understandable. Even better is that all the above security issues have been taken into account for the system design and implementation. It even addresses possible problems like key compromise.
One basic thing to keep in mind about security, especially for software updates, is that you need to make your system as secure as you can, but you also need to make it possible to return to a known good state (i.e., you have removed all the compromised packages and so on from your update infrastructure).
TUF places all of the heavy lifting on the server and end client. Thus, the intermediary mirror systems don't even need to know about it, which in turn makes deployment possible (trying to get a major mirror site to install some software so they can securely serve updates is a battle you will lose). Unfortunately, TUF isn't perfect – the only client is written in Python, so integrating it with non-Python software or on systems that don't natively support Python (e.g., Windows) will be difficult, to say the least. For more information, an excellent lightning talk is available on YouTube  that covers all the basics of TUF using PyPI.
You can certainly use TUF to secure updates, but, unfortunately, deploying TUF is nontrivial. You're going to need at least two servers (in case one fails) and some keys that will require management. That means it's probably not going to be used; in fact, I'm not aware of any software that uses TUF for updates. So, unless people start demanding that organizations and vendors, like WordPress, Drupal, Joomla, RubyGems, PyPI, Hackage, CPAN, and so on, start providing secure updates for all the code they make available, it isn't going to happen.
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
- HTP Zine 5: http://straylig.ht/zines/HTP5/0x02_Linode.txt
- Social Media Widget remote file inclusion: http://seclists.org/oss-sec/2013/q2/83
- OpenPGP Card: http://en.wikipedia.org/wiki/OpenPGP_card
- Kernel Concepts Security/Smartcards: http://shop.kernelconcepts.de/index.php?cPath=1_26
- The Update Framework: https://www.updateframework.com/
- TUF lightning talk: https://www.youtube.com/watch?v=2sx1lS6cT3g
Buy this article as PDF
Linux users can now download and install the Windows code editor
New initiative will address security and interoperability concerns around container technology.
Developers can use RHEL as a development platform without a subscription fee.
Windows users will soon have native access to the Bash shell.
Improvements to SMTP will provide better guarantee of confidentiality
Graphics vendor embraces new reality in Linux graphics
Pioneer Ray Tomlinson bequeathed the @ sign to billions of Internet users
Redmond says its classic database tool will run without Windows
New intrusion technique affects most non-Bluetooth wireless mice
GENIVI Alliance announces the release of the first beta of the GENIVI Demo Platform ivi9.