Hi Simon,

This one time, simon+debian-security@josefsson.org wrote:

> I am a bit worried about the ssh advisories, not the actual package
> itself (well, that too) but the way it was handled -- the openssh team
> issued new versions of a package and a security advisory asking
> everyone to update to the new package, Debian and others jumped on it
> and sent the new version out. The possibility of distributing a wide
> scale worm or virus using this approach is obvious.

Always, always, check the digital signature. I don't think that Theo and co. would want to distribute a worm in this way. This would defeat their purpose for existence in the UNIX security world.

I agree though... it's really poorly handled. I really hope that's what the deb packagers do before creating the package.

Speaking of which...

<soapbox>
When is Debian going to implement SHA-1 checksums or gpg sigs into apt-get, dpkg, and the debs before installing? This just trusting the deb source is really scary...
</soapbox>

> violating the social contract as well. If the social contract was
> followed, there wouldn't be security advisories based on information
> that the community cannot verify (in this case, I understand that not
> even the security officers could verify if the ssh package was
> vulnerable or not?). Only when someone points at the code that is
> bad, in public, and it is agreed that it is bad, only then should a
> security update be made.

Wow, this and Apache all in a matter of weeks ;-). *sigh*

I agree, especially since any monkey can go and audit the source themselves.

> One (somewhat costly) way to solve this would be to have two kinds of
> security updates. One is made early and with information not
> available to the community, the other is made only when the community
> can verify security bugs. Users can decide which one they want to
> trust.

I would say use one or the other, but not both. This is something the security community should decide, not the users. You'll confuse the poor folks ;)

> Anyone share my concerns? </troll ;-)>

*raises hand*

Both the Apache and OpenSSH announcements were done poorly, without any reasonable thought given to the user community. They should be taken out and shot ;-) (IMHO).

-Anne

--
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research