[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why Linux, Why Debian

On Fri, Feb 13, 2004 at 08:15:34PM +0100, Wouter Verhelst wrote:

> On Fri, Feb 13, 2004 at 09:59:25AM -0800, Matt Zimmerman wrote:
> > On Thu, Feb 12, 2004 at 05:09:46PM -0600, Manoj Srivastava wrote:
> > 
> > >  7) are security patch mechanisms convenient for the BSD's?
> > >     For Linux in general? For Debian?
> > 
> > I believe their methods of distributing updates securely are significantly
> > more convenient than ours at present.  I believe you can checkout the ports
> > tree via cvs over ssh, and so authenticate the server that you are talking
> > to.
> 
> I don't think you can, unless you happen to have an account on the CVS
> server (which, of course, is only true for the system's developers). And
> even then, at least in FreeBSD, developers still use CVSup plus a bunch
> of scripts to update their local repository.

You can.

http://www.openbsd.org/anoncvs.html#WHICH

> > In our case, you need to verify a gpg signature on a file containing
> > some md5sums which you must then verify by hand (and very few people do in
> > my experience).
> 
> In their case, there isn't even a gpg key, at least not AFAIK. CVSup
> servers can be compromised too...

The question was about convenience.  In terms of server compromise, the two
systems are pretty much equivalent.

-- 
 - mdz
Reply to: