
Re: testing group -- please test the documentation



Hi,

I will try to do some more over the weekend, but here is some
clarification to one point you rejected. I cc: the cd-list in
the hope that they can do something for this.

Adam Di Carlo wrote:
> 
> On Tue, 12 Jan 1999 17:21:37 +0200, Arto Astala <arto.astala@ntc.nokia.com> said:
> > [...]
> [...]
> >   To protect your system against trojan horses and other bogus
> >   software all Debian packages are PGP-signed by the developer. Thus you
> >   can (but are not required to) at any time verify that your
> >   packages are originating from the real Debian maintainer. Debian
> >   also takes great care to configure the packages in a secure manner.
> >   Security fixes are generally quickly available for the packages.
> 
> For one, this isn't true; .debs aren't signed.  For two, I don't want
> to bait crackers.

There was talk about this quite some time ago, I must have taken a wish
for fact. At least we know that the package came from where it should have
come and it has not been tampered with. The Packages file contains an MD5sum
but that is not very secure against tampering, especially when Packages
itself has no checksum. On the other hand there is an MD5sum for the whole cd-rom.
Catch 22, altogether: Debian verifies the path from developer to Debian,
and RH verifies the path from RH to user, but neither verifies the whole
path. (But Debian users are still slightly better off, since they can
download from Debian and be pretty sure they have the authentic stuff.)

Perhaps we could add some stronger guarantee for the authenticity of the
official cd images. Could there be some detached certificate that in
turn would be signed by the release manager or some such authority? It should
be available on www & ftp.

I was talking about the same themes as Bruce in
 http://lwn.net/1998/1119/Trojan.html
I think that encouraging forward movement and user education is more
important than not baiting the crackers.

Perhaps something like:
To protect your system against trojan horses and other bogus
software, Debian has verified that packages have come from their
real Debian maintainers. Debian also takes great care to configure
the packages in a secure manner. Security fixes are generally
quickly available for the packages. You should check if there are
fix releases available on the Debian ftp site. <I do not have a good
formulation for fix releases like 2.0 r4 but that should be mentioned
somehow.>

> > [...]
> [...]

t.aa
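The point made above, that per-package checksums in a Packages file protect nothing unless the Packages file itself is anchored to something the user trusts (a checksum of the whole CD image, or a detached certificate signed by the release manager), can be shown with a few lines of code. The following is an added example and not code from the Debian project or from this thread. It uses constructed package bytes and a constructed index, and SHA-256 in place of the MD5 the archive used in 1999; the "trusted digest" stands in for whatever out-of-band anchor is published on www/ftp.

```python
import hashlib

# Constructed sample "archive": package contents keyed by file name.
# These bytes stand in for real .deb files; they are not from the thread.
PACKAGES = {
    "bar_2.1_i386.deb": b"bar package contents (constructed)",
    "foo_1.0_i386.deb": b"foo package contents (constructed)",
}


def digest(data: bytes) -> str:
    """Hex digest of data. SHA-256 here; the 1999 archive used MD5."""
    return hashlib.sha256(data).hexdigest()


def build_packages_index(packages: dict) -> bytes:
    """Build a minimal Packages-style index: '<filename> <digest>' per line."""
    lines = [f"{name} {digest(data)}" for name, data in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def parse_packages_index(index: bytes) -> dict:
    """Parse the index back into {filename: digest}."""
    entries = {}
    for line in index.decode().splitlines():
        name, hexdigest = line.split()
        entries[name] = hexdigest
    return entries


def verify_packages(index: bytes, packages: dict, trusted_index_digest=None):
    """Check every package against the index.

    trusted_index_digest is the out-of-band anchor (in the email's terms, a
    checksum of the whole cd-rom or a certificate signed by the release
    manager). With no anchor the index is trusted as found, which is the
    'Packages has no checksum' situation described above.
    Returns (ok, reason).
    """
    if trusted_index_digest is not None and digest(index) != trusted_index_digest:
        return False, "index does not match the trusted digest"
    entries = parse_packages_index(index)
    for name, data in packages.items():
        if name not in entries:
            return False, f"{name} is not listed in the index"
        if digest(data) != entries[name]:
            return False, f"{name} does not match the index"
    return True, "ok"


def demo():
    """Walk through the cases discussed in the thread; returns four results."""
    index = build_packages_index(PACKAGES)
    anchor = digest(index)  # what the user would fetch from the trusted www/ftp site

    # 1. Untampered archive verifies.
    clean = verify_packages(index, PACKAGES, anchor)

    # 2. A modified package whose index entry was left alone is caught
    #    with or without the anchor.
    tampered = dict(PACKAGES)
    tampered["foo_1.0_i386.deb"] = b"foo package contents, modified (constructed)"
    caught = verify_packages(index, tampered, anchor)

    # 3. Modify the package AND regenerate the index to match: without an
    #    anchor the archive looks fine; with the anchor the substitution is caught.
    tampered_index = build_packages_index(tampered)
    unanchored = verify_packages(tampered_index, tampered)
    anchored = verify_packages(tampered_index, tampered, anchor)
    return clean, caught, unanchored, anchored


if __name__ == "__main__":
    labels = ("clean", "modified package", "modified package+index, no anchor",
              "modified package+index, anchored")
    for label, result in zip(labels, demo()):
        print(f"{label}: {result}")
```

Case 3 is the "Catch 22" in the message: a consistent edit of both the package and the index passes every per-package check, and only an anchor obtained through a separate trusted path (the whole-image checksum, or a signature from the release manager) lets the user detect it.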