Re: How to ensure the integrity of Debian mirrors?
Thomas Gebhardt wrote:
> yesterday I had to take a look at a machine that was emerging
> ping floods and did other nasty things. It turned out that it
> was a freshly installed Linux box (not a Debian system but
> another well known Linux distribution) and some investigation
> revealed that pretty soon after the installation several
> people from different sites got root access and reconfigured
> the system for their "needs".
Do you mind telling what distribution this was?
If this was a redhat machine I know 2 people personally that had their
machines hacked (yes I don't like saying cracked) just last week so it
may not have come from the mirror.
> So there is some strong evidence that the system was installed
> from an compromised ftp mirror which included a Troan horse
> ehm... Trojan horse and some mechanism to distribute the ip
> address of the installed host.
> I'd suggest to provide some mechanism to make compromising a
> Debian mirror more difficult. For now one could provide
> a PGP and/or GPG signed list of MD5 sums of all .deb
> packages. This list could be generated when constructing
> the Packages file. In the future one might implement a
> more elaborate certification scheme.
This sounds like a good idea, I don't see why it can't be done.
Stephen Crowley email@example.com, firstname.lastname@example.org
-* Finger email@example.com for my public key. PGP#22714B25 *-