Re: Revival of the signed debs discussion
* Henning Makholm (email@example.com) [031206 13:25]:
> Scripsit Goswin von Brederlow <firstname.lastname@example.org>
> > If a package is compromised we can proof that the DD of the package
> > either is malicious or incompetent.
> Say, we just had a major compromise on certain Debian machines. Pray
> tell, who do you think this proves is malicious or incompetent? We'd
> certainly want to toss out the culprit ASAP.
IMHO there can also be a third explanation: "Bad luck". But this also
nullifies the trust in any keys on any compromised machine - and the
administrators did replace the keys.
(And, to be honest: Perhaps one should discuss whether the kernel-team
would need some security team, like we have here at Debian. But
speaking what other should do is always very easy, and leads mostly to
nothing than hot air. For this cause, I didn't start and don't want to
say anything more to this topic. If someone with profound security
knowledge would want to help out there, this would be a much better
starting point for any discussion.)
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C