Re: Revival of the signed debs discussion

To: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Andreas Barth <aba@not.so.argh.org>
Date: Sat, 6 Dec 2003 13:53:49 +0100
Message-id: <[🔎] 20031206125349.GA26236@mails.so.argh.org>
Mail-followup-to: Andreas Barth <aba@not.so.argh.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 87ptf2dv06.fsf@kreon.lan.henning.makholm.net>
References: <[🔎] 87ptf6focp.fsf@mrvn.homelinux.org> <[🔎] 20031203190216.GH582@dijkstra.csh.rit.edu> <[🔎] 87u14hcpac.fsf@mrvn.homelinux.org> <[🔎] 20031204164750.GG582@dijkstra.csh.rit.edu> <[🔎] 878yls77za.fsf@glaurung.green-gryphon.com> <[🔎] 20031204194143.GR582@dijkstra.csh.rit.edu> <[🔎] 87d6b34mjf.fsf@glaurung.green-gryphon.com> <[🔎] 1070647822.16250.12.camel@bohr.local> <[🔎] 87d6b2bobz.fsf@mrvn.homelinux.org> <[🔎] 87ptf2dv06.fsf@kreon.lan.henning.makholm.net>

* Henning Makholm (henning@makholm.net) [031206 13:25]:
> Scripsit Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
> > If a package is compromised we can proof that the DD of the package
> > either is malicious or incompetent.
 
> Say, we just had a major compromise on certain Debian machines. Pray
> tell, who do you think this proves is malicious or incompetent? We'd
> certainly want to toss out the culprit ASAP.

IMHO there can also be a third explanation: "Bad luck". But this also
nullifies the trust in any keys on any compromised machine - and the
administrators did replace the keys.

(And, to be honest: Perhaps one should discuss whether the kernel-team
would need some security team, like we have here at Debian. But
speaking what other should do is always very easy, and leads mostly to
nothing than hot air. For this cause, I didn't start and don't want to
say anything more to this topic. If someone with profound security
knowledge would want to help out there, this would be a much better
starting point for any discussion.)


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>

References:
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Revival of the signed debs discussion
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Revival of the signed debs discussion
  - From: Anthony DeRobertis <asd@suespammers.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Henning Makholm <henning@makholm.net>

Prev by Date: Re: exim4-config and exim4-base installed on systems with non-exim-MTA
Next by Date: apt-utils compatible debsigs
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread