[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why Linux, Why Debian

On Fri, Feb 13, 2004 at 09:59:25AM -0800, Matt Zimmerman wrote:
> On Thu, Feb 12, 2004 at 05:09:46PM -0600, Manoj Srivastava wrote:
> >  7) are security patch mechanisms convenient for the BSD's?
> >     For Linux in general? For Debian?
> I believe their methods of distributing updates securely are significantly
> more convenient than ours at present.  I believe you can checkout the ports
> tree via cvs over ssh, and so authenticate the server that you are talking
> to.

I don't think you can, unless you happen to have an account on the CVS
server (which, of course, is only true for the system's developers). And
even then, at least in FreeBSD, developers still use CVSup plus a bunch
of scripts to update their local repository.

> In our case, you need to verify a gpg signature on a file containing
> some md5sums which you must then verify by hand (and very few people do in
> my experience).

In their case, there isn't even a gpg key, at least not AFAIK. CVSup
servers can be compromised too...

Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Attachment: signature.asc
Description: Digital signature

Reply to: