On Fri, Feb 13, 2004 at 09:59:25AM -0800, Matt Zimmerman wrote:
> On Thu, Feb 12, 2004 at 05:09:46PM -0600, Manoj Srivastava wrote:
>
> > 7) are security patch mechanisms convenient for the BSD's?
> > For Linux in general? For Debian?
>
> I believe their methods of distributing updates securely are significantly
> more convenient than ours at present. I believe you can checkout the ports
> tree via cvs over ssh, and so authenticate the server that you are talking
> to.

I don't think you can, unless you happen to have an account on the CVS
server (which, of course, is only true for the system's developers). And
even then, at least in FreeBSD, developers still use CVSup plus a bunch of
scripts to update their local repository.

> In our case, you need to verify a gpg signature on a file containing
> some md5sums which you must then verify by hand (and very few people do in
> my experience).

In their case, there isn't even a gpg key, at least not AFAIK. CVSup
servers can be compromised too...

-- 
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.