Re: Why Linux, Why Debian
On Fri, Feb 13, 2004 at 08:15:34PM +0100, Wouter Verhelst wrote:
> On Fri, Feb 13, 2004 at 09:59:25AM -0800, Matt Zimmerman wrote:
> > On Thu, Feb 12, 2004 at 05:09:46PM -0600, Manoj Srivastava wrote:
> > > 7) are security patch mechanisms convenient for the BSD's?
> > > For Linux in general? For Debian?
> > I believe their methods of distributing updates securely are significantly
> > more convenient than ours at present. I believe you can checkout the ports
> > tree via cvs over ssh, and so authenticate the server that you are talking
> > to.
> I don't think you can, unless you happen to have an account on the CVS
> server (which, of course, is only true for the system's developers). And
> even then, at least in FreeBSD, developers still use CVSup plus a bunch
> of scripts to update their local repository.
> > In our case, you need to verify a gpg signature on a file containing
> > some md5sums which you must then verify by hand (and very few people do in
> > my experience).
> In their case, there isn't even a gpg key, at least not AFAIK. CVSup
> servers can be compromised too...
The question was about convenience. In terms of server compromise, the two
systems are pretty much equivalent.