[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)

Colin Watson wrote:
> There was a problem with the Debian web site not being updated quickly
> enough. I believe this was due to it running off a cron job which was
> rather infrequent, and people noticed the gap between the advisory and
> the cron job firing (please correct me if I'm wrong).

I'm not 100% sure, but the cron job appeared to not be running at the
usual times, probably because it relied on ssh keys to fetch from CVS.
This kept the DSA off the front page for longer than usual. And there
was also no communication that I saw between the security team and the
web team regarding the key-rollover page for about 1 day after the
advisory. Result was the security/key-rollover page linked to from the
DSA being at first a 404 and then eventually a placeholder for so long
that the equivilant page on the wiki became (and largely remains) its
de-facto replacement.

Once the security team did start to provide content for the page, it was
up within about 4 hours IIRC; most of that delay was due to the typical
annoyance of the webwml build only happening a few times daily.

(There's an interesting contrast between the web site, which produced a
key-rollover page with nearly no content, but translated into a couple
languages, and the wiki, which produced a long, comprehensive, and
fairly polished page in the same timeframe. The wiki page still has
some information that isn't on key-rollover BTW.)

see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to: