Re: kernel.org compromised
(debian-kernel dropped from CC, since our kernels have already been reported
to be safe elsewhere in the thread).
On Thu, 01 Sep 2011, Christoph Anton Mitterer wrote:
> Any knowledge how far Debian's kernels and sources are concerned by this?
> Do you guys take them from git, or from the kernel.org tar balls.
> How do you verify their integrity?
Our kernels are not a problem. The Debian mirror in mirrors.kernel.org,
on the other hand... While the apt signature will protect users
downloading packages through the package manager, users that get binary
packages directly are not protected. Source packages are signed, but
you have to check the signature _and_ make sure it was signed by a
I am not sure what the kernel.org admin team will do to resync the
mirrors. An rsync -c followed by a normal pulse would do it, but it is
going to be _painful_ to both mirrors.kernel.org AND its upstream
mirror, not to mention slow.
Do we have an automated way to signature-check every binary and source
package in a repository against the hashes in the signed release files?
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
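The check asked about above, as an added example that is not part of the original thread: it walks the Release -> Packages -> .deb chain over a small mirror tree constructed in a temp directory (not real Debian data) and reports each file as ok, missing or MISMATCH. It assumes the Release file's signature has already been verified with gpg against the archive keyring; without that step the hashes prove nothing.

```python
import hashlib, os, tempfile

def parse_release_sha256(text):
    """{relpath: (sha256, size)} from the SHA256 block of a Release file."""
    entries, active = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):        # any new field header ends the SHA256 block
            active = line.strip() == "SHA256:"
        elif active:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(text):
    """[(Filename, sha256, size)] from each stanza of a Packages file."""
    fields = [dict(l.split(": ", 1) for l in s.splitlines() if ": " in l) for s in text.split("\n\n") if s.strip()]
    return [(f["Filename"], f["SHA256"], int(f["Size"])) for f in fields]

def check_file(root, relpath, digest, size):
    """'ok', 'missing' or 'MISMATCH' for one mirror file against its expected hash and size."""
    path = os.path.join(root, relpath)
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        data = fh.read()
    return "ok" if (len(data), hashlib.sha256(data).hexdigest()) == (size, digest) else "MISMATCH"

def audit_mirror(root, dist="dists/stable"):
    """Release -> Packages -> .deb chain; assumes the Release signature was already verified with gpg."""
    with open(os.path.join(root, dist, "Release")) as fh:
        expected = parse_release_sha256(fh.read())
    results = {}
    for rel, (digest, size) in expected.items():
        idx = os.path.join(dist, rel)
        results[idx] = check_file(root, idx, digest, size)
        if results[idx] == "ok" and rel.endswith("Packages"):   # only walk an index that verified
            with open(os.path.join(root, idx)) as fh:
                for fname, d, s in parse_packages(fh.read()):
                    results[fname] = check_file(root, fname, d, s)
    return results

def build_sample_mirror(tamper=False):
    """Constructed toy mirror (not real Debian data); tamper=True alters the .deb after indexing."""
    root, deb = tempfile.mkdtemp(), b"!<arch>\nconstructed, not a real .deb\n"
    pkgs = f"Package: foo\nFilename: pool/main/f/foo_1.0_amd64.deb\nSize: {len(deb)}\nSHA256: {hashlib.sha256(deb).hexdigest()}\n".encode()
    release = f"Suite: stable\nSHA256:\n {hashlib.sha256(pkgs).hexdigest()} {len(pkgs)} main/binary-amd64/Packages\n".encode()
    files = {"pool/main/f/foo_1.0_amd64.deb": deb + (b"tampered" if tamper else b""),
             "dists/stable/main/binary-amd64/Packages": pkgs, "dists/stable/Release": release}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Source packages are covered the same way by walking the Sources index, whose Checksums-Sha256 field lists the .dsc, .orig.tar and .debian.tar files.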