[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: kernel.org compromised



On Fri, 02 Sep 2011, Bastian Blank wrote:
> On Thu, Sep 01, 2011 at 06:05:01PM -0300, Henrique de Moraes Holschuh wrote:
> > Our kernels are not a problem.  The Debian mirror in mirrors.kernel.org,
> > on the other hand...  While the apt signature will protect users
> > downloading packages through the package manager, users that get binary
> > packages directly are not protected.
> 
> The connection is not authenticated, so it makes no difference if you
> get modified stuff or if it is modified in transit.

Yeah, yeah.  We've beaten that horse to death, and our side lost.  I also
advocate that all debs should be signed, but that was not the will of the
ftp-masters the last time the issue was up for discussion.

So what if data could also be changed on transit: that's still a lot less
likely than it being changed in-place on a compromised system, so it really
doesn't make the case for verifying the data in mirrors.k.o any weaker.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


Reply to: