Re: kernel.org compromised
On 2011-09-02, Henrique de Moraes Holschuh <email@example.com> wrote:
> On Fri, 02 Sep 2011, Bastian Blank wrote:
>> On Thu, Sep 01, 2011 at 06:05:01PM -0300, Henrique de Moraes Holschuh wrote:
>> > Our kernels are not a problem. The Debian mirror in mirrors.kernel.org,
>> > on the other hand... While the apt signature will protect users
>> > downloading packages through the package manager, users that get binary
>> > packages directly are not protected.
>> The connection is not authenticated, so it makes no difference if you
>> get modified stuff or if it is modified in transit.
> Yeah, yeah. We've beaten that horse to death, and our side lost. I also
> advocate that all debs should be signed, but that was not the will of the
> ftp-masters the last time the issue was up for discussion.
And we should get the archive signing key into a HSM.
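The apt chain mentioned above, as an added example that is not part of this thread: a .deb fetched directly from a mirror can still be checked against the same Release -> Packages -> package hash chain that apt walks. This assumes the Release/InRelease file's OpenPGP signature has already been verified with gpgv against the archive key; the index and package data below are constructed inline so it runs offline.

```python
import hashlib
import re

# Constructed sample data, not taken from any real mirror. The index entries are
# derived from the good package so the example runs offline; in practice they come
# from the mirror after the Release file's signature has been checked with gpgv.
DEB_PATH = "pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb"
DEB_BYTES = b"!<arch>\ndebian-binary (constructed placeholder .deb contents)\n"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES_TEXT = (
    f"Package: example-pkg\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "Description: constructed sample\n continuation line, not a field\n\n"
)
RELEASE_TEXT = (
    "Suite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_TEXT.encode()).hexdigest()} "
    f"{len(PACKAGES_TEXT.encode())} {PACKAGES_PATH}\n"
)


def parse_release_sha256(release_text):
    """Map path -> (sha256, size) from the SHA256: section of a Release file."""
    section = release_text.split("SHA256:\n", 1)[1] if "SHA256:\n" in release_text else ""
    entries = {}
    for line in section.splitlines():
        if not line.startswith(" "):
            break  # next top-level field ends the section
        digest, size, path = line.split()
        entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Map Filename -> (SHA256, Size) from a Packages index (one stanza per package)."""
    index = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if "Filename" in fields and "SHA256" in fields:
            index[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return index


def matches(data, digest, size):
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_deb(release_text, packages_path, packages_text, deb_path, deb_bytes):
    """Walk the chain Release -> Packages -> .deb; True only when every link matches."""
    release = parse_release_sha256(release_text)
    if packages_path not in release or not matches(packages_text.encode(), *release[packages_path]):
        return False
    index = parse_packages(packages_text)
    return deb_path in index and matches(deb_bytes, *index[deb_path])
```

A package that is not listed in the signed index, or whose size or SHA256 differs from the listed value, fails the check regardless of whether it was altered on the mirror or in transit.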