[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: kernel.org compromised

On 2011-09-02, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> On Fri, 02 Sep 2011, Bastian Blank wrote:
>> On Thu, Sep 01, 2011 at 06:05:01PM -0300, Henrique de Moraes Holschuh wrote:
>> > Our kernels are not a problem.  The Debian mirror in mirrors.kernel.org,
>> > on the other hand...  While the apt signature will protect users
>> > downloading packages through the package manager, users that get binary
>> > packages directly are not protected.
>> The connection is not authenticated, so it makes no difference if you
>> get modified stuff or if it is modified in transit.
> Yeah, yeah.  We've beaten that horse to death, and our side lost.  I also
> advocate that all debs should be signed, but that was not the will of the
> ftp-masters the last time the issue was up for discussion.

And we should get the archive signing key into a HSM.

Kind regards
Philipp Kern
Reply to: