
Re: transferring files between *.debian.org hosts (was: people.debian.org to move to ravel)

On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:
> This education could be done in two steps: first, create a policy and
> link to it from debian-devel-announce; second, make this required
> reading for the NM procedure (similar to the 'DMUP' and 'SC/DFSG'
> questions that NMs need to agree to in a signed mail). In the case of
> Debian, I think it's fair to assume people do not want security
> breaches, which may or may not be the case for other organizations.

Hi all,

I think that it is an excellent idea. A few years ago I had a passwordless
SSH key on Alioth. I shamefully realised my mistake (and hereby deeply
apologise to the admins), but now feel very scared about operations on
the Debian network: am I making other mistakes like this by ignorance?
During the recent discussion about DSA and RSA keys I realised that
things that were obvious to some are not obvious to me (for instance,
that DSA keys should not be used. I only saw this recommendation in
Debian. There is no such rule at my workplace, where SSH
authentication on our workstations is mandatory).

I really agree with Wouter that a simple policy ruling how not to make
beginner's mistakes with one's SSH and GPG key, how not to get one's own
home Debian server hacked (1),… would be a great enhancement to Debian's
security. For the reasons given above, I cannot propose myself to
write it ;)

(1) I have always been wondering about the following:
  - a malicious person gets the list of all DDs,
  - identifies those who have a home Debian server,
  - selects those who are in a distant timezone or on vacation,
  - patiently waits until a DSA for a grave issue is issued,
  - gets control of some machines in the interval between DSA publication
    and cron installation of the security updates,
  - exploits this position to do really bad things afterwards.

Have a nice day,

Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan
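As an added example (not part of Charles's mail, nor any Debian or OpenSSH tooling), a small POSIX shell checker for the two key-hygiene mistakes mentioned above, a DSA key and a private key saved without a passphrase. It inspects only the file header, so it runs without ssh-keygen; the sample key files it writes are constructed stubs, not real keys.

```shell
#!/bin/sh
# Added example, not from the mail: classify an SSH private key file by the two
# mistakes named above (a DSA key, a key with no passphrase) from its header only,
# so it runs without ssh-keygen. Prints one of: dsa, unencrypted, encrypted, unknown.

# Base64 of "openssh-key-v1\0" + cipher "none" + kdf "none" + empty kdf options
# + one key: every new-format (-----BEGIN OPENSSH PRIVATE KEY-----) file that was
# saved without a passphrase starts its body with exactly this string.
OPENSSH_PLAIN_PREFIX='b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB'

audit_ssh_key() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN DSA PRIVATE KEY-----') echo dsa ;;          # legacy PEM DSA key
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # New format: the cipher name sits in the first body line (line 2).
            # (New-format DSA keys are not told apart here; only the passphrase is checked.)
            if sed -n 2p "$1" | grep -q "^$OPENSSH_PLAIN_PREFIX"; then echo unencrypted
            else echo encrypted; fi ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            # Legacy PEM: passphrase-protected keys carry a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
            else echo unencrypted; fi ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted ;;   # PKCS#8, encrypted
        '-----BEGIN PRIVATE KEY-----') echo unencrypted ;;           # PKCS#8, plain
        *) echo unknown ;;
    esac
}

# Audit every private key in a directory (skips .pub files); default ~/.ssh.
audit_dir() {
    for k in "$1"/id_*; do
        [ -f "$k" ] || continue
        case "$k" in *.pub) continue ;; esac
        printf '%s: %s\n' "$k" "$(audit_ssh_key "$k")"
    done
}

# Constructed sample files (headers plus filler, NOT real keys) for an offline run.
write_samples() {
    d="$1"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'AAAA' '-----END DSA PRIVATE KEY-----' > "$d/id_dsa"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_plain"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_enc"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' "${OPENSSH_PLAIN_PREFIX}AAAA" \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519_plain"
}

audit_dir "${1:-$HOME/.ssh}"
```

Any key reported as `dsa` or `unencrypted` is one to replace (or re-save with `ssh-keygen -p`) before it is used against Debian hosts.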
