Hi Simon,
This one time, simon+debian-security@josefsson.org wrote:
> I am a bit worried about the ssh advisories, not the actual package
> itself (well, that too) but the way it was handled -- the openssh team
> issued new versions of a package and a security advisory asking
> everyone to update to the new package, Debian and others jumped on it
> and sent the new version out. The possibility of distributing a wide
> scale worm or virus using this approach is obvious.
Always, always, check the digital signature. I don't think that
Theo and co. would want to distribute a worm in this way. This
would defeat their purpose for existence in the UNIX security
world.
I agree though... it's really poorly handled.
I really hope that's what the deb packagers do before creating
the package.
Speaking of which...
<soapbox>
When is Debian going to implement SHA-1 checksums or gpg sigs
into the apt-get, dpkg, and the debs before installing? This
just trusting the deb source is really scary...
</soapbox>
> violating the social contract as well. If the social contract was
> followed, there wouldn't be security advisories based on information
> that the community cannot verify (in this case, I understand that not
> even the security officers could verify if the ssh package was
> vulnerable or not?). Only when someone points at the code that is
> bad, in public, and it is agreed that it is bad, only then should a
> security update be made.
Wow, this and Apache all in a matter of weeks ;-).
*sigh* I agree, especially since any monkey can go and audit the
source themselves.
> One (somewhat costly) way to solve this would be to have two kinds of
> security updates. One is made early and with information not
> available to the community, the other is made only when the community
> can verify security bugs. Users can decide which one they want to
> trust.
I would say use one or the other, but not both. This is something
the security community should decide, not the users. You'll confuse
the poor folks ;)
> Anyone share my concerns? </troll ;-)>
*raises hand*
Both the Apache and OpenSSH announcements were done poorly, without
any reasonable thought given to the user community.
They should be taken out and shot ;-) (IMHO).
-Anne
--
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research
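The "SHA-1 checksums or gpg sigs ... before installing" check that Anne asks for, as an added example that is not part of the thread and not Debian's, apt's or dpkg's code. It assumes a simplified Packages-style index (Filename/Size/SHA1 stanzas) whose detached signature has already been verified, and uses constructed stand-in .deb bytes rather than real archives.

```python
import hashlib

# Constructed stand-ins for a .deb served by a mirror and a tampered copy.
GOOD_DEB = b"!<arch>\ndebian-binary   constructed-openssh-demo\n"
TAMPERED_DEB = b"!<arch>\ndebian-binary   constructed-openssh-demo-TROJAN\n"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed index (assumption: simplified Packages format). The checksum is
# derived from GOOD_DEB, so only the untampered archive can match it. The
# second stanza deliberately lacks a SHA1 field to show it must be refused.
PACKAGES_INDEX = (
    "Package: openssh-demo\n"
    "Version: 0.0-1\n"
    "Filename: pool/main/o/openssh-demo_0.0-1_i386.deb\n"
    f"Size: {len(GOOD_DEB)}\n"
    f"SHA1: {sha1_hex(GOOD_DEB)}\n"
    "\n"
    "Package: nosum-demo\n"
    "Filename: pool/main/n/nosum-demo_0.0-1_i386.deb\n"
    "Size: 0\n"
)


def parse_index(text: str) -> dict:
    """Map Filename -> {field: value} for each blank-line-separated stanza."""
    entries, stanza = {}, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes last stanza
        if not line.strip():
            if "Filename" in stanza:
                entries[stanza["Filename"]] = stanza
            stanza = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            stanza[key.strip()] = value.strip()
    return entries


def verify_deb(filename: str, data: bytes, index: dict) -> tuple:
    """Return (ok, reason); refuse anything the index cannot vouch for."""
    entry = index.get(filename)
    if entry is None:
        return False, "not listed in index"
    if "SHA1" not in entry:
        return False, "index entry carries no checksum"
    if int(entry.get("Size", -1)) != len(data):
        return False, "size mismatch"
    if entry["SHA1"].lower() != sha1_hex(data):
        return False, "SHA1 mismatch"
    return True, "ok"
```

Run `verify_deb(name, data, parse_index(PACKAGES_INDEX))` before handing the archive to dpkg; a trusted index only helps if the index itself was signature-checked first.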