
Re: Debian Security Mirror



Quoting David U. (davidu@everydns.net):

> Your point is well made, but what makes you trust a package from the regular
> mirrors any more?

Threat models to the official archive structure really need to be FAQed,
so that rehashes of this discussion can be less frequent.

ftp.debian.org is a single point of security failure.  If someone
compromises that site, then it and downstream mirrors are affected for n
hours, n to be determined experimentally.  If a downstream mirror is
compromised, packages available from it will presumably be contaminated
at least until the next rsync session.  If mirroring has been disabled,
longer.

Mechanisms available at the delivery end-point to compensate:  md5sums
on Release files, gpg-signed packages and debsigs (not yet fully
implemented; see prior discussions, this mailing list).

> And here's one method with potential: You check the signatures from
> security.debian.org and get the binaries from a mirror.  The signature
> can even include "approved" mirrors although the proof is in the
> binary so it doesn't really matter *where* it comes from.  If the
> hashes+signature match up then you're golden.

Sounds reasonable, at a first glance.

>> I have an honest face.  ;->
> 
> [Well since I pray to DJB before bed, I'd of course disagree. :-) ]

Far be it from me to claim your kink isn't OK.  ;->

(I hope and assume you're not calling me dishonest.)

-- 
Cheers,     "Learning Java has been a slow and tortuous process for me.  Every 
Rick Moen   few minutes, I start screaming 'No, you fools!' and have to go
rick@linuxmafia.com       read something from _Structure and Interpretation of
            Computer Programs_ to de-stress."   -- The Cube, www.forum3000.org
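The verification chain the thread describes (trust the signed Release from the security site, fetch the index and the binary from any mirror, and accept the package only if the hashes match all the way down) as an added example; this is not code from the original thread or from Debian's tools. It assumes the Release file's signature has already been checked against the archive key with gpg, and the .deb, Packages and Release contents below are constructed sample data.

```python
import hashlib

# Constructed sample data (not real Debian archive files): a fake .deb body and
# the Packages/Release metadata that would describe it in the archive.
DEB = b"!<arch>\nconstructed-hello-package-contents\n"
PACKAGES = (
    "Package: hello\nVersion: 2.1-1\nFilename: pool/main/h/hello/hello_2.1-1_i386.deb\n"
    f"Size: {len(DEB)}\nMD5sum: {hashlib.md5(DEB).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n"
)
PKG_PATH, PKG_BYTES = "main/binary-i386/Packages", PACKAGES.encode()
RELEASE = (  # assumed already verified against the archive signing key
    "Origin: Debian\nSuite: stable\nMD5Sum:\n"
    f" {hashlib.md5(PKG_BYTES).hexdigest()} {len(PKG_BYTES)} {PKG_PATH}\n"
    f"SHA256:\n {hashlib.sha256(PKG_BYTES).hexdigest()} {len(PKG_BYTES)} {PKG_PATH}\n"
)

def parse_release(text):
    """Map each hash section of a Release file to {path: (hexdigest, size)}."""
    sections, current = {}, None
    for line in text.splitlines():
        if line in ("MD5Sum:", "SHA256:"):
            current = sections.setdefault(line[:-1], {})
        elif current is not None and line.startswith(" "):
            digest, size, path = line.split()
            current[path] = (digest, int(size))
        else:
            current = None  # any other header ends the hash section
    return sections

def digest_matches(data, algo, expected_hex, expected_size):
    # Size check first: cheap rejection of most corrupted or swapped files.
    return len(data) == expected_size and hashlib.new(algo, data).hexdigest() == expected_hex

def verify_package(release_text, packages_path, packages_bytes, deb_bytes):
    """Walk Release -> Packages -> .deb with the strongest hash the archive offers."""
    sections = parse_release(release_text)
    for algo, name in (("SHA256", "sha256"), ("MD5Sum", "md5")):
        if packages_path in sections.get(algo, {}):
            hexdigest, size = sections[algo][packages_path]
            if not digest_matches(packages_bytes, name, hexdigest, size):
                return False  # index served by the mirror was tampered with
            break
    else:
        return False  # the trusted Release does not vouch for this index at all
    # Single-stanza index for the demonstration; a real one holds many stanzas.
    stanza = dict(l.split(": ", 1) for l in packages_bytes.decode().splitlines())
    for field, name in (("SHA256", "sha256"), ("MD5sum", "md5")):
        if field in stanza:
            return digest_matches(deb_bytes, name, stanza[field], int(stanza["Size"]))
    return False
```

Which host delivered the bytes never enters the check: a mirror that alters the .deb or the Packages index fails, and an index the signed Release does not list is rejected outright.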
