
Re: Debian Security Mirror

Quoting David U. (davidu@everydns.net):

> Your point is well made, but what makes you trust a package from the regular
> mirrors any more?

Threat models to the official archive structure really need to be FAQed,
so that rehashes of this discussion can be less frequent.

ftp.debian.org is a single point of security failure.  If someone
compromises that site, then it and downstream mirrors are affected for n
hours, n to be determined experimentally.  If a downstream mirror is
compromised, packages available from it will presumably be contaminated
at least until the next rsync session.  If mirroring has been disabled,

Mechanisms available at the delivery end-point to compensate:  md5sums
on Release files, gpg-signed packages and debsigs (not yet fully
implemented; see prior discussions, this mailing list).

> And here's one method with potential: You check the signatures from
> security.debian.org and get the binaries from a mirror.  The signature
> can even include "approved" mirrors although the proof is in the
> binary so it doesn't really matter *where* it comes from.  If the
> hashes+signature match up then you're golden.

Sounds reasonable, at a first glance.

>> I have an honest face.  ;->
> [Well since I pray to DJB before bed, I'd of course disagree. :-) ]

Far be it from me to claim your kink isn't OK.  ;->

(I hope and assume you're not calling me dishonest.)

Cheers,     "Learning Java has been a slow and tortuous process for me.  Every 
Rick Moen   few minutes, I start screaming 'No, you fools!' and have to go
rick@linuxmafia.com       read something from _Structure and Interpretation of
            Computer Programs_ to de-stress."   -- The Cube, www.forum3000.org
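An added example, not from this thread, of the hash chain that the mechanisms above rely on: the archive key signs the Release file, the Release file lists hashes of the Packages indexes, and each Packages stanza lists the hash of its .deb, so a binary fetched from any mirror can be checked back to the signed metadata. It assumes the signature on Release has already been verified with gpg, uses SHA256 rather than the md5sums mentioned above, and builds a small constructed archive inline so it runs offline.

```python
import hashlib
import re


def parse_release_hashes(release_text, algo="SHA256"):
    """Return {path: (hexdigest, size)} from the `SHA256:` section of a Release file.
    Entries under the section look like: ' <hex> <size> <relative path>'."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a top-level field starts or ends a section
            in_section = line.rstrip(":") == algo
            continue
        if in_section:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def parse_packages(packages_text):
    """Yield one {field: value} dict per blank-line separated stanza of a Packages index."""
    for stanza in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        yield fields


def sha256_ok(data, expected_hex, expected_size):
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_hex


def verify_deb(release_text, packages_path, packages_bytes, deb_bytes, package_name):
    """Verify (already signature-checked) Release -> Packages index -> .deb.
    Any mismatch anywhere in the chain rejects the binary, wherever it was mirrored from."""
    entry = parse_release_hashes(release_text).get(packages_path)
    if entry is None or not sha256_ok(packages_bytes, *entry):
        return False
    for stanza in parse_packages(packages_bytes.decode()):
        if stanza.get("Package") == package_name:
            return sha256_ok(deb_bytes, stanza["SHA256"], int(stanza["Size"]))
    return False


def build_sample_archive(deb_bytes):
    """Constructed archive side (hypothetical package name): a Packages stanza and a
    Release file that describe deb_bytes, standing in for what the archive key signs."""
    packages = ("Package: example-pkg\nVersion: 1.0-1\n"
                "Filename: pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb\n"
                f"Size: {len(deb_bytes)}\nSHA256: {hashlib.sha256(deb_bytes).hexdigest()}\n").encode()
    release = ("Origin: Debian\nSuite: stable\nSHA256:\n"
               f" {hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-amd64/Packages\n")
    return release, packages
```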