Re: Debian Security Mirror
Quoting David U. (email@example.com):
> Your point is well made, but what makes you trust a package from the regular
> mirrors any more?
Threat models to the official archive structure really need to be FAQed,
so that rehashes of this discussion can be less frequent.
ftp.debian.org is a single point of security failure. If someone
compromises that site, then it and downstream mirrors are affected for n
hours, n to be determined experimentally. If a downstream mirror is
compromised, packages available from it will presumably be contaminated
at least until the next rsync session. If mirroring has been disabled,
Mechanisms available at the delivery end-point to compensate: md5sums
on Release files, gpg-signed packages and debsigs (not yet fully
implemented; see prior discussions, this mailing list).
> And here's one method with potential: You check the signatures from
> security.debian.org and get the binaries from a mirror. The signature
> can even include "approved" mirrors although the proof is in the
> binary so it doesn't really matter *where* it comes from. If the
> hashes+signature match up then you're golden.
Sounds reasonable, at a first glance.
>> I have an honest face. ;->
> [Well since I pray to DJB before bed, I'd of course disagree. :-) ]
Far be it from me to claim your kink isn't OK. ;->
(I hope and assume you're not calling me dishonest.)
Cheers,
Rick Moen
firstname.lastname@example.org

"Learning Java has been a slow and tortuous process for me. Every
few minutes, I start screaming 'No, you fools!' and have to go
read something from _Structure and Interpretation of
Computer Programs_ to de-stress." -- The Cube, www.forum3000.org
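The method quoted in the message above (take the signed hashes from a trusted source, fetch the files from any mirror), as an added example that is not part of the original thread. It assumes the Release file's GPG signature has already been verified separately (for example with gpgv), uses the SHA256 field rather than the md5sums mentioned in the message, and all file contents and paths are constructed.

```python
import hashlib
import hmac


def parse_release_hashes(release_text, field="SHA256"):
    """Return {path: (hex_digest, size)} from one checksum field of a Release file."""
    entries, in_field = {}, False
    for line in release_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            # Entry lines are indented: "<hex digest> <size> <relative path>"
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        else:
            in_field = False  # any unindented line ends the section
    return entries


def verify_from_mirror(path, data, trusted):
    """Check bytes fetched from an untrusted mirror against the trusted index."""
    if path not in trusted:
        return "unlisted"  # the signed index never vouched for this file
    digest, size = trusted[path]
    if len(data) != size:
        return "size-mismatch"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, digest) else "hash-mismatch"


# Constructed sample data: a stand-in index file and a Release file listing it.
SAMPLE_PATH = "main/binary-i386/Packages"
SAMPLE_INDEX = b"Package: example\nVersion: 1.0-1\n"
SAMPLE_RELEASE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    " %s %d %s\n" % (hashlib.sha256(SAMPLE_INDEX).hexdigest(),
                     len(SAMPLE_INDEX), SAMPLE_PATH)
)

if __name__ == "__main__":
    trusted = parse_release_hashes(SAMPLE_RELEASE)
    tampered = SAMPLE_INDEX.replace(b"1.0-1", b"1.0-2")  # same length, new bytes
    print(verify_from_mirror(SAMPLE_PATH, SAMPLE_INDEX, trusted))
    print(verify_from_mirror(SAMPLE_PATH, tampered, trusted))
```

The same check extends one level down: the verified Packages index carries the per-package hashes, so a .deb fetched from any mirror can be checked the same way.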