Re: ftp.gnu.org cracked
[ Moving to debian-security ]
On Mon, Aug 18, 2003 at 12:35:44PM +1000, Russell Coker wrote:
> On Mon, 18 Aug 2003 12:51, Robert Millan wrote:
> > 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
> > the March-July period, and most of GNU packages have their corresponding
> > packages in the Debian archive. It is clear there's a risk that the Debian
> > archive could have been compromised.
> The current evidence suggests that this has not happened. However, there is a
> risk of a trojan having been put in an application that has new versions
> released often, which resulted in the trojaned version being over-written in
> the normal course of operations. Also there is the possibility that a
> trojaned version was put online and then the original was restored by the
> attacker; I think that this is unlikely, as restoring the original version
> would probably be more likely to get them caught.
Then the question is, how are we going to cope with that risk? The minimal
action that comes to my mind is an alert in -devel-announce, any other
> > What do you suggest to do? First, can this discussion be disclosed? (e.g.
> > into debian-security). Then how can we deal with these two problems? Would
> > an alert message to -devel-announce suffice?
> The hack of the GNU server is no secret, and neither is our reliance on GNU
> software. I think that anyone who knows anything about Debian can work out
> the issues for themselves. Therefore trying to keep this secret gains us
> nothing and only gives a risk of more concern. I suggest publicising
OK. Moved this thread to debian-security.
"[..] but the delight and pride of Aule is in the deed of making, and in the
thing made, and neither in possession nor in his own mastery; wherefore he
gives and hoards not, and is free from care, passing ever on to some new work."
-- J.R.R.T, Ainulindale (Silmarillion)