Re: Bad press again...

To: debian-security@lists.debian.org
Subject: Re: Bad press again...
From: Rudolf Lohner <Rudolf.Lohner@rz.uni-karlsruhe.de>
Date: Sat, 27 Aug 2005 16:51:22 +0200
Message-id: <[🔎] 200508271651.22957.Rudolf.Lohner@rz.uni-karlsruhe.de>
In-reply-to: <[🔎] 20050827134438.GA25883@cirrus.madduck.net>
References: <[🔎] Pine.LNX.3.96.1050825141607.14907B-100000@Maggie.Linux-Consulting.com> <[🔎] 20050827134020.GA1339@khazad-dum.debian.net> <[🔎] 20050827134438.GA25883@cirrus.madduck.net>

Am Samstag, 27. August 2005 15:44 schrieb martin f krafft:
> No. Imagine exim gets a root exploit and I spoof the DNS to some
> mirror of s.d.o. That mirror will be consistent wrt secure APT, but
> it won't get updates, so admins who don't follow DSAs and run
> apt-get upgrade consciously and carefully are going to be left in
> the naive belief that they are safe because s.d.o doesn't have any
> new stuff.

This scenario could be avoided if s.d.o would authenticate itself.
Is authentication of the server something which has been considered
with secure apt? Even if you mirror all of s.d.o you still do not
have it's certificates.

-- 
Rudolf Lohner  -  Universitaet Karlsruhe (TH)
Rechenzentrum,  Zirkel 2,   D-76128 Karlsruhe
Phone: +49-721-608-6958,   Fax: +49-721-32550
E-Mail:     Rudolf.Lohner@rz.uni-karlsruhe.de
http://www.rz.uni-karlsruhe.de/~Rudolf.Lohner

Reply to:

Follow-Ups:
- Re: Bad press again...
  - From: martin f krafft <madduck@debian.org>

References:
- Re: Bad press again...
  - From: Alvin Oga <aoga@mail.Linux-Consulting.com>
- Re: Bad press again...
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Bad press again...
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: Bad press again...
Next by Date: Re: Bad press again...
Previous by thread: Re: Bad press again...
Next by thread: Re: Bad press again...
Index(es):
- Date
- Thread