[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bad press again...

Hi martin!

On Sat, 27 Aug 2005, martin f krafft wrote:

> also sprach Henrique de Moraes Holschuh <hmh@debian.org> [2005.08.27.1540 +0200]:
> > > security.debian.org already is a Single Point of Ownership.  I don't
> > > think we need multiple ones, so this is definitely a post-etch thing.
> > 
> > Irrelevant if secure apt is deployed correctly.
> 
> No. Imagine exim gets a root exploit and I spoof the DNS to some

Yes. Deployed correctly means you require time stamping, and you check it
for undue values. Anyone who can connect to mirrors can connect to SNTP
servers, so "what aboud people with bad clocks" doesn't hold as an excuse.

No, apt does not have all this functionality yet, but it is not difficult to
add it for etch.

For this to work, you need a master s.d.o mirror, and automatic signing (so
that you can keep the timestamping as low as a few hours).  This gives you a
mirror network, with the same single "owning" point of failure we have right
now.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Reply to: