
Re: Compromising Debian Repositories



intrigeri wrote:

> Does anyone involved plan to work on improving things, and then we're
> discussing where it would be best to focus their energy?

Yes, kick Kurt Roeckx from his admin privileges to start. It's the easiest, most basic thing you can do. Zero tolerance for crippling software like he did, and it should go for everyone, lest you want another scandal. He still maintains the critical package that he was either threatened or paid - probably the latter - to cripple the entropy on by the NSA, and they've had a war on randomness for a long time now. It should have been done in 2008 when it was discovered after 3 years (that long? perhaps other heads should roll too). Don't let him resign, just remove his auth and leave his collected things in a box by the door. And not just for OpenSSL, he contributes to ntp as well. Banish them; there's a line of talented, good people who are in line to replace them.


On Mon, Aug 5, 2013 at 4:17 AM, intrigeri <intrigeri@debian.org> wrote:
Hi,

I need a reality check, as it's unclear to me what are the goals of
this discussion.

Does anyone involved plan to work on improving things, and then we're
discussing where it would be best to focus their energy? If that's the
case, then I suggest we try to design solutions with baby steps that
can realistically be implemented on the short term.

Or is the goal simply to assess the security of our current
infrastructure in various threat models? If that's the case, then how
about clearly writing these threat models so that we can then reason
on the same basis?

Or is the goal something entirely different that I missed?

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Archive: http://lists.debian.org/85k3k0tuv2.fsf@boum.org