[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: concrete steps for improving apt downloading security and privacy



Thanks, but if you will notice, I have that link already listed at the bottom of my message.

Also, you should not respond directly to people unless they specifically ask you to do so. I did not ask.


On Wed, Jul 9, 2014 at 11:52 PM, Reid Sutherland <reid@vianet.ca> wrote:
https://www.debian.org/

Go to CD ISO Images, then Verify.



On Jul 10, 2014, at 12:24 AM, Kitty Cat <realizar.la.paz@gmail.com> wrote:

> Thanks.
>
> I'm new here. I was not on this list then. However, I just read the thread:
>
> https://lists.debian.org/debian-security/2011/01/msg00002.html
>
> I saw that some of my concerns were mentioned there about obtaining and verifying installation media, MITM attacks, etc.
>
> I have previously verified installation media via the methods described in the FAQ, downloading GPG keys, etc. and still
> had an issue of having aptitude telling me that all available packages are from untrusted sources. (This was some years
> ago when I had this issue)
>
> I seem to remember being offered security updates for the kernel, OpenSSL, SSH, etc. where my only option was to download
> untrusted packages. I would get warning messages from aptitude about installing security updates.
>
> Maybe there should be written a document that describes in detail in easy to understand language what steps to take to
> verify keys and verify that apt has not been compromised in an already installed system. And also verifying that GPG has not
> been compromised.
>
> It is the job of the NSA to be able to compromise systems. We should make that task as difficult as possible at every level
> and also be able to easily verify that our system has not been corrupted.
>
> I think having a good guide to checking your installed Debian system would be of use. Particularly useful would be instructions
> to check to see if your system has been compromised by validating all already installed packages. MS Windows has an option
> to check installed Windows components.
>
>
> Some relevant links that I have previously discovered:
>
> https://wiki.debian.org/Keysigning
> https://wiki.debian.org/Keysigning/Coordination
> http://www.debian.org/CD/verify
> http://www.debian.org/CD/faq/#verify
>
>
> On Wed, Jul 9, 2014 at 8:11 PM, Michael Stone <mstone@debian.org> wrote:
> On Wed, Jul 09, 2014 at 06:29:09PM -0600, Kitty Cat wrote:
> For years I have been concerned with MITM attacks on Debian mirrors.
>
> We discussed this literally within the past couple of months on this list, at length. Have you read the archives, including the posts about how to establish a trust path to the ISOs?
>
> Mike Stone
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: 20140710021124.GA27544@mathom.us" target="_blank">https://lists.debian.org/20140710021124.GA27544@mathom.us
>
>



Reply to: