Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)
On Fri, Nov 28, 2003 at 04:14:19AM -0800, Karsten M. Self wrote:
> I'll disagree with Martin's comment that the server compromise didn't
> constitute a security issue despite the lack of an archive compromise.
> For someone well versed in Debian procedures, it might have been
> plausible that the archives themselves weren't compromised. For a
> typical user, I don't think this was the case. For the typical user's
> management or clients, it's very likely _not_ the case, and a timely
> positive statement of status would be very, very helpful.
>
> Security affecting Debian servers _potentially_ affects Debian packages.
> As it was, I cleared my locale package cache and stopped updates on
> hearing about the compromise. It wasn't for another few hours that I
> was aware that the archive was reportedly _not_ compromised.
>
> In the absense of any information, the security status of Debian project
> packages in the event of a known or rumored server compromise is at best
> unknown.
It wasn't clear to me that the packages that I had downloaded were
safe, and it even wasn't clear after reading that the archives were
safe. I suggest some phrase like "packages in the debian archive" or
just "debian packages."
The reason is that "archive" usually means something covering
(ancient) history. I initially thought it referred to the mailing
list archives. If I'd thought harder, I might have thought it
referred to past debian packages (which I think are provided via
snapshot.debian.org?? I've never used them).
Perhaps I should have known better, but since the confusion seems
pretty easy, and pretty easy to fix, I suggest fixing it if we should
ever have such an unfortunate incident again.
Thanks to all those who worked so hard to detect, and then correct,
this problem.
Ross Boylan
Reply to: