
Re: Debian virus/spy-ware detection and detection technique.



On Mon, Jul 26, 2010 at 08:34:23PM +0700, Sthu Deus wrote:
> Thank You for Your time and answer, Rob:
> 
> > That's about as official
> > as you can get without a Debian release manager being in charge of
> > it, I guess.
> 
> What difference does it make in the sense of security?
> 
I've had a busy week.  I think we were talking about Live images of
Debian Testing, right?

These images are made periodically.  I don't know if any particular
schedule is followed.  Security updates can be added via aptitude if you
use "persistence".  Persistence lets you save changes to your live
system to a USB stick, for instance.  (In fact, the whole live system
can run off of a USB stick instead of a CD).  

All this means that security updates are the same as for the normal Testing
distro.  Exactly what state that is in currently, I'm not sure.  There
is/was an official security team for Testing, but I know it had a rough
period recently.  I don't think timely security updates for Testing are
guaranteed right now, but I could be wrong.

One thing about the Debian Live systems is that the kernel cannot be
upgraded via apt-get or aptitude.  A new image has to be built in order
to get the latest kernel.

If you are asking about security in the sense of "can I trust these
images", I don't have a clear answer for you.  The author is a Debian
developer.  He has earned some degree of trust in order to get to that
position.  Do his live-helper packages receive scrutiny from the Debian
team before being admitted into the repositories -- scrutiny that his
Live images do not receive because they aren't released through official
Debian channels?  I don't know the answer to that.  If you are concerned
about that, though, you can build your own images using the live-helper
package on your Debian system.  You can even use a Lenny system to build
a Squeeze image if you want.

I know there have been some comments in another thread that you are
being too paranoid.  I get what you're after, though.  GPG calls it
web of trust.  If you can't personally verify that something/somebody is
trustworthy, maybe you can find somebody you trust who can verify for
you.  

I hesitate to profess trust for things that I haven't personally
verified.  I've used a premade Live image before, and nothing bad
happened, but I won't tell you that it is safe because I really don't
know that for sure.  I believe it, but I don't know it.  

"Trust me" is a phrase best left in the closed source world, in my
opinion.

-Rob
