
Re: Warning Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System



Hi,

Nicolas George wrote:
> Signing a bunch of hashes is a beginner's mistake,

You have unsurpassable objections against variants which might not
much weaken the strength of PGP?
Not even willing to consider the constraints of such variants?

I assume this was discussed among DDs and they weighed their options.


> I rely on Debian packagers to be on the watch.

Despite leading developers making "beginner's mistakes"?

Well, Debian allows me to package my own upstream.
My sponsor looks at the Debian specific aspects of packaging,
not at my source code. (Dominique, please correct me if I'm wrong.)

There are dozens of package updates every day. Have a look at the
"Needs-Build" list of the SH4 ghost fleet:
  https://buildd.debian.org/status/architecture.php?a=sh4&suite=sid
(Yamato and Tirpitz are on cruise, currently. Huso is stuck in pack ice.
 First tries of packages with known short build times seem to be
 preferred. libburn passes after only a few hours.)

Given how hard it is to find a dedicated DD or DM for new
upstream packages, I cannot imagine that many such packages get a
special security audit by Debian.
Look at the archives of the debian-mentors mailing list. The heroes there
criticise many oddities and software release sins. But in the 5 months
I have been watching, I saw not a single objection because of upstream
source code flaws. (And there are many, I am sure. Just count mine.)


> I blame you for giving advice without knowing the problem.

Please google "fdupes".


> Ever heard of cache?

200 GB? I only have 16 GB RAM.


> > (The polynomials should at least not be multiples of each other.)

> The polynomials must be irreducible to yield a correct CRC32.
> That rules out them being multiples of each other.

So you found a widening of my "at least".
(May I criticise in reply the fuzziness of the term "correct"?)


> If the files are large, I would suggest to use a sparse hash function,

Does this advice count as a pot-kettle-black incident?
After all you make assumptions about the files' content similarities
or the lack thereof.


Have a nice day :)

Thomas
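The exchange above argues about fdupes-style duplicate detection and whether a "sparse" hash (hashing only a few sampled blocks of a large file) is safe to rely on. The following is an added example, not code from the original thread, from fdupes, or from either correspondent: it implements the usual size-then-hash pipeline with a sparse prefilter and a full hash to confirm, and constructs three temporary files to show the caveat Thomas raises. The function names, the block size, and the sampling scheme are this example's own assumptions.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # assumption: sample block size used by the sparse hash


def sparse_hash(path, block=BLOCK, samples=3):
    """Hash the file size plus `samples` evenly spaced blocks.

    Fast on large files, but two files that differ only in an unsampled
    region produce the same sparse hash, so it is only a prefilter.
    """
    size = os.path.getsize(path)
    h = hashlib.sha256(str(size).encode())
    with open(path, "rb") as f:
        if size <= block * samples:
            h.update(f.read())  # small file: hash it whole
        else:
            for i in range(samples):
                f.seek((size - block) * i // (samples - 1))
                h.update(f.read(block))
    return h.hexdigest()


def full_hash(path, block=BLOCK):
    """Hash the whole file in streaming fashion (no need to cache it in RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(paths):
    """Group by size, then by sparse hash, then confirm with a full hash.

    Only groups that survive the full hash are reported as duplicates.
    """
    by_size = {}
    for p in paths:
        by_size.setdefault(os.path.getsize(p), []).append(p)
    groups = []
    for same_size in by_size.values():
        if len(same_size) < 2:
            continue
        by_sparse = {}
        for p in same_size:
            by_sparse.setdefault(sparse_hash(p), []).append(p)
        for candidates in by_sparse.values():
            if len(candidates) < 2:
                continue
            by_full = {}
            for p in candidates:
                by_full.setdefault(full_hash(p), []).append(p)
            groups.extend(g for g in by_full.values() if len(g) > 1)
    return groups


def demo():
    """Constructed data: two identical files and one that differs only in a
    region the sparse hash never reads. Returns
    (sparse_hashes_collide, full_hashes_differ, duplicate_groups_by_name)."""
    with tempfile.TemporaryDirectory() as d:
        base = bytes(range(256)) * 400  # 102400 bytes, larger than 3 blocks
        tampered = bytearray(base)
        tampered[20000] ^= 0xFF  # lies between the first and second sample
        paths = []
        for name, data in (("a.bin", base), ("b.bin", base), ("c.bin", bytes(tampered))):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        a, _, c = paths
        collide = sparse_hash(a) == sparse_hash(c)
        differ = full_hash(a) != full_hash(c)
        groups = [[os.path.basename(p) for p in g] for g in find_duplicates(paths)]
        return collide, differ, groups


if __name__ == "__main__":
    print(demo())
```

The sparse hash puts a.bin and c.bin in the same candidate bucket, which is exactly the assumption about content similarity Thomas objects to; the full-hash stage separates them again, so only a.bin and b.bin are reported as duplicates. Dropping that final stage would turn the prefilter into a false positive source.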

