Thanks.

I'm new here. I was not on this list then. However, I just read the thread:

https://lists.debian.org/debian-security/2011/01/msg00002.html

I saw that some of my concerns were mentioned there about obtaining and
verifying installation media, MITM attacks, etc.

I have previously verified installation media via the methods described in
the FAQ, downloading GPG keys, etc., and still had aptitude tell me that all
available packages were from untrusted sources. (This was some years ago.)

I seem to remember being offered security updates for the kernel, OpenSSL,
SSH, etc., where my only option was to download untrusted packages. I would
get warning messages from aptitude about installing security updates.

Maybe a document should be written that describes, in detail and in
easy-to-understand language, what steps to take to verify keys and to verify
that apt has not been compromised on an already installed system, and also
how to verify that GPG has not been compromised.

It is the job of the NSA to be able to compromise systems. We should make
that task as difficult as possible at every level
and also be able to easily verify that our system has not been corrupted.

I think having a good guide to checking your installed Debian system would
be of use. Particularly useful would be instructions for checking whether
your system has been compromised by validating all already-installed
packages. MS Windows has an option to check installed Windows components.


Some relevant links that I have previously discovered:

https://wiki.debian.org/Keysigning
https://wiki.debian.org/Keysigning/Coordination
http://www.debian.org/CD/verify
http://www.debian.org/CD/faq/#verify


On Wed, Jul 9, 2014 at 8:11 PM, Michael Stone <mst...@debian.org> wrote:

> On Wed, Jul 09, 2014 at 06:29:09PM -0600, Kitty Cat wrote:
>
>> For years I have been concerned with MITM attacks on Debian mirrors.
>>
>
> We discussed this literally within the past couple of months on this list,
> at length. Have you read the archives, including the posts about how to
> establish a trust path to the ISOs?
>
> Mike Stone
>
> Archive: https://lists.debian.org/20140710021124.ga27...@mathom.us

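The checks the message above asks for (a trust path from a pinned key fingerprint to the ISO, and a file-level check of what is already installed), written out as an added example. This is not code from the original thread or from Debian's own documentation. It assumes GnuPG, coreutils sha256sum and dpkg (optionally debsums) are installed; EXPECTED_FPR is a constructed placeholder that must be replaced with the Debian CD signing key fingerprint shown on https://www.debian.org/CD/verify, and the self-test fixtures (a fake ISO and fake gpg status output) are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread or from Debian's documentation.
#   check_validsig         - pin gpg's verdict to an expected key fingerprint
#   verify_sums_signature  - gpg --verify of SHA256SUMS.sign against an isolated keyring
#   check_iso_sum          - sha256 of the downloaded ISO against SHA256SUMS
#   verify_installed_files - compare installed files with the md5sums shipped in each .deb
#   selftest               - exercises the first and third with constructed fixtures
# EXPECTED_FPR is a CONSTRUCTED placeholder: replace it with the fingerprint
# printed on https://www.debian.org/CD/verify (and confirm it out of band).
set -u
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_validsig STATUS_FILE FPR
# Succeeds only if gpg's machine-readable status (--status-fd) holds a VALIDSIG
# line whose primary-key fingerprint (12th field) equals FPR. "Good signature"
# alone is not enough: gpg prints it for any key in the keyring, including one
# an attacker got you to import via --recv-keys, and user IDs are free text.
check_validsig() {
    status_file=$1
    want=$2
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($12) == toupper(want) { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$status_file"
}

# verify_sums_signature SUMS_FILE SIG_FILE KEYRING
# Verifies the detached signature against a keyring that holds ONLY the
# expected CD signing key (never the user's default keyring), then pins the
# result to EXPECTED_FPR instead of trusting gpg's "Good signature" text.
verify_sums_signature() {
    sums=$1; sig=$2; keyring=$3
    status=$(mktemp)
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --status-fd 3 --verify "$sig" "$sums" 3>"$status" >/dev/null 2>&1
    check_validsig "$status" "$EXPECTED_FPR"
    rc=$?
    rm -f "$status"
    return $rc
}

# check_iso_sum SUMS_FILE ISO
# Feeds only the SHA256SUMS line for ISO to sha256sum -c, from the ISO's own
# directory; a file with no matching entry fails instead of silently passing.
check_iso_sum() {
    sums=$1; iso=$2
    name=$(basename "$iso")
    line=$(awk -v f="$name" '$2 == f || $2 == ("*" f)' "$sums")
    [ -n "$line" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    ( cd "$(dirname "$iso")" && printf '%s\n' "$line" | sha256sum -c --status - )
}

# verify_installed_files
# Compares every installed file against the md5sums shipped in its package.
# Caveat: this runs the dpkg (or debsums) already on the box, so it only
# catches tampering that left dpkg, its database and /var/lib/dpkg/info
# intact. For a suspected root compromise, boot verified media and run the
# same check against the mounted disk (debsums --root, or after chroot).
verify_installed_files() {
    if command -v debsums >/dev/null 2>&1; then
        debsums -c          # prints only changed files; no output means clean
    else
        dpkg --verify       # same idea, built into dpkg 1.17 and later
    fi
}

# selftest: constructed fixtures, no network and no real key. Returns 0 if
# the fingerprint pin and the checksum check each accept the good case and
# reject the bad one.
selftest() {
    dir=$(mktemp -d)
    printf 'not really an iso\n' > "$dir/debian-netinst.iso"
    ( cd "$dir" && sha256sum debian-netinst.iso > SHA256SUMS )
    # status gpg would emit for a good signature by the expected key
    printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n' \
        "$EXPECTED_FPR" "$EXPECTED_FPR" > "$dir/status.good"
    # status for a good signature by a different key carrying the same user ID
    other="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    { printf '[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Debian CD signing key <debian-cd@lists.debian.org>\n'
      printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n' "$other" "$other"
    } > "$dir/status.bad"
    rc=0
    check_validsig "$dir/status.good" "$EXPECTED_FPR" || rc=1
    check_validsig "$dir/status.bad"  "$EXPECTED_FPR" && rc=1
    check_iso_sum "$dir/SHA256SUMS" "$dir/debian-netinst.iso" || rc=1
    printf 'x' >> "$dir/debian-netinst.iso"      # tamper with the image
    check_iso_sum "$dir/SHA256SUMS" "$dir/debian-netinst.iso" && rc=1
    rm -rf "$dir"
    return $rc
}

selftest && echo "self-test passed"
```

Real use is verify_sums_signature SHA256SUMS SHA256SUMS.sign debian-cd.gpg followed by check_iso_sum SHA256SUMS debian-*.iso, where debian-cd.gpg holds only the CD signing key and the pinned fingerprint came from somewhere other than the mirror you downloaded from. The "untrusted sources" warning from aptitude that the message describes means apt could not verify the Release file against the keys in its trusted keyring; the answer is to reinstall debian-archive-keyring from verified media, not to import whatever key ID the warning names.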