On Fri, Sep 16, 2016 at 1:18 PM, Georgi Guninski <gunin...@guninski.com> wrote:
> Is Debian _still_ vulnerable to automatic updates, it used to be?:
> Debian's Firefox/iceweasel in a VM still give warnings about autoupdates of
> when started from terminal (otherwise they are not visible ;) )
Here's FreeBSD's take on the issue...
Never mind that they still don't have their release ISOs and everything
else fully reproducible and cryptographically traceable back to
their source repository, in part because their silly choice of repo (svn)
isn't capable of establishing cryptographic provenance over, and distribution
of, the source, so unlike signable trees git or monotone there's a big gaping
disconnect there. Though they are making good progress on reproducibility.
Oh, and OpenBSD still uses cvs for code authenticity, lol.
Don't mistake this to mean that Linux distroland and model is anything
close to secure either. It's probably much worse.
They claim signed / hashed ISOs and packages, and
server / filesystem / committer / sysadmin security / integrity
are backtraceable and sufficient. And that monotonically increasing
numeric commit revIDs and 'workflow' prevent using something like git.
I claim baloney.