Hi martin!

On Sat, 27 Aug 2005, martin f krafft wrote:
> also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2005.08.27.1540 +0200]:
> > > security.debian.org already is a Single Point of Ownership. I don't
> > > think we need multiple ones, so this is definitely a post-etch thing.
> >
> > Irrelevant if secure apt is deployed correctly.
>
> No. Imagine exim gets a root exploit and I spoof the DNS to some

Yes. Deployed correctly means you require time stamping, and you check it
for undue values. Anyone who can connect to mirrors can connect to SNTP
servers, so "what about people with bad clocks" doesn't hold as an excuse.

No, apt does not have all this functionality yet, but it is not difficult to
add it for etch.

For this to work, you need a master s.d.o mirror, and automatic signing (so
that you can keep the timestamping as low as a few hours). This gives you
a mirror network, with the same single "owning" point of failure we have
right now.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
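
An added example, not part of the original message and not apt's own code: the timestamp check described above, applied to the Date field of a Release file whose signature has already been verified. The 6-hour limit, the 5-minute clock tolerance, the function names and the sample text are assumptions, and the "went backwards" check goes slightly beyond what the message asks for.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_AGE = timedelta(hours=6)     # assumption: archive is re-signed every few hours
MAX_SKEW = timedelta(minutes=5)  # assumption: tolerated client clock error

# Constructed sample; a real client verifies the signature before reading it.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable
Date: Sat, 27 Aug 2005 12:00:00 UTC
"""

class UndueTimestamp(Exception):
    """The signed timestamp is missing, too old, in the future, or went backwards."""

def signed_date(release_text):
    """Extract the Date field from signature-verified Release text."""
    for line in release_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key == "Date":
            stamp = parsedate_to_datetime(value.strip())
            if stamp.tzinfo is None:       # no zone given: treat as UTC
                stamp = stamp.replace(tzinfo=timezone.utc)
            return stamp
    raise UndueTimestamp("no Date field in signed metadata")

def check_freshness(release_text, now, last_accepted=None):
    """Return the signed date if acceptable, else raise UndueTimestamp."""
    stamp = signed_date(release_text)
    if stamp > now + MAX_SKEW:
        raise UndueTimestamp(f"signed {stamp - now} in the future")
    if now - stamp > MAX_AGE:
        raise UndueTimestamp(f"signed {now - stamp} ago, limit is {MAX_AGE}")
    if last_accepted is not None and stamp < last_accepted:
        raise UndueTimestamp("older than metadata already accepted")
    return stamp

if __name__ == "__main__":
    utc = timezone.utc
    print(check_freshness(SAMPLE_RELEASE, datetime(2005, 8, 27, 14, 0, tzinfo=utc)))
    try:
        check_freshness(SAMPLE_RELEASE, datetime(2005, 8, 28, 12, 0, tzinfo=utc))
    except UndueTimestamp as err:
        print("rejected:", err)
```

A mirror that replays an old but validly signed Release file is rejected by the age check, provided the client clock is roughly right, which is where the SNTP remark comes in.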

