On Tue, Jun 09, 2009 at 03:23:42PM -0400, Daniel Kahn Gillmor wrote:
> however, most gnu/linux distributions do. If you want a centralized
> software aggregator who cryptographically signs off on packages at their
> own distribution step, you should install debian or ubuntu (i know they
> do this, through secure apt) or fedora or gentoo (i'm pretty sure they
> do). I can't speak for other distros.

For Gentoo, if you use the official rsync mirrors (rsync.gentoo.org) instead of the community mirrors (rsync$N.$CC.gentoo.org), you get one additional layer of protection, but I'd say that our overall signing rate isn't as high as I'd like it to be. It varies between 40-80% of packages as changes are made over time.
> The usual caveats apply, of course: trusting the distro is often the
> same as trusting the weakest link in the chain -- the most sloppy
> developer with commit privileges to the distro, or the most sloppy
> upstream developer, or the least-secured machinery in the chain between
> you and the original developer who wrote the code.

For many distributions, the mirrors are a severe weak point at the moment:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/

The replay is of note, because it does not require defeating a signature, but only sending old data to prospective attack targets instead of the latest version. The CCS2008 and ;login: February 2009 reports are the best ones to read. The status of the Gentoo signing plans is linked from there (disclaimer: I'm the driving force behind them).

--
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail : [email protected]
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
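The replay weakness Robin points to is that a mirror can serve a repository metadata file that is old but still carries a perfectly valid signature, so signature verification alone never notices. The defence is to check freshness as well: the metadata must not be past its expiry, and its version must never move backwards relative to what the client last accepted. The following is an added example, not code from this thread or from any distribution's package manager. It uses an HMAC as a stand-in for the GPG signature, borrows the Date and Valid-Until field names from apt's Release file format, and adds a constructed Serial field for rollback detection; the key, the sample files and the clock value are all constructed for the demonstration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed signing key standing in for a distribution's GPG key.
# The signature scheme does not matter for the point being made: a replayed
# file carries a *valid* signature, so the client must additionally check
# the freshness fields inside the signed body.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed "current time" for the demonstration.
NOW = datetime(2009, 6, 10, 12, 0, tzinfo=timezone.utc)


def sign(body: bytes) -> str:
    """Detached 'signature' over the metadata body (HMAC-SHA256 stand-in)."""
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()


def verify(body: bytes, sig: str) -> bool:
    """Constant-time comparison against a freshly computed signature."""
    return hmac.compare_digest(sign(body), sig)


def parse_release(body: bytes) -> dict:
    """Parse 'Key: value' lines (the simplified shape of an apt Release file)."""
    fields = {}
    for line in body.decode().splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_metadata(body: bytes, sig: str, now: datetime, last_seen_serial: int):
    """Return (accepted, reason).

    A valid signature is necessary but not sufficient: the file must also be
    within its validity window and its serial must not be lower than the one
    the client already accepted, otherwise a mirror can freeze or roll back
    the client by replaying an old, correctly signed file.
    """
    if not verify(body, sig):
        return False, "bad signature"
    fields = parse_release(body)
    try:
        valid_until = datetime.fromisoformat(fields["Valid-Until"])
        serial = int(fields["Serial"])
    except (KeyError, ValueError):
        return False, "missing or malformed freshness fields"
    if valid_until < now:
        return False, "expired metadata (possible replay/freeze attack)"
    if serial < last_seen_serial:
        return False, f"serial rollback {last_seen_serial} -> {serial}"
    return True, "fresh"


def make_release(serial: int, issued: datetime):
    """Build a constructed, signed metadata file valid for seven days."""
    body = (
        f"Origin: ExampleDistro\n"            # constructed origin name
        f"Serial: {serial}\n"                 # constructed monotonic counter
        f"Date: {issued.isoformat()}\n"
        f"Valid-Until: {(issued + timedelta(days=7)).isoformat()}\n"
    ).encode()
    return body, sign(body)


def demo() -> dict:
    """Fresh file vs. a replayed 30-day-old file; both signatures verify."""
    fresh_body, fresh_sig = make_release(1020, NOW - timedelta(days=1))
    stale_body, stale_sig = make_release(1000, NOW - timedelta(days=30))
    return {
        "fresh": check_metadata(fresh_body, fresh_sig, NOW, 1019),
        "replayed": check_metadata(stale_body, stale_sig, NOW, 1019),
        # The replayed file still passes signature verification on its own.
        "replayed_sig_ok": verify(stale_body, stale_sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the `replayed_sig_ok` entry is that the stale file is cryptographically sound; only the expiry and serial checks distinguish it from the current one. Real package managers that implement this (apt with `Valid-Until`, for example) depend on the client having a reasonably correct clock and on persisting the last accepted serial or date, so a freshness check needs both of those to be protected as well.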
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
