On Tue, Feb 20, 2007 at 05:53:15PM +0100, Kees Jongenburger wrote:
> On 2/20/07, Marius Gedminas <[EMAIL PROTECTED]> wrote:
> >On Tue, Feb 20, 2007 at 01:19:56PM +0100, Kees Jongenburger wrote:
> >> On 2/20/07, Marius Gedminas <[EMAIL PROTECTED]> wrote:
> >> >I wonder how many people install OpenSSH/Dropbear and then leave......
> >>
> >> I wonder how many people trust the openssh deb :p
> >
> >If you have reasons not to trust it, please elaborate.
>
> Hello Marius, I would feel more comfortable if I knew the
> package was built from on a maemo server.

It comes from repository.maemo.org.

> Nobody can really trust
> binary packages anyway. Not only that but we also need to trust the
> location where the openssh.install file is located. In this case
> http://mg.pov.lt/770/openssh.install and we need to hope that no other
> repository contains a forged openssh package. Enough reasons IMHO to
> say that the system is not very secure.

That's a good point, but it is not specific to OpenSSH. Any package you
install on your 770/N800 can add a backdoor.

The solution is package signing. Apt has infrastructure for that. The
application manager ignores missing signatures, I think. Also, how do
you decide whose keys to trust?

Marius Gedminas
--
BASIC: A programming language. Related to certain social diseases in
that those who have it will not admit it in polite company.
_______________________________________________
maemo-developers mailing list
maemo-developers@maemo.org
https://maemo.org/mailman/listinfo/maemo-developers
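
Added example, not part of the original thread and not code from maemo or apt: a small audit for the condition discussed above, where apt is configured to accept packages or repositories without a valid signature. It assumes the standard apt option names shown, handles only the flat `Name "value";` form of apt.conf (not nested `{ }` scopes), and runs on constructed sample files with placeholder example.org hosts.

```python
import re

# apt.conf options that let apt install from unsigned packages/repositories.
INSECURE_OPTIONS = {
    "apt::get::allowunauthenticated",
    "acquire::allowinsecurerepositories",
    "acquire::allowdowngradetoinsecurerepositories",
}
TRUTHY = {"true", "yes", "1", "on", "enable", "with"}

# Flat form only: Name "value";  (comment lines never match the name pattern)
OPTION_RE = re.compile(r'^\s*([A-Za-z:_-]+)\s+"([^"]*)"\s*;')
# deb / deb-src line carrying an [option=value ...] block, then the URI
SOURCE_RE = re.compile(r'^\s*deb(?:-src)?\s+\[([^\]]*)\]\s+(\S+)')

def audit_apt_conf(text):
    """Return (line number, option) for each enabled signature bypass."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OPTION_RE.match(line)
        if m and m.group(1).lower() in INSECURE_OPTIONS \
                and m.group(2).lower() in TRUTHY:
            findings.append((lineno, m.group(1)))
    return findings

def audit_sources(text):
    """Return (line number, URI) for each source marked trusted=yes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SOURCE_RE.match(line)
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in m.group(1).split() if "=" in o)
        if opts.get("trusted", "").lower() == "yes":
            findings.append((lineno, m.group(2)))
    return findings

# Constructed sample inputs, not taken from a real device.
SAMPLE_APT_CONF = '''\
// constructed sample
APT::Get::AllowUnauthenticated "true";
// APT::Get::AllowUnauthenticated "true";
Acquire::AllowInsecureRepositories "false";
APT::Install-Recommends "false";
'''
SAMPLE_SOURCES = '''\
# constructed sample; hosts are placeholders
deb http://repo.example.org/ stable free
deb [trusted=yes] http://thirdparty.example.org/ stable user
# deb [trusted=yes] http://disabled.example.org/ stable user
deb-src [arch=armel trusted=no] http://repo.example.org/ stable free
'''

if __name__ == "__main__":
    print(audit_apt_conf(SAMPLE_APT_CONF))
    print(audit_sources(SAMPLE_SOURCES))
```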