Re: some feedback about security from the user's point of view

2011-01-23 Thread René Mayrhofer
On Sunday, 23 January 2011, at 20:52:44, AK wrote: > Regarding the MD5 sum example and certain released PoCs: producing two > "random" files with identical MD5 sums is one thing, introducing a > meaningful backdoor (which means deterministic change) or ten in a > Debian iso and generating an iso

Re: some feedback about security from the user's point of view

2011-01-23 Thread Michael Gilbert
On Sun, 23 Jan 2011 20:22:34 -0600 Raphael Geissert wrote: > Michael Gilbert wrote: > > There is no need to worry about additional load on the mirrors since > > the only thing that needs to be verifiable are the checksums > > themselves, and that could easily be hosted on a centralized https > > s

Re: some feedback about security from the user's point of view

2011-01-23 Thread Raphael Geissert
Michael Gilbert wrote: > There is no need to worry about additional load on the mirrors since > the only thing that needs to be verifiable are the checksums > themselves, and that could easily be hosted on a centralized https > server separate from the mirror system. The Debian CDs and the Archive
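Worked example added to this archive page (it is not code from either poster, nor Debian's own tooling): the verification step the two messages above rely on, where the image comes from a plain-HTTP mirror and only the checksum list has to arrive over a trusted channel (the centralized HTTPS server Michael proposes, or a GPG-signed SHA256SUMS). The block assumes the SHA256SUMS text has already been fetched and, where applicable, its signature checked; file names and contents are constructed, and the "tampered mirror" is simulated by flipping one byte after publication.

```python
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, Iterable

CHUNK = 1 << 20  # hash 1 MiB at a time; a CD/DVD image should not be read into memory whole


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text: str) -> Dict[str, str]:
    """Parse sha256sum(1) output ('<hex>  <name>', or '<hex> *<name>' in binary mode).

    Returns {name: expected_hex}. A malformed line raises instead of being
    skipped: a checksum list we cannot parse must not verify anything.
    """
    line_re = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
    expected: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = line_re.match(line)
        if m is None:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_downloads(sums_text: str, directory: str) -> Dict[str, str]:
    """Client side: {name: 'OK' | 'FAILED' | 'MISSING'} for every file the list names."""
    verdict: Dict[str, str] = {}
    for name, want in parse_sums(sums_text).items():
        # basename(): the checksum list must not be able to point outside the download dir
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            verdict[name] = "MISSING"
            continue
        got = sha256_file(path)
        verdict[name] = "OK" if hmac.compare_digest(got, want) else "FAILED"
    return verdict


def publish_sums(directory: str, names: Iterable[str]) -> str:
    """Publisher side: the SHA256SUMS text that the trusted channel would serve."""
    return "".join(f"{sha256_file(os.path.join(directory, n))}  {n}\n" for n in names)


def demo() -> Dict[str, str]:
    """Constructed scenario: three images published; the mirror alters one, one is never fetched."""
    with tempfile.TemporaryDirectory() as d:
        images = {  # constructed file names and bodies, not real Debian images
            "netinst.iso": b"constructed image body A\n" * 4096,
            "cd-1.iso": b"constructed image body B\n" * 4096,
            "cd-2.iso": b"constructed image body C\n" * 4096,
        }
        for name, body in images.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        sums = publish_sums(d, images)  # obtained via HTTPS or a checked .sign file, so trusted

        # Untrusted mirror: a single byte of cd-1.iso is flipped after publication.
        p = os.path.join(d, "cd-1.iso")
        with open(p, "r+b") as f:
            f.seek(100)
            b = f.read(1)
            f.seek(100)
            f.write(bytes([b[0] ^ 0x01]))
        os.remove(os.path.join(d, "cd-2.iso"))  # the user only downloaded the first two

        return verify_downloads(sums, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

The mirror's transport adds nothing here: any change to the image, however small, shows up as FAILED, and a file the user never fetched is reported rather than silently passed. What the block does not do is establish that the SHA256SUMS text itself is authentic; that is exactly the part the thread proposes moving to HTTPS or covering with a GPG signature, and it has to happen before `verify_downloads` is worth running.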

Re: some feedback about security from the user's point of view

2011-01-23 Thread Robert Tomsick
On Sun, 2011-01-23 at 19:32 -0500, Michael Gilbert wrote: > > Also, a discussion could be started with SPI to see if they are > willing to purchase a CA cert. That would at least allow users with > implicit trust in the CA system to get a nice fuzzy feeling when they > see the lock icon when down

Re: some feedback about security from the user's point of view

2011-01-23 Thread Michael Gilbert
On Sun, Jan 23, 2011 at 12:34 PM, AK wrote: > Hi all, > > a small disclaimer first, I am not affiliated with debian in any way, I > am, as the original author would have put it a user. I would like to > play devil's advocate in a few of the quite interesting points that Naja > raises: > > 1) Why is

Re: some feedback about security from the user's point of view

2011-01-23 Thread Rick Moen
Quoting Naja Melan (najame...@gmail.com): > Some weeks ago I decided to have a look at debian and quite soon ran into > questions and problems considering the security of debian. I would like to > share some of those questions, remarks in this mail in the hope of > stimulating a discussion[...] I

Re: some feedback about security from the user's point of view

2011-01-23 Thread Boyd Stephen Smith Jr.
In <4d3c66a0.80...@gmail.com>, AK wrote: >3) Regarding policies, I think that unfortunately Debian has a bad >record (cough, cough, openSSL PRNG circa 2008) The patch file that introduced that security issue can be broken into two parts that don't overlap: (a) the part that fixed the "policy viol

Re: some feedback about security from the user's point of view

2011-01-23 Thread AK
Thanks for the reply and the links Robert. I agree with your point on SSL/TLS not being as computationally expensive as it used to be, however (as you correctly state) it can be more of an issue regarding management/resources, as well as red tape. Regarding Google's statement with SSL/TLS cost be

Re: some feedback about security from the user's point of view

2011-01-23 Thread Robert Tomsick
On Sun, 2011-01-23 at 19:34 +0200, AK wrote: > a small disclaimer first, I am not affiliated with debian in any way, > I am, as the original author would have put it a user. The same goes for me, so I suppose my remarks should be taken with a comparably-sized grain of salt. :) That said: > 1)

Re: some feedback about security from the user's point of view

2011-01-23 Thread Yves-Alexis Perez
On Sun., 2011-01-23 at 17:35 +0100, Naja Melan wrote: > Some weeks ago I decided to have a look at debian and quite soon ran into > questions and problems considering the security of debian. I would like to > share some of those questions, remarks in this mail in the hope of > stimulating a discuss

Re: some feedback about security from the user's point of view

2011-01-23 Thread AK
Hi all, a small disclaimer first, I am not affiliated with debian in any way, I am, as the original author would have put it a user. I would like to play devil's advocate in a few of the quite interesting points that Naja raises: 1) Why is *getting* debian over plain HTTP such a big issue? Assumi

some feedback about security from the user's point of view

2011-01-23 Thread Naja Melan
Hi, quite some people around me use debian with view of creating secure encrypted systems. Consider for example in france boum.org, who have published a book about computer security which advises people to use debian. Those people turn to me with questions about how safe things are and want advice