Re: kernel.org compromised
> Yeah, yeah. We've beaten that horse to death, and our side lost. I also advocate that all debs should be signed, but that was not the will of the ftp-masters the last time the issue was up for discussion.

That's wrong. Since 03 Aug 2008 at least. See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340306#33

(Whether dpkg-sig is THE way to go is a different topic, but it's a way that was there. The maintainers of dpkg-sig don't seem to be interested anymore, but that's not a fault of (current) ftpmasters)

-- 
bye, Joerg
(23:02) liw I should take a photograph of my stapler, the maker of which is RAPESCO

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/878vq5oqfh@gkar.ganneff.de
Re: kernel.org compromised
* Joerg Jaspert (jo...@debian.org) [110903 12:44]:
> > Yeah, yeah. We've beaten that horse to death, and our side lost. I also advocate that all debs should be signed, but that was not the will of the ftp-masters the last time the issue was up for discussion.
> That's wrong. Since 03 Aug 2008 at least. See
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340306#33

This means that dpkg-sig needs to be completely re-written, even though it was working quite well (before it was blocked by ftp-masters). Not exactly what I would consider helpful, but well.

Anyways, I don't think discussing this topic more will gain us anything. (And also the question of signing .deb-packages is completely orthogonal to authentication of the downloaded packages files, which works, and which is necessary for protection from taken-over hosts like kernel.org this time).

Andi

Archive: http://lists.debian.org/20110903112210.gl15...@mails.so.argh.org
Re: kernel.org compromised
On Thu, Sep 01, 2011 at 06:05:01PM -0300, Henrique de Moraes Holschuh wrote:
> Our kernels are not a problem. The Debian mirror in mirrors.kernel.org, on the other hand... While the apt signature will protect users downloading packages through the package manager, users that get binary packages directly are not protected.

The connection is not authenticated, so it makes no difference if you get modified stuff or if it is modified in transit.

Bastian

-- 
Totally illogical, there was no chance.
        -- Spock, The Galileo Seven, stardate 2822.3

Archive: http://lists.debian.org/20110902094857.ga14...@wavehammer.waldi.eu.org
Re: kernel.org compromised
On Fri, 02 Sep 2011, Bastian Blank wrote:
> On Thu, Sep 01, 2011 at 06:05:01PM -0300, Henrique de Moraes Holschuh wrote:
> > Our kernels are not a problem. The Debian mirror in mirrors.kernel.org, on the other hand... While the apt signature will protect users downloading packages through the package manager, users that get binary packages directly are not protected.
> The connection is not authenticated, so it makes no difference if you get modified stuff or if it is modified in transit.

Yeah, yeah. We've beaten that horse to death, and our side lost. I also advocate that all debs should be signed, but that was not the will of the ftp-masters the last time the issue was up for discussion.

So what if data could also be changed in transit: that's still a lot less likely than it being changed in-place on a compromised system, so it really doesn't make the case for verifying the data in mirrors.k.o any weaker.

-- 
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20110902131512.ga4...@khazad-dum.debian.net
Re: kernel.org compromised
On 2011-09-02, Henrique de Moraes Holschuh h...@debian.org wrote:
> On Fri, 02 Sep 2011, Bastian Blank wrote:
> > On Thu, Sep 01, 2011 at 06:05:01PM -0300, Henrique de Moraes Holschuh wrote:
> > > Our kernels are not a problem. The Debian mirror in mirrors.kernel.org, on the other hand... While the apt signature will protect users downloading packages through the package manager, users that get binary packages directly are not protected.
> > The connection is not authenticated, so it makes no difference if you get modified stuff or if it is modified in transit.
> Yeah, yeah. We've beaten that horse to death, and our side lost. I also advocate that all debs should be signed, but that was not the will of the ftp-masters the last time the issue was up for discussion.

And we should get the archive signing key into a HSM.

Kind regards
Philipp Kern

Archive: http://lists.debian.org/slrnj61olv.nu6.tr...@kelgar.0x539.de
Re: kernel.org compromised
On Fri, 02 Sep 2011, Philipp Kern wrote:
> On 2011-09-02, Henrique de Moraes Holschuh h...@debian.org wrote:
> > On Fri, 02 Sep 2011, Bastian Blank wrote:
> > > On Thu, Sep 01, 2011 at 06:05:01PM -0300, Henrique de Moraes Holschuh wrote:
> > > > Our kernels are not a problem. The Debian mirror in mirrors.kernel.org, on the other hand... While the apt signature will protect users downloading packages through the package manager, users that get binary packages directly are not protected.
> > > The connection is not authenticated, so it makes no difference if you get modified stuff or if it is modified in transit.
> > Yeah, yeah. We've beaten that horse to death, and our side lost. I also advocate that all debs should be signed, but that was not the will of the ftp-masters the last time the issue was up for discussion.
> And we should get the archive signing key into a HSM.

We actually could if we wanted to, it is not that expensive. Whether it would really help overall security or not is something that is not obvious.

Good two-factor authentication for logins would be a better first step, though. As long as we ask the Fedora guys how well it is working for them, first...

-- 
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20110902164443.gb4...@khazad-dum.debian.net
kernel.org compromised
Hi.

CCing this to d-d, as it's perhaps of more general interest:

There was apparently a security break-in on kernel.org
https://www.kernel.org/#news

Any knowledge how far Debian's kernels and sources are concerned by this? Do you guys take them from git, or from the kernel.org tarballs? How do you verify their integrity?

Cheers,
Chris.

Archive: http://lists.debian.org/2308dfb73039245ca2160f4ce24e0...@imap.dd24.net
Re: kernel.org compromised
On Thu, Sep 01, 2011 at 11:56:27AM +, Christoph Anton Mitterer wrote:
> Hi.
> CCing this to d-d, as it's perhaps of more general interest:
> There was apparently a security break-in on kernel.org
> https://www.kernel.org/#news

I am well aware of this as a kernel.org user.

> Any knowledge how far Debian's kernels and sources are concerned by this? Do you guys take them from git, or from the kernel.org tarballs?

From git.

> How do you verify their integrity?

I check that new tags are signed by the same key as before. Those keys are kept on the signers' own systems, not on kernel.org. So I am confident that our upstream sources were not modified by the intruder.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking. - Albert Camus

Archive: http://lists.debian.org/20110901150352.ge2...@decadent.org.uk
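The "signed by the same key as before" check Ben describes, written out as an added example (not code from the thread or from the Debian kernel team): it parses the gpg status lines that `git verify-tag --raw` emits and accepts a tag only when the primary key behind the signature matches a fingerprint pinned from earlier tags. The status sample and both fingerprints are constructed placeholders.

```python
import subprocess

# Constructed sample of the status lines "git verify-tag --raw" writes to stderr
# for a good signature; the fingerprints are placeholders, not real key data.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG AAAA111122223333444455556666777788889999 2011-08-31 1314777600 0 4 0 1 10 00 FFFF111122223333444455556666777788889999
"""
# Primary-key fingerprint recorded from the previously verified tags (placeholder).
PINNED_PRIMARY_FPR = "FFFF111122223333444455556666777788889999"

def primary_fingerprint(status_text):
    """Return the primary-key fingerprint from the VALIDSIG line, or None.

    The third field of VALIDSIG is the (sub)key that made the signature; the
    last field, when present, is the primary key it belongs to.  Pinning the
    primary key survives signing-subkey rotation.  GOODSIG alone is not enough:
    it only says that some key in the local keyring verified, not which one."""
    for line in status_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return (f[11] if len(f) >= 12 else f[2]).upper()
    return None

def tag_signed_by_pinned_key(status_text, pinned_fpr):
    """True only if a signature verified AND it came from the pinned key."""
    fpr = primary_fingerprint(status_text)
    return fpr is not None and fpr == pinned_fpr.upper()

def verify_git_tag(tag, pinned_fpr, repo="."):
    """Run git verify-tag --raw on a real checkout and apply the continuity check."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return proc.returncode == 0 and tag_signed_by_pinned_key(proc.stderr, pinned_fpr)
```

A mismatch on an otherwise valid signature is exactly the case to stop on: the tag verifies, but not against the key that signed the previous releases.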
Re: kernel.org compromised
On Thu, 1 Sep 2011 16:03:52 +0100, Ben Hutchings b...@decadent.org.uk wrote:
> > There was apparently a security break-in on kernel.org
> > https://www.kernel.org/#news
> I am well aware of this as a kernel.org user.

I suspected this ;) ...

> > Any knowledge how far Debian's kernels and sources are concerned by this? Do you guys take them from git, or from the kernel.org tarballs?
> From git.

Great, thanks... just wanted to know that we're all still secure :)

Chris.

Archive: http://lists.debian.org/833808b2689ab573e978c36f33f8d...@imap.dd24.net
Re: kernel.org compromised
(debian-kernel dropped from CC, since our kernels have already been reported to be safe elsewhere in the thread).

On Thu, 01 Sep 2011, Christoph Anton Mitterer wrote:
> Any knowledge how far Debian's kernels and sources are concerned by this? Do you guys take them from git, or from the kernel.org tarballs? How do you verify their integrity?

Our kernels are not a problem. The Debian mirror in mirrors.kernel.org, on the other hand...

While the apt signature will protect users downloading packages through the package manager, users that get binary packages directly are not protected. Source packages are signed, but you have to check the signature _and_ make sure it was signed by a DD/DM.

I am not sure what the kernel.org admin team will do to resync the mirrors. An rsync -c followed by a normal pulse would do it, but it is going to be _painful_ to both mirrors.kernel.org AND its upstream mirror, not to mention slow.

Do we have an automated way to signature-check every binary and source package in a repository against the hashes in the signed release files?

-- 
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20110901210501.gc12...@khazad-dum.debian.net
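The check Henrique asks for, as an added example that is not from the thread or from any Debian tool: it walks the hash chain Release -> Packages -> .deb over a mirror and reports every file whose size or SHA256 does not match, which is how a mirror such as mirrors.kernel.org could be audited after a break-in. The in-memory repository, its package and the Release contents are constructed; the Release signature itself is assumed to have been verified beforehand with gpgv, since unsigned hashes prove nothing on a host the intruder controlled.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_release(text):
    """Map index path -> (sha256, size) from the SHA256: section of a Release file."""
    entries, in_sha256 = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):            # a new "Field:" line; is it SHA256:?
            in_sha256 = line.strip() == "SHA256:"
        elif in_sha256:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(text):
    """Yield one dict per stanza of a Packages index (continuation lines skipped)."""
    stanza = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if stanza:
                yield stanza
            stanza = {}
        elif not line.startswith(" "):
            key, _, value = line.partition(":")
            stanza[key] = value.strip()

def check_repo(files, dist="dists/squeeze"):
    """Return the repo-relative paths whose size or SHA256 does not chain back to
    Release.  `files` maps path -> bytes.  Precondition, not done here: verify
    the Release signature first, e.g.
      gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release"""
    problems = []
    for index, (digest, size) in parse_release(files[f"{dist}/Release"].decode()).items():
        path, data = f"{dist}/{index}", files.get(f"{dist}/{index}")
        if data is None or len(data) != size or sha256(data) != digest:
            problems.append(f"index mismatch: {path}")
            continue                            # its package list cannot be trusted
        if index.endswith("Packages"):
            for pkg in parse_packages(data.decode()):
                deb = files.get(pkg["Filename"])
                if deb is None or len(deb) != int(pkg["Size"]) or sha256(deb) != pkg["SHA256"]:
                    problems.append(f"package mismatch: {pkg['Filename']}")
    return problems

def build_sample_repo(deb=b"constructed stand-in for a .deb archive"):
    """Constructed in-memory mirror: one .deb, one Packages index, one Release."""
    deb_path, index = "pool/main/f/foo/foo_1.0_amd64.deb", "main/binary-amd64/Packages"
    packages = (f"Package: foo\nVersion: 1.0\nFilename: {deb_path}\n"
                f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n\n").encode()
    release = f"Suite: squeeze\nSHA256:\n {sha256(packages)} {len(packages)} {index}\n".encode()
    return {"dists/squeeze/Release": release, f"dists/squeeze/{index}": packages, deb_path: deb}
```

Sources indexes carry the same Size/SHA256 fields per file, so the source packages Henrique mentions can be covered by extending the loop to the Sources entries in Release.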