On Tue, 30 Aug 2016 23:04:40 +0200, Ralf Mardorf wrote:
>On Tue, 30 Aug 2016 15:31:07 -0500, Yoshi wrote:
>>There is allegedly a recently published security hole in the
>>"Ubuntu/Debian update mechanism" involving authentication and
>>signatures.
>
>What is the source of this vague
On Tue, 30 Aug 2016 15:31:07 -0500, Yoshi wrote:
>There is allegedly a recently published security hole in the
>"Ubuntu/Debian update mechanism" involving authentication and
>signatures.
What is the source of this vague "information"?
>You are welcome to forward this message as is to anyone else
I was thinking there is one way to slow down but not stop this attack at the
server level, and it works only if the package is both downloaded over https
and signed: that is to have the packages and their signing keys on one server
and the ssh keys on a physically different box, so any attack
This is REALLY ugly, and suggests keyservers be dedicated machines that
are not co-hosted with anything and don't co-host anything. Until then it
means GCHQ can probably crack Ubuntu's keys if they are hosted in the UK.
This sort of thing makes substituting binaries built from alternate source
On 2016-08-30 22:31, Yoshi wrote:
> security hole in the
> "Ubuntu/Debian update mechanism" involving authentication and
> signatures
Got to be referring to this:
https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html
"breaking OpenSSH public-key authentication, and forging GPG