This is REALLY ugly, and suggests keyservers be dedicated machines that are not co-hosted with anything and don't co-host anything. Until then it means GCHQ can probably crack Ubuntu's keys if they are hosted in the UK.
This sort of thing makes substituting binaries built from alternate source much easier and far safer when an attacker knows nobody can check them. The "cloud" never has been safe and never can be safe, there will always be another mode of attack. Keyservers are so sensitive they should be dedicated machines in locations that are either never left unguarded or at least protected by tamper-evident physical seals(tell-tales). For me this adds still more packages to what I have to build from source, starting with the kernel. I'm not making any new encryption keys on recently downloaded binary kernels in light of this. On 8/31/2016 at 2:11 AM, "Set Hallstrom" <[email protected]> wrote: > >On 2016-08-30 22:31, Yoshi wrote: >> security hole in the >> "Ubuntu/Debian update mechanism" involving authentication and >> signatures > >Got to be reffering to this: >https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html > >"breaking OpenSSH public-key authentication, and forging GPG >signatures >from trusted keys" > >Sounds like hard times for security experts and the web of trust. >:( > >-- >Set Hallstrom aka sakrecoer -- ubuntu-studio-devel mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel
