Hosting Provided By

Re: Recent updates

From: Alexander Schmehl <tolimar(at)debian.org>
Date: Sun Feb 17 2008 - 15:48:16 EST

Hi!

Jim Popovitch <yahoo@jimpop.com> [080217 20:43]:

> > Subscribe to debian-announce:
> > http://lists.debian.org/debian-announce/debian-announce-2008/msg00000.html
> I hope you are teasing, or perhaps you didn't see my first sentence
> where I stated that I had not seen any other news about this. I have
> been subscribed to d-a, as well as d-s, and d-i, and d-v..... the
> problem was the updates hit the mirrors before the announcement hit
> the wire.

Yes, as the last couple of announcement did. The problem is, that if we announce a new release before it is send to the mirrors, mirrors are hit very hard hindering the sync of our mirror network.

So in general we first push upgrade to the mirrors, and then sent out announcements.

> Normally this wouldn't be much of an issue, but the formal signed
> announcement is the only way for most of us to know that the updates
> are legit and not a nefarious action by some rogue hacker.

Well, a rogue hacker would need to be quite skilled to add some kind of "bad" package.

Let's assume he has created a bad package and got control over a mirror (since he can't upload the package himself that's the only way to include it). Of course he could add his package to the Debian archive he has on that mirror, but since packages and releases are signed with gpg he couldn't benefit from that, since as soon as someone tries to install his bad package, package management would detect the wrong signature.

Yours sincerely,
Alexander

-- 
http://learn.to/quote/http://www.catb.org/~esr/faqs/smart-questions.html

-- To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

application/pgp-signature attachment: Digital signature

Received on Sun Feb 17 15:48:59 2008

Do you need help?

This message: [ Message body ]
Next message: Jim Popovitch: "Re: Recent updates"
Previous message: Jim Popovitch: "Re: Recent updates"
In reply to: Jim Popovitch: "Re: Recent updates"
Next in thread: Jim Popovitch: "Re: Recent updates"
Reply: Jim Popovitch: "Re: Recent updates"
Reply: Felipe Figueiredo: "Re: Recent updates"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:57 EDT