[lug] Package manager vulnerabilities [was Re: Pencast of Trent Hein - Practical Security]

Sean Reifschneider jafo at tummy.com
Thu Oct 22 02:17:24 MDT 2009


On 10/21/2009 08:45 PM, David L. Anselmi wrote:
> I don't know about the current mirror policy.  Perhaps that was before 
> they started distributing the archive keyring (only a year or two).  Now 

Correct, they have fixed it "recently" (a couple of years ago sounds
right).  It was just annoying that "all the other" distros had signed
packages, and they acknowledged that it was a problem in that they didn't
condone mirroring of security packages, but the hole was still there for
exploiting in non-security base packages.

It's all fixed now, all the way around.  Which is very nice.  It was just
annoying at the time.

Yay for cryptographic signatures.  Now if we could just have them on DNS.
DLAV to the rescue...

Sean
-- 
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
