Re: [gNewSense-users] gNewSense Servers Safe
From: Ted Smith
Subject: Re: [gNewSense-users] gNewSense Servers Safe
Date: Thu, 01 Jan 2009 21:33:59 -0500

On Fri, 2009-01-02 at 12:03 +1030, Karl Goetz wrote:
> On Thu, 01 Jan 2009 20:18:05 -0500
> Ted Smith <address@hidden> wrote:
>
> > On Fri, 2009-01-02 at 11:27 +1030, Karl Goetz wrote:
> > > On Thu, 01 Jan 2009 16:31:26 -0500
> > > Matthew Flaschen <address@hidden> wrote:
> > >
> > > > Ted Smith wrote:
> > > > > On Thu, 2009-01-01 at 17:49 +0800, Koh Choon Lin wrote:
> > > > >>>> I noted in recent times, servers for distro like Fedora and
> > > > >>>> Debian were compromised by hackers. Are there some measures
> > > > >>>> taken for gNewSense after those incidents?
> > > > >> I actually meant to ask how the servers hosting gNewSense are
> > > > >> protected to insure against rootkits being inserted into the
> > > > >> distribution stream.
> > > > >
> > > > > Well, all packages are PGP-signed, the preferred distribution
> > > > > method of the LiveCDs is BitTorrent (which is un-rootkitable),
> > > > > > and the LiveCDs available for direct download are MD5sum'd
> > > > > (and the MD5sums are PGP-signed).
> > > >
> > > > I agree. The only things that really matter are:
> > > >
> > > > 1. Using a secure hash (e.g. SHA-256).
> > >
> > > Moving from MD5SUM to SHA???SUM would be < 10 line patch to Builder,
> > > IIRC.
> > > kk
> >
> > That should be done ASAP. MD5 has been broken for a while and now it's
> > getting to the point of being really ridiculous. It could be there
> > still for people that are uncomfortable using SHA, but we definitely
> > need to have options more secure than MD5.
>
> I'm sure Brian will accept patches.
> kk
>
Ah, Matthew _just_ beat me (his email got to my inbox just as I started
typing this). So I'm adding his gpg line to my patch.

The attached diff against the svn adds a config array SUMLIST and a
scalar SUMFILE for the list of *sum programs to use and the file to put
the output in. This lets us update as future hash algorithms break
without going through and replacing "md5sum" every time. :)

While I can't test this myself (I don't have enough disk space to run
builder and not enough builder knowledge to just run the part of it), I
have tested my code alone and it works (as it should, since it's fairly
simple).

I've set SUMLIST to include md5sum, shasum, and sha512sum.

Attachment: multisum.patch (Description: Text Data)
Attachment: signature.asc (Description: This is a digitally signed message part)