Re: [gNewSense-users] gNewSense Servers Safe


From: Ted Smith
Subject: Re: [gNewSense-users] gNewSense Servers Safe
Date: Thu, 01 Jan 2009 20:18:05 -0500

On Fri, 2009-01-02 at 11:27 +1030, Karl Goetz wrote:
> On Thu, 01 Jan 2009 16:31:26 -0500
> Matthew Flaschen <address@hidden> wrote:
> 
> > Ted Smith wrote:
> > > On Thu, 2009-01-01 at 17:49 +0800, Koh Choon Lin wrote:
> > >>>> I noted in recent times, servers for distro like Fedora and
> > >>>> Debian were compromised by hackers. Are there some measures
> > >>>> taken for gNewSense after those incidents?
> > >> I actually meant to ask how the servers hosting gNewSense are
> > >> protected to insure against rootkits being inserted into the
> > >> distribution stream.
> > > 
> > > Well, all packages are PGP-signed, the preferred distribution
> > > method of the LiveCDs is BitTorrent (which is un-rootkitable), and
> > > > the LiveCDs available for direct download are MD5sum'd (and the
> > > MD5sums are PGP-signed).
> > 
> > I agree.  The only things that really matter are:
> > 
> > 1. Using a secure hash (e.g. SHA-256).
> 
> Moving from MD5SUM to SHA???SUM would be < 10 line patch to Builder,
> IIRC.
> kk

That should be done ASAP. MD5 has been broken for a while and now it's
getting to the point of being really ridiculous. It could be there still
for people that are uncomfortable using SHA, but we definitely need to
have options more secure than MD5.

Attachment: signature.asc
Description: This is a digitally signed message part
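
The change discussed in this thread, seen from the downloader's side, as an added example that is not part of the original message and is not gNewSense Builder code: a verifier that accepts only SHA-256 entries from a checksum manifest and fails closed on anything else. It assumes the manifest uses the coreutils `sha256sum` line format and that its PGP signature has already been verified separately; all function names, the file name and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import io
import re

# coreutils manifest line: "<hex digest>  <name>" (text) or "<hex digest> *<name>" (binary)
_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")
SHA256_HEX_LEN = 64  # MD5 digests are 32 hex characters, SHA-1 digests are 40

def parse_manifest(text):
    """Return {filename: digest}; reject any entry whose digest is not SHA-256 length."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a checksum entry")
        digest, name = m.group(1).lower(), m.group(2)
        if len(digest) != SHA256_HEX_LEN:
            raise ValueError(f"line {lineno}: {len(digest) * 4}-bit digest, not SHA-256")
        entries[name] = digest
    return entries

def sha256_stream(stream, chunk=1 << 20):
    """Hash in chunks so a full CD image is never held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify(name, stream, manifest_text):
    """True only if `name` is listed in the manifest and the stream's SHA-256 matches."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # unlisted file: fail closed
    return hmac.compare_digest(sha256_stream(stream), expected)

# Constructed sample data: a few bytes standing in for a LiveCD image.
IMAGE = b"constructed image bytes"
MANIFEST = f"{hashlib.sha256(IMAGE).hexdigest()}  sample-livecd.iso\n"
MD5_MANIFEST = "0" * 32 + "  sample-livecd.iso\n"  # MD5-length digest, constructed

if __name__ == "__main__":
    print(verify("sample-livecd.iso", io.BytesIO(IMAGE), MANIFEST))         # True
    print(verify("sample-livecd.iso", io.BytesIO(IMAGE + b"!"), MANIFEST))  # False
```

Passing `MD5_MANIFEST` to `parse_manifest` raises `ValueError`, so a manifest downgraded to MD5-length digests is refused rather than silently accepted.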

