
Re: [gNewSense-users] gNewSense Servers Safe


From: Karl Goetz
Subject: Re: [gNewSense-users] gNewSense Servers Safe
Date: Fri, 2 Jan 2009 12:03:14 +1030

On Thu, 01 Jan 2009 20:18:05 -0500
Ted Smith <address@hidden> wrote:

> On Fri, 2009-01-02 at 11:27 +1030, Karl Goetz wrote:
> > On Thu, 01 Jan 2009 16:31:26 -0500
> > Matthew Flaschen <address@hidden> wrote:
> > 
> > > Ted Smith wrote:
> > > > On Thu, 2009-01-01 at 17:49 +0800, Koh Choon Lin wrote:
> > > >>>> I noted in recent times, servers for distro like Fedora and
> > > >>>> Debian were compromised by hackers. Are there some measures
> > > >>>> taken for gNewSense after those incidents?
> > > >> I actually meant to ask how the servers hosting gNewSense are
> > > >> protected to insure against rootkits being inserted into the
> > > >> distribution stream.
> > > > 
> > > > Well, all packages are PGP-signed, the preferred distribution
> > > > method of the LiveCDs is BitTorrent (which is un-rootkitable),
> > > > and the liveCD's available for direct download are MD5sum'd
> > > > (and the MD5sums are PGP-signed).
> > > 
> > > I agree.  The only things that really matter are:
> > > 
> > > 1. Using a secure hash (e.g. SHA-256).
> > 
> > Moving from MD5SUM to SHA???SUM would be < 10 line patch to Builder,
> > IIRC.
> > kk
> 
> That should be done ASAP. MD5 has been broken for a while and now it's
> getting to the point of being really ridiculous. It could be there
> still for people that are uncomfortable using SHA, but we definitely
> need to have options more secure than MD5.

I'm sure Brian will accept patches.
kk

-- 
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian user / gNewSense contributor
http://www.kgoetz.id.au
No, I won't join your social networking group
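
The check discussed in this thread, as an added example that is not part of the original messages and is not Builder code: it verifies a downloaded image against a coreutils-style checksum file and refuses entries whose digest is not SHA-256 length, such as leftover MD5 sums. The function names and the sample file name are hypothetical, and it assumes the PGP signature on the checksum file has already been verified separately.

```python
import hashlib
import os
import re
import tempfile

# One line of a coreutils-style checksum file: "<hex digest>  <name>" (or " *<name>").
SUM_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")
SHA256_HEX_LEN = 64  # an MD5 digest is only 32 hex characters


def parse_sums(text):
    """Return {filename: digest}, rejecting any entry that is not SHA-256 length."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a checksum entry")
        digest, name = m.group(1).lower(), m.group(2)
        if len(digest) != SHA256_HEX_LEN:
            raise ValueError(f"line {lineno}: {len(digest)}-char digest is not SHA-256")
        sums[name] = digest
    return sums


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a full CD image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, sums):
    """True only if the file is listed and its SHA-256 matches the listed digest."""
    expected = sums.get(os.path.basename(path))
    return expected is not None and sha256_file(path) == expected


if __name__ == "__main__":
    # Constructed sample: a tiny stand-in for an image and its checksum file.
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "sample-livecd.iso")
        with open(image, "wb") as f:
            f.write(b"constructed sample image\n")
        sums = parse_sums(f"{sha256_file(image)}  sample-livecd.iso\n")
        print("image verifies:", verify_image(image, sums))
```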



