Re: [gNewSense-users] gNewSense Servers Safe
From: Matthew Flaschen
Subject: Re: [gNewSense-users] gNewSense Servers Safe
Date: Thu, 01 Jan 2009 21:23:43 -0500
User-agent: Thunderbird 2.0.0.18 (X11/20081125)

Karl Goetz wrote:
> On Thu, 01 Jan 2009 20:18:05 -0500
> Ted Smith <address@hidden> wrote:
>
>> On Fri, 2009-01-02 at 11:27 +1030, Karl Goetz wrote:
>>> On Thu, 01 Jan 2009 16:31:26 -0500
>>> Matthew Flaschen <address@hidden> wrote:
>>>
>>>> Ted Smith wrote:
>>>>> On Thu, 2009-01-01 at 17:49 +0800, Koh Choon Lin wrote:
>>>>>>>> I noted in recent times, servers for distro like Fedora and
>>>>>>>> Debian were compromised by hackers. Are there some measures
>>>>>>>> taken for gNewSense after those incidents?
>>>>>> I actually meant to ask how the servers hosting gNewSense are
>>>>>> protected to insure against rootkits being inserted into the
>>>>>> distribution stream.
>>>>> Well, all packages are PGP-signed, the preferred distribution
>>>>> method of the LiveCDs is BitTorrent (which is un-rootkitable),
>>>>> and the liveCD's available for direct download are MD5sum'd
>>>>> (and the MD5sums are PGP-signed).
>>>> I agree. The only things that really matter are:
>>>>
>>>> 1. Using a secure hash (e.g. SHA-256).
>>> Moving from MD5SUM to SHA???SUM would be < 10 line patch to Builder,
>>> IIRC.
>>> kk
>> That should be done ASAP. MD5 has been broken for a while and now it's
>> getting to the point of being really ridiculous. It could be there
>> still for people that are uncomfortable using SHA, but we definitely
>> need to have options more secure than MD5.
>
> I'm sure Brian will accept patches.
> kk
Okay, patch attached. It uses sha256sum in place of md5sum, and changes
the file name to SHA256SUMS accordingly. Also, it uses a detached GPG
signature, which I think is better because it is less redundant; the
command also uses --output to avoid a mv.
Matt Flaschen
Index: stage-cd
===================================================================
--- stage-cd (revision 222)
+++ stage-cd (working copy)
@@ -30,9 +30,8 @@
tar -cf $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar
$DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION
cd $REPODST/cdimage
mv $LIVECDDIR-src/$DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar .
- sed -i "/ $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar$/d"
MD5SUMS
- md5sum $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar >> MD5SUMS
+ sed -i "/ $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar$/d"
SHA256SUMS
+ sha256sum $DISTRONAME_L-cdsource-$RELEASE-$LIVECD_VERSION.tar >>
SHA256SUMS
fi
cd $REPODST/cdimage
-gpg -u $SIGNINGKEY --clearsign MD5SUMS
-mv MD5SUMS.asc MD5SUMS.gpg
+gpg -u $SIGNINGKEY --detach-sign --armor --output SHA256SUMS.gpg SHA256SUMS
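Review bot: The new gpg line writes straight to SHA256SUMS.gpg with --output, so from the second run onward that file already exists and gpg will stop to ask whether to overwrite it (or fail when run non-interactively). The old flow avoided this because the mv removed MD5SUMS.asc each time. Suggest adding --batch --yes to the command, or removing SHA256SUMS.gpg before signing. Two smaller points: the signature is ASCII-armored but keeps the .gpg name, where .asc is the usual suffix for armored output, and the switch from --clearsign to a detached signature changes what downloaders must run (they now need both files, as in gpg --verify SHA256SUMS.gpg SHA256SUMS), so the download instructions should change with it. The existing MD5SUMS and MD5SUMS.gpg in cdimage are also left in place by this change and will go stale unless something removes them.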
Index: gen-livecd
===================================================================
--- gen-livecd (revision 222)
+++ gen-livecd (working copy)
@@ -190,5 +190,5 @@
# Here we stage the cd image
cd $REPODST/cdimage
btmakemetafile.bittornado http://torrent.$DOMAIN:6969/announce --announce_list
"$BITTORRENT_ANNOUNCE_LIST"
$LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso
-sed -i "/ $LIVECD_ISO_PREFIX-livecd-$LIVECD_VERSION.iso$/d" MD5SUMS || true #
Might not exist yet
-md5sum $LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso >> MD5SUMS
+sed -i "/ $LIVECD_ISO_PREFIX-livecd-$LIVECD_VERSION.iso$/d" SHA256SUMS || true
# Might not exist yet
+sha256sum $LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso >> SHA256SUMS
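Review bot: The sed pattern on the added line deletes entries named $LIVECD_ISO_PREFIX-livecd-$LIVECD_VERSION.iso, but the sha256sum line right after it appends $LIVECD_ISO_PREFIX-livecd-$RELEASE-$LIVECD_VERSION.iso, so the delete never matches the entry being replaced. The mismatch is carried over unchanged from the MD5SUMS lines. Every rebuild of the same version will append another line for the same ISO, and any older line with a different hash makes sha256sum -c report a failure for a file that is actually fine. Suggest adding -$RELEASE to the sed pattern so it matches the appended name. The dots in the file name are also unescaped in the regex and the variables are unquoted; neither is new in this patch, but both are worth fixing while the line is being touched.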