On Fri, Nov 28, 2003 at 04:14:19AM -0800, Karsten M. Self wrote:
> I'll disagree with Martin's comment that the server compromise didn't
> constitute a security issue despite the lack of an archive compromise.
> For someone well versed in Debian procedures, it might have been
> plausible that the archives themselves weren't compromised. For a
> typical user, I don't think this was the case. For the typical user's
> management or clients, it's very likely _not_ the case, and a timely
> positive statement of status would be very, very helpful.
>
> Security affecting Debian servers _potentially_ affects Debian packages.
> As it was, I cleared my locale package cache and stopped updates on
> hearing about the compromise. It wasn't for another few hours that I
> was aware that the archive was reportedly _not_ compromised.
>
> In the absence of any information, the security status of Debian project
> packages in the event of a known or rumored server compromise is at best
> unknown.
It wasn't clear to me that the packages I had downloaded were safe, and it wasn't even clear after reading that the archives were safe.

I suggest some phrase like "packages in the Debian archive" or just "Debian packages." The reason is that "archive" usually means something covering (ancient) history. I initially thought it referred to the mailing list archives. If I'd thought harder, I might have thought it referred to past Debian packages (which I think are provided via snapshot.debian.org?? I've never used them).

Perhaps I should have known better, but since the confusion seems pretty easy, and pretty easy to fix, I suggest fixing it if we should ever have such an unfortunate incident again.

Thanks to all those who worked so hard to detect, and then correct, this problem.

Ross Boylan