On Mon, 27 Mar 2017, Thibaut Paumard wrote: > Thanks for the pointer. Just out of curiosity, do you intend on using > the blends framework for the pkg-security team?
This is not part of any current plan but I have no objection if someone wants to do the required work. > If you have pointers about those best security practices, I'll gladly > take them. I'm not a penetration tester myself. But a good starting point is to not use "http" at all on connections that you do not trust and also using tools to ensure that you get the same https certificate that you use to get over a secure connection. > Quickly Googling "pkg-security" and "Debian security" did not reveal a > prominent central place for this sort of information. Although not > Debian-specific, a starting point at debian.org for raising awareness > for our users would be nice. If the pkg-security team could take it on > its shoulders... The pkg-security team is about packaging tools, not about this, sorry. https://wiki.debian.org/Teams/pkg-security Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/