On Thu, 01 Jan 2009 20:18:05 -0500 Ted Smith <[email protected]> wrote:
> On Fri, 2009-01-02 at 11:27 +1030, Karl Goetz wrote:
> > On Thu, 01 Jan 2009 16:31:26 -0500
> > Matthew Flaschen <[email protected]> wrote:
> >
> > > Ted Smith wrote:
> > > > On Thu, 2009-01-01 at 17:49 +0800, Koh Choon Lin wrote:
> > > >>>> I noted in recent times, servers for distro like Fedora and
> > > >>>> Debian were compromised by hackers. Are there some measures
> > > >>>> taken for gNewSense after those incidents?
> > > >> I actually meant to ask how the servers hosting gNewSense are
> > > >> protected to insure against rootkits being inserted into the
> > > >> distribution stream.
> > > >
> > > > Well, all packages are PGP-signed, the preferred distribution
> > > > method of the LiveCDs is BitTorrent (which is un-rootkitable),
> > > > and the liveCD's available for direct download are MD5sum'd
> > > > (and the MD5sums are PGP-signed).
> > >
> > > I agree. The only things that really matter are:
> > >
> > > 1. Using a secure hash (e.g. SHA-256).
> >
> > Moving from MD5SUM to SHA???SUM would be < 10 line patch to Builder,
> > IIRC.
> > kk
>
> That should be done ASAP. MD5 has been broken for a while and now it's
> getting to the point of being really ridiculous. It could be there
> still for people that are uncomfortable using SHA, but we definitely
> need to have options more secure than MD5.

I'm sure Brian will accept patches.
kk

-- 
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian user / gNewSense contributor
http://www.kgoetz.id.au
No, I won't join your social networking group
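
Added example, not part of the original thread and not gNewSense Builder code: a download-side checker for a coreutils-style checksum manifest that accepts SHA-256/SHA-512 entries and refuses MD5 or SHA-1 ones, as the thread proposes. The function names and status strings are hypothetical, and it assumes the manifest's PGP signature has already been verified separately.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Hex digest length -> hashlib name. MD5 and SHA-1 are recognised only so
# that their entries can be refused rather than silently skipped.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
ACCEPTED = {"sha256", "sha512"}
# md5sum/sha256sum line format: "<hex digest><space><space or *><filename>"
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so a large ISO is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_manifest(manifest_text, base_dir):
    """Return {filename: status}. Status is 'ok', 'mismatch', 'missing',
    'rejected-hash' (MD5, SHA-1 or unknown length) or 'unsafe-path'."""
    base = Path(base_dir).resolve()
    results = {}
    for line in manifest_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed lines verify nothing
        digest, name = m.group(1).lower(), m.group(2)
        algo = ALGO_BY_HEXLEN.get(len(digest))
        target = (base / name).resolve()
        if algo not in ACCEPTED:
            results[name] = "rejected-hash"
        elif base not in target.parents:
            results[name] = "unsafe-path"  # entry points outside base_dir
        elif not target.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(file_digest(target, algo), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results
```

A caller should treat any status other than 'ok' as a failed download, including a file that has no entry in the manifest at all.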
