Re: Verification of netboot installer and firmware files

2015-09-06 Thread Andrew M.A. Cater
On Sun, Sep 06, 2015 at 10:20:04AM +0200, Daniel Reichelt wrote:
> Hey there
> 
> I'm wondering if there's a practical way to verify the netboot installer files
> and firmware archives provided via [1]-[3]. I couldn't find anything similar to
> the signed (md5|shaX)sum files provided for the ISOs, nor any lines in the
> official installation guide about verification.
> 

Folk are aware of this: in other threads on other mailing lists, they're
discussing the things needed to harden/verify repositories and downloads.

The next iteration of Apt does bring significant enhancements for some of those
steps.

http://wiki.debian.org/Hardening/RepoAndImages may also help - people are aware 
:)



> Am I missing s.th.? Looking forward to suggestions!
> 
> 
> If I'm really the first one to bring this up: IMHO the simplest solution would
> be to gpg-sign the hash lists under [1]/[2] and provide signed hash lists for
> [3] as well.
> 
> 

Not the first

All the best, 

AndyC

> 
> Thanks
> 
> Daniel
> 
> 
> [1] http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/
> [2] http://d-i.debian.org/daily-images/amd64/daily/
> [3] http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/



Re: Package management and security

2007-06-08 Thread Andrew M.A. Cater
On Fri, Jun 08, 2007 at 09:56:09AM +0200, Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work, but what about my
> first question?

Don't do this :(  The pace of change in Debian stable is very slow: as 
you correctly say, fixes are back ported and so on but it is still worth 
a human being checking what is to be upgraded - running this blind from 
a cron job may mean that you miss something important. 

Take the fact that Debian Sarge was updated 7 times over 2 1/2 years - 
the last time being just hours before release of Etch. Point releases 
fix security and serious packaging bugs - each point release probably 
only contained 30 - 50 packages over a period of a few months. apt-get 
update once a week to see how much has changed and whether it is worth 
your while: then update carefully.

> Let's say debian stable has the foo-1.0 package.
> I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated
> to foo-1.0.1 for bugfix reasons.

This is fairly typical.

> Meanwhile the author of foo release version 2, debian stable will not
> upgrade the package because the version 2 add more features, have new
> dependencies, ...

2 will probably be in testing, 1 will continue in stable. Critical fixes
will be backported - if there are critical fixes which cannot be made, 
then it may be that the package will be considered for removal. This was 
one of the grounds for disagreement between Mozilla and Debian which led 
to Iceweasel: Mozilla don't want to support old versions, Debian don't 
want to just randomly change to new ones.

> And now, the author releases version 2.1, a critical security fix; there is a
> flaw found from version 1 to 2.
> The debian security team does its work and first tries to backport the
> security fix, but this time it's not possible, so they have no other choice but
> to package version 2.1 in the security channel.

Fixed in testing, backported fix to stable is the rule.

> As version 2.1 has new dependency requirements which are not installed,
> apt-get upgrade will not update that package, right?
> 

Not automatically: quite often, in these situations, maintainers produce 
a package to ease transitions.

> Even if in 99% of the time, this will work great, I can't let this 1%.

Given the scale and pace of change, it's not infeasible to check what 
will be updated and update methodically.

> I could let this 1% risk only if I have a way to be warned, the server
> sending me automatically a mail for example, but I think there is no way to
> do that because there is no way to interface ourselves with apt (no plugin
> system at that time)
> 
> Am I right?
> 
> FP
> 
> 2007/6/7, Riku Valli <[EMAIL PROTECTED]>:
> >
> >Frédéric PICA wrote:
> >> Thanks for your answer,
> >>
> >> So I need to do an apt-get dist-upgrade in my cron job to be sure to
> >> always have the latest security fixes?
> >> What's the risk of having a needed package uninstalled that way?
> >>
> >> My goal is to have the latest security fixes for a server, but I have
> >> to be sure that dist-upgrade will not break my server by removing
> >> needed packages, for example mod_php for apache or things like that.
> >>
> >> FP
> >>
> >> 2007/6/7, Riku Valli <[EMAIL PROTECTED]>:
> >>
> >> Frédéric PICA wrote:
> >> > Greets,
> >> >
> >> > I saw in 'man apt-get' that using apt-get upgrade does not
> >> > install new packages or remove an already installed package.
> >> > Is it possible that I didn't get the latest security fixes using
> >> > apt-get upgrade in a cron job?
> >> > I think particularly about security fixes that can't be
> >> > retro-ported to the debian stable version and need to upgrade the
> >> > package to the latest author available version; what's going on if
> >> > the package dependencies change? Will the security patch be installed
> >> > with its new dependencies anyway, or will the package not be
> >> > upgraded?
> >> >
> >> > Thanks for your help,
> >> > FP
> >> >
> >> >
> >> Hi
> >>
> >> apt-get upgrade only upgrades your packages to a newer version. When a
> >> package upgraded this way needs new extra packages, then upgrade
> >> can't upgrade your package. You must install it.
> >>
> >>
> >> -- Riku
> >>
> >>
> >Hi
> >
> >In the normal case when you use Debian stable, you make only update/upgrade
> >and possibly need the switch -y (assume yes for every question). At stable,
> >dependencies normally never change. This dist-upgrade is (at stable) only
> >used when you update Debian releases from older to newer.
> >
> >In an older stable there was only one kernel upgrade which needed manual
> >intervention.
> >
> >Maybe this is better explained in man aptitude, see below.
> >
> >  upgrade
> >   Upgrades installed packages to their most recent version.
> >Installed
> >   packages will not be removed unless 
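Andy's advice in this thread is to look at what would change before upgrading, and FP asks to be mailed a warning rather than trusting a blind `apt-get upgrade -y`. As an added example (not code from any poster), here is a POSIX shell script that turns `apt-get -s upgrade` simulation output into such a report, including the packages apt would keep back because of new dependencies. The sample simulation output is constructed; the `apt-get` and `mail` commands named in the comment are assumed to exist on the real host.

```shell
#!/bin/sh
# Added example: report pending (not applied) upgrades from an apt-get
# simulation, so a human can review them before running the real upgrade.
# From cron you would run (apt-get and mail assumed present on the host):
#   apt-get update -qq && apt-get -s upgrade | report | mail -s "pending upgrades" root
# The sample below is constructed so the functions can be exercised offline.

SAMPLE_SIM_OUTPUT='Reading package lists...
Building dependency tree...
The following packages have been kept back:
  foo
The following packages will be upgraded:
  bar libbaz
2 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Inst bar [1.2-1] (1.2-2 Debian-Security:stable/updates [amd64])
Inst libbaz [0.9-1] (0.9-2 Debian:stable [amd64])
Conf bar (1.2-2 Debian-Security:stable/updates [amd64])
Conf libbaz (0.9-2 Debian:stable [amd64])'

# One line per planned upgrade: "package old-version new-version origin".
pending_upgrades() {
    sed -n 's/^Inst \([^ ]*\) \[\([^]]*\)\] (\([^ ]*\) \([^ ]*\).*/\1 \2 \3 \4/p'
}

# Packages plain `upgrade` would not touch (typically because the new version
# needs dependencies that are not installed): the 1% case from the thread.
kept_back() {
    awk '/^The following packages have been kept back:/ { inblock = 1; next }
         /^[^ ]/ { inblock = 0 }
         inblock { for (i = 1; i <= NF; i++) print $i }'
}

# How many of the planned upgrades come from the security archive.
security_count() {
    pending_upgrades | awk '$4 ~ /Debian-Security/ { n++ } END { print n + 0 }'
}

# Build the mail body from simulation output on stdin.
report() {
    tmp=$(mktemp)
    cat > "$tmp"
    printf 'Pending upgrades: %s (security: %s)\n' \
        "$(pending_upgrades < "$tmp" | wc -l | tr -d ' ')" "$(security_count < "$tmp")"
    pending_upgrades < "$tmp"
    kb=$(kept_back < "$tmp" | tr '\n' ' ')
    if [ -n "$kb" ]; then
        printf 'KEPT BACK (needs manual apt-get install): %s\n' "$kb"
    fi
    rm -f "$tmp"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SIM_OUTPUT" | report
```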

Re: My machine was hacked - possibly via sshd?

2005-03-29 Thread Andrew M.A. Cater
On Tue, Mar 29, 2005 at 05:08:32PM -0500, Noah Meyerhans wrote:
> On Wed, Mar 30, 2005 at 07:16:31AM +1000, David Pastern wrote:
> > And this, in reality, is why Woody is so old.  I cannot imagine any
> > other distro providing such an old kernel.
> 
> You've got cause and effect mixed up.  Debian is not outdated *because*
> we support ancient versions of software.  We support ancient versions of
> software because we are outdated.  No distribution provides support for
> their development branch before their stable branch.
> 
It may be noticed that other distributions are switching to a longer
release cycle for "commercial/enterprise" products. Mandrake is to
switch to one release a year (and they don't commit to support for old
releases for more than about a year), Novell/SUSE are moving to an 18
month release cycle and five year support, Red Hat are moving to 18
month/two year cycle and seven year support. Given the effort that it
takes to support something through even two years of hardware change -
Debian is actually doing "the right thing" for support by releasing on
its current release cycle and the big distributions will soon start to 
feel the pain of extended support cycles as well.  Debian point
releases when they come fix security and other issues. Potato had seven
- one a couple of weeks before the new release. Woody has had four and a
fifth is in preparation.

Our main concerns are a.) Our users b.) Free software c.) Producing the
best distribution we can d.) Across a range of hardware in support of a.
and b. leading to c.

You want fast moving latest/greatest - switch your apt-get to
sid/unstable. You want tested software that is reasonably up to date -
switch to sarge/testing (soon sarge/stable). [Testing changes on a
fairly regular basis.] You want rock solid software you don't want to
touch for six months - switch to woody/stable. It really is that simple.

You can use pinning to pull in some packages from testing to stable or 
whatever if you really must.

Just IMHO

Andy



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Linux clients in network - experiences?

2004-03-20 Thread Andrew M.A. Cater
On Sat, Mar 20, 2004 at 03:41:20AM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> Yo!
> 
> So far, my experience was with administrating smallish servers and mostly 
> stand-alone clients. The future shines bright, however, and I may soon be in 
> a position to do much more than that.  But, lacking experience, I now need 
> some advice.
> 
> Environment: typical office environment, no or few 'special' applications. 
> 20-50 clients. Friendly $BOSS who hates M$, also, there's not much to migrate 
> as this is pretty much start from scratch. (So it's quite an engineer's 
> dream). Security is *very* important.
> 
> as 'apt-get install foo'.
> 
> Office: 
> I guess OpenOffice (or perhaps StarOffice) is more or less the default here. 
> Perhaps some find that koffice or the gnome counterparts can realistically be 
> considered (for people who will receive word/excel/pp documents from their 
> customers etc.)?
OpenOffice.org
gnumeric
magicpoint?? - presentations
scribus?? - PDF

> 
> 'Collaborative work'
>  - evolution is quite mature - but iirc it required a MS Outlook server for 
> the calendar application to work for groups. Is this still true?
I think that's not necessarily true.  Evolution is a no brainer for 
anyone used to Outlook, IMHO.
>  - wiki: which one? Focus on usability by people who have no idea what this 
> is.
> 
Any - but give them the chance to settle on the other stuff first :)
> Business software:
>  - financial: sqlledger? How good is it really? How advanced is the thing in 
There is a Canadian "thing" but I can't remember what it's called.
>  - ticketing: phpgroupware has one. request-tracker is quite good. double 
> choco latte and bugzilla are available, too. I guess I'll just go with 
> request-tracker since I know that a bit. Might be abused as a crm with a bit 
> tweaking, I guess.
> 
> Server/network set up
>  - unix account management: I suspect NIS is not really an option in a 
> security conscious environment (just hearsay, though, I'll look at it). 
> Kerberos? With pam there should be no problem with integration. Others?
LDAP of some sort, potentially
>  - networked filesystem. NFS is certainly not the right tool here. 
> AFS/Coda/Intermezzo? Or Lustre? Others? For this and the above, it would be 
> nice if laptops could be integrated more or less nicely. Also, if the data 
> would be encrypted on the wire this would be an added bonus.
Work out what you need to share. NFS may do: Samba exporting shared
directories may do. Don't predicate everything on one enormous shared
file system - the larger it is, the harder it is to do backups :)
>  - authentication: I favor USB tokens (since ssh/pgp secret keys could be 
> stored there, too). $BOSS wants fingerprint auth. What solutions do exist (I 
> see there's an ITP out for libpam-usb. What about Linux-supported 
> fingerprinting systems? Laptops?)
>  - firewalls/routers: build my own, or buy? (I see an endless debate coming 
> here :-)
Build: iptables should do almost anything you need. If you really need
wireless, then a commercially made small router/switch/access point
might be useful.  Stripped down Debian is a good start here anyway.
> 
> Hardware:
>  - Dual head: what is available with good Linux support? How much tweaking 
> does Debian (think sarge) need (KDE? Gnome?)? (Ok, this will change every few 
> months, so I'll need to do that research again when this actually comes).
Matrox ?? [Flightgear flight simulator :) ]
>  - ok, this would be on the server side: RAID and hotswapping. I personally 
> like software raid since I can swap controllers without problems. The 
> software RAID HOWTO says it's possible with SCSI hardware, impossible to do 
> reliably with IDE. This still true? (SATA?)
SATA supported well as of 2.4.25.  Avoid cheap IDE raid cards. Expensive
IDE raid cards are fine. Linux software raid now possible on any disk
AFAIK. Hotswapping may always be more problematic.
> 
> Misc:
>  - What experience do you have with setting the default locale to something 
> like de_CH.UTF-8? Personally, I have quite a good impressions, but my primary 
> tools are kmail, xterm, vi and konqueror - I rarely use any office 
> applications. There will mostly be ???, perhaps a few slavic characters. No 
> right-to-left, cyrillic, chinese or korean except in spam mail.
>  - what is the color of my briefs?
> 
> Ok, enough for a few weeks, I guess :-)
> Thanks already for those who take the time. 
> 
> Greetings
> -- vbi
> 
> -- 
> Will the information superhighway have any rest stops?

Not an expert - just my first thoughts.

Andy


