Re: [ubuntu-studio-devel] Important: Ubuntu/Debian Security Hole

2016-08-31 Thread Ralf Mardorf
On Tue, 30 Aug 2016 23:04:40 +0200, Ralf Mardorf wrote:
>On Tue, 30 Aug 2016 15:31:07 -0500, Yoshi wrote:
>>There is allegedly a recently published security hole in the
>>"Ubuntu/Debian update mechanism" involving authentication and
>>signatures.  
>
>What is the source of this vague "information"?
>
>>You are welcome to forward this message as is to anyone else in the
>>Ubuntu Development community, but I won't be speculating on nor
>>elaborating about the issue.  I'm not a programmer, so I wouldn't know
>>how to talk about it anyhow.  
>
>You already started talking about it.

PS:

On Wed, 31 Aug 2016 08:11:12 +0200, Set Hallstrom wrote:
>Got to be referring to this:
>https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html

See
  https://lists.ubuntu.com/archives/ubuntu-users/2016-August/287193.html

On Wed, 31 Aug 2016 03:11:29 -0400, lukefro...@hushmail.com wrote:
>For me this adds still more packages to what I have to build from
>source, starting with the kernel.

If signing per se were the real issue, then it wouldn't matter
whether you checked the source by its key
  https://www.kernel.org/signature.html
or a binary package by its key.

Regards,
Ralf

-- 
ubuntu-studio-devel mailing list
ubuntu-studio-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel


Re: [ubuntu-studio-devel] Important: Ubuntu/Debian Security Hole

2016-08-31 Thread Ralf Mardorf
On Tue, 30 Aug 2016 15:31:07 -0500, Yoshi wrote:
>There is allegedly a recently published security hole in the
>"Ubuntu/Debian update mechanism" involving authentication and
>signatures.

What is the source of this vague "information"?

>You are welcome to forward this message as is to anyone else in the
>Ubuntu Development community, but I won't be speculating on nor
>elaborating about the issue.  I'm not a programmer, so I wouldn't know
>how to talk about it anyhow.

You already started talking about it.




Re: [ubuntu-studio-devel] Important: Ubuntu/Debian Security Hole

2016-08-31 Thread lukefromdc
I was thinking there is one way to slow down but not stop this attack at the
server level, and it works only if the package is both downloaded over https
and signed: that is to have the packages and their signing keys on one server
and the ssh keys on a physically different box, so any attack requires
simultaneous attacks on two machines. Any chance an account as big as Ubuntu
on a cloud service would get this simply because they were too big for one
box (node)?

On 8/31/2016 at 9:20 AM, "Ralf Mardorf"  wrote:
>
>On Tue, 30 Aug 2016 23:04:40 +0200, Ralf Mardorf wrote:
>>On Tue, 30 Aug 2016 15:31:07 -0500, Yoshi wrote:
>>>There is allegedly a recently published security hole in the
>>>"Ubuntu/Debian update mechanism" involving authentication and
>>>signatures.  
>>
>>What is the source of this vague "information"?
>>
>>>You are welcome to forward this message as is to anyone else in the
>>>Ubuntu Development community, but I won't be speculating on nor
>>>elaborating about the issue.  I'm not a programmer, so I wouldn't know
>>>how to talk about it anyhow.  
>>
>>You already started talking about it.
>
>PS:
>
>On Wed, 31 Aug 2016 08:11:12 +0200, Set Hallstrom wrote:
>>Got to be referring to this:
>>https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html
>
>See
>  https://lists.ubuntu.com/archives/ubuntu-users/2016-August/287193.html
>
>On Wed, 31 Aug 2016 03:11:29 -0400, lukefro...@hushmail.com wrote:
>>For me this adds still more packages to what I have to build from
>>source, starting with the kernel.
>
>If signing per se were the real issue, then it wouldn't matter
>whether you checked the source by its key
>  https://www.kernel.org/signature.html
>or a binary package by its key.
>
>Regards,
>Ralf




Re: [ubuntu-studio-devel] Important: Ubuntu/Debian Security Hole

2016-08-31 Thread lukefromdc
This is REALLY ugly, and suggests keyservers be dedicated machines that
are not co-hosted with anything and don't co-host anything. Until then it
means GCHQ can probably crack Ubuntu's keys if they are hosted in the UK.

This sort of thing makes substituting binaries built from alternate source much
easier and far safer when an attacker knows nobody can check them. The 
"cloud" never has been safe and never can be safe, there will always be another
mode of attack. Keyservers are so sensitive they should be dedicated machines
in locations that are either never left unguarded or at least protected by
tamper-evident physical seals (tell-tales).

For me this adds still more packages to what I have to build from source,
starting with the kernel. I'm not making any new encryption keys on recently
downloaded binary kernels in light of this.

On 8/31/2016 at 2:11 AM, "Set Hallstrom"  wrote:
>
>On 2016-08-30 22:31, Yoshi wrote:
>>  security hole in the
>> "Ubuntu/Debian update mechanism" involving authentication and
>> signatures
>
>Got to be referring to this:
>https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html
>
>"breaking OpenSSH public-key authentication, and forging GPG 
>signatures
>from trusted keys"
>
>Sounds like hard times for security experts and the web of trust. 
>:(
>
>-- 
>Set Hallstrom aka sakrecoer


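The attack behind the link Set Hallstrom posted, and the one lukefromdc's key-separation proposal is meant to slow down, comes down to a single bit flipped in a trusted RSA public key: the flipped modulus is usually much easier to factor than the genuine one, so an attacker who can factor it computes a matching private exponent and signs whatever the victim then verifies with the corrupted key. The toy model below is added here as a worked example; it is not code from any poster, nor from Ubuntu, Debian, apt or GnuPG. It uses a 20-bit modulus so plain trial division can factor it (a real key needs a real factoring effort), shows the forgery verifying under the flipped key but not the genuine one, and shows the one cheap client-side check available: comparing the fingerprint of the key actually held in memory against a reference copy. The prime pair, the exponent, the "package" bytes and the flip search are all constructed for illustration.

```python
"""
Toy model of a bit-flip attack on an RSA public key (added example, not from
the list thread or any distribution's tooling). Numbers are tiny so trial
division can factor them; real keys are 2048+ bits and the attacker has to
factor the flipped modulus with serious machinery. All values constructed.
"""
import hashlib
from math import gcd

# Constructed toy key: two small primes standing in for a real modulus.
P, Q = 1009, 1013
N = P * Q          # 1022117, the genuine public modulus
E = 65537          # the usual public exponent


def factor(n):
    """Trial-division factorisation; returns prime factors with multiplicity."""
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def private_exponent(n, e):
    """Return d for modulus n when n is squarefree and e is invertible mod phi(n),
    else None. Squarefree keeps textbook RSA correct for every message (CRT)."""
    fs = factor(n)
    if len(fs) != len(set(fs)):
        return None
    phi = 1
    for p in fs:
        phi *= p - 1
    if gcd(e, phi) != 1:
        return None
    return pow(e, -1, phi)


def digest_int(data, n):
    """Hash the signed bytes to an integer below the modulus (toy padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, d, n):
    return pow(digest_int(data, n), d, n)


def verify(data, sig, e, n):
    return pow(sig, e, n) == digest_int(data, n)


def fingerprint(n, e):
    """Fingerprint over the public key bytes, the kind of value a keyring or
    sshd compares against a stored reference."""
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(blob).hexdigest()


def find_forgeable_flip(n, e):
    """Attacker's search: lowest bit position whose flip gives a modulus the
    attacker can derive a private exponent for. Returns (bit, n', d) or None."""
    for bit in range(n.bit_length()):
        n_flipped = n ^ (1 << bit)
        if n_flipped < 3:
            continue
        d = private_exponent(n_flipped, e)
        if d is not None:
            return bit, n_flipped, d
    return None


def demo():
    """Genuine signature, forged signature under the flipped key, and the
    fingerprint mismatch that a reference copy of the key would reveal."""
    d_genuine = private_exponent(N, E)           # only the real signer has this
    package = b"linux-4.7.2.tar (constructed stand-in for a signed artifact)"
    genuine_sig = sign(package, d_genuine, N)

    bit, n_bad, d_bad = find_forgeable_flip(N, E)  # attacker's derived key
    trojan = b"linux-4.7.2.tar with a backdoor (constructed stand-in)"
    forged_sig = sign(trojan, d_bad, n_bad)

    return {
        "flipped_bit": bit,
        "flipped_modulus": n_bad,
        "genuine_ok_with_real_key": verify(package, genuine_sig, E, N),
        "forgery_ok_with_flipped_key": verify(trojan, forged_sig, E, n_bad),
        "forgery_ok_with_real_key": verify(trojan, forged_sig, E, N),
        "fingerprint_changed": fingerprint(N, E) != fingerprint(n_bad, E),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows bit 1 as the first usable flip (bit 0 gives a modulus divisible by 4, which this toy rejects), the forged signature verifying under the flipped modulus and failing under the genuine one, and the two fingerprints differing. The fingerprint comparison only helps if the reference copy lives somewhere the attacker cannot also flip, which is the practical argument for keeping signing and authentication keys on dedicated, uncontended hardware rather than on shared cloud nodes.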