On Tue, 30 Aug 2016 23:04:40 +0200, Ralf Mardorf wrote:
>On Tue, 30 Aug 2016 15:31:07 -0500, Yoshi wrote:
>>There is allegedly a recently published security hole in the
>>"Ubuntu/Debian update mechanism" involving authentication and
>>signatures.
>
>What is the source of this vague "information"?
On Tue, 30 Aug 2016 15:31:07 -0500, Yoshi wrote:
>There is allegedly a recently published security hole in the
>"Ubuntu/Debian update mechanism" involving authentication and
>signatures.
What is the source of this vague "information"?
>You are welcome to forward this message as is to anyone else
I was thinking there is one way to slow down but not stop this attack at the server level, and it works only if the package is both downloaded over https and signed: that is to have the packages and their signing keys on one server and the ssh keys on a physically different box, so any attack re
This is REALLY ugly, and suggests keyservers be dedicated machines that
are not co-hosted with anything and don't co-host anything. Until then it
means GCHQ can probably crack Ubuntu's keys if they are hosted in the UK.
This sort of thing makes substituting binaries built from alternate source muc
On 2016-08-30 22:31, Yoshi wrote:
> security hole in the
> "Ubuntu/Debian update mechanism" involving authentication and
> signatures
Got to be referring to this:
https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html
"breaking OpenSSH public-key authentication, and forging GPG sign
To: Ubuntu Studio developers
There is allegedly a recently published security hole in the
"Ubuntu/Debian update mechanism" involving authentication and
signatures. Please relay this info up your development ladders to those
who may know how to approach fixing and closing the hole. And if you
gu