On 16 October 2013 11:12, Marc Haber <mh+debian-de...@zugschlus.de> wrote:
> On Tue, 15 Oct 2013 12:54:36 +0200, Dominik George <n...@naturalnet.de>
> wrote:
>>> Some of the source packages were caught on a gateway anti-virus scanner
>>> while downloading.
>>
>> Using a gateway anti-virus scanner for downloads from the Debian archive
>> seems a bit inappropriate, well, paranoid. Checking the signed hashsums
>> would seem a lot better to verify the downloads; if Debian's
>> infrastructure were compromised so viruses could get in *and* be signed,
>> we and you have other problems.
>
> In many organisations it would be a _huge_ hassle to be allowed to
> download Debian packages directly while bypassing the gateway scanner.
> It might even lead to a knee-jerk reaction like "This Debian thingy
> keeps setting off our security alerts, let's ban it and use a
> supported enterprise distro".
I have to join Marc here and say "me too". In my organisation we actually have
those controls in place (antivirus/antimalware) in the Internet gateways, and we
do not disable them for specific traffic flows unless a detailed risk analysis
has been done (and approved). Following a defence-in-depth approach, we don't
rely on a single control as Dominik proposes (check signed hashsums and you are
done) but also inspect any incoming data from the Internet. From my point of
view this is not being paranoid, it is implementing best security practices.

Regards

Javier

Archive: http://lists.debian.org/cab9b7ut0vokr53svvasbeugendknegkqcpsmpku2wqahizq...@mail.gmail.com
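The "check the signed hashsums" step that Dominik refers to in the quoted
reply, spelled out as an added example (this is not code from the thread, from
Debian or from apt): the archive key signs InRelease, InRelease lists the
SHA256 and size of every index file, and each index lists the SHA256 and size
of every .deb, .dsc and tarball. Only the top of that chain carries a
signature; everything below it is trusted through hashes, so a downloader has
to check both the signature and every hash it descends through. The parser
below handles the checksum stanza shared by Release/InRelease (`SHA256:`),
Sources indexes and .dsc files (`Checksums-Sha256:`), so the same code
covers both the index step and the source-package step that dscverify
performs. The `gpgv` call and the keyring path are assumptions, and the
Release fragment and Packages index are constructed here for the example.

```python
"""Verify a Debian archive file against the checksum listing in a signed
Release, Sources or .dsc file.

Added example; not code from the mailing-list thread, Debian or apt.
"""
import hashlib
import subprocess
from typing import Dict, Tuple


def parse_checksum_field(text: str, field: str) -> Dict[str, Tuple[str, int]]:
    """Parse a multi-line checksum field from a Release, Sources or .dsc file.

    The field looks like
        SHA256:                    (Release / InRelease)
        Checksums-Sha256:          (Sources index, .dsc)
         <hex digest> <size> <path>
    with one entry per space-indented continuation line.
    Returns {path: (lower-case hex digest, size in bytes)}.
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in text.splitlines():
        if not in_field:
            if line.rstrip() == field + ":":
                in_field = True
            continue
        if not line.startswith(" "):
            break  # first non-indented line ends the stanza
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, path = parts
        entries[path] = (digest.lower(), int(size))
    if not in_field:
        raise ValueError(f"no {field} field found")
    return entries


def verify_against(listing: Dict[str, Tuple[str, int]], path: str, data: bytes) -> bool:
    """True iff `data` has the size and SHA-256 the signed listing records for `path`.

    A path that the listing does not cover is an error, not a pass: a file
    that nothing signed vouches for must not be treated as verified.
    """
    if path not in listing:
        raise KeyError(f"{path} is not covered by the signed listing")
    expected_digest, expected_size = listing[path]
    if len(data) != expected_size:
        return False
    return hashlib.sha256(data).hexdigest() == expected_digest


def verify_inrelease_signature(inrelease_path: str, keyring: str) -> bool:
    """Check the clear-signed InRelease file with gpgv, the verifier apt uses.

    Assumed invocation: gpgv exits 0 only if the signature verifies against a
    key in `keyring` (for Debian typically the debian-archive-keyring file).
    Not exercised by the constructed sample below.
    """
    result = subprocess.run(["gpgv", "--keyring", keyring, inrelease_path],
                            capture_output=True)
    return result.returncode == 0


# --- Constructed sample data (not from any real mirror) ---------------------
SAMPLE_PACKAGES = (
    b"Package: example\n"
    b"Version: 1.0-1\n"
    b"Architecture: amd64\n"
    b"\n"
)
# The digest is computed from the sample so the fragment is self-consistent.
SAMPLE_RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)}"
    " main/binary-amd64/Packages\n"
    "Description: constructed sample, terminates the SHA256 stanza\n"
)
# Same length, one byte different: the size check passes, the hash must not.
TAMPERED_PACKAGES = SAMPLE_PACKAGES.replace(b"1.0-1", b"1.0-2")


def check_sample() -> Tuple[bool, bool]:
    """Return (genuine_ok, tampered_ok) for the constructed sample."""
    listing = parse_checksum_field(SAMPLE_RELEASE, "SHA256")
    path = "main/binary-amd64/Packages"
    return (verify_against(listing, path, SAMPLE_PACKAGES),
            verify_against(listing, path, TAMPERED_PACKAGES))


if __name__ == "__main__":
    print(check_sample())
```

The order matters in practice: run `verify_inrelease_signature` on the
downloaded InRelease first, and only then parse its listing, otherwise the
hashes being checked against are themselves untrusted. The same
`parse_checksum_field(dsc_text, "Checksums-Sha256")` call then verifies the
tarballs named in a .dsc after that file's own signature has been checked.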