On Mon, Sep 22, 2003 at 07:56:06AM +0200, Florian Weimer wrote:

> On Sun, Sep 21, 2003 at 01:15:37PM -0400, Matt Zimmerman wrote:
>
> > Can you elaborate on the reasons why you feel that Debian is not
> > suitable for the recipients of these recommendations?
>
> If you install stable and activate convenient security updates via
> apt-get, you rely on the integrity of the network (and
> security.debian.org, but that's hard to avoid). Things are even worse if
> you add sources.list lines for regular updates (or even unstable) because
> now, mirrors are used and you trust them. As a result, there are a few
> machines which, when compromised, threaten the integrity of at least some
> of our Debian machines (not quite single points of ownership, but they
> come close).

A great deal of work has been done in this area. See
http://bugs.debian.org/203741 for information. It would be great if you
would like to help with this.

> Of course, there is always the signed DSA with the md5sums, but checking
> this data is rather inconvenient.

These documents are intentionally structured so that they are
straightforward to parse; the HTML advisories are already generated
semi-automatically.

> Default mailcap handling leaves something to be desired, too.

Can you be more specific? Are there bugs filed?

-- 
 - mdz
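An added example, not from this thread, of the md5sum check Florian calls inconvenient: a small Python script that parses the "Size/MD5 checksum:" lines of a DSA-style advisory (the two-line URL/checksum layout is assumed from the advisory mails) and verifies downloaded package files against them. It assumes the advisory's PGP signature has already been verified separately; this only covers the per-file checksums.

```python
import hashlib
import re
from typing import Dict, Tuple

# Assumed DSA layout: a URL line, then "Size/MD5 checksum: <size> <md5>".
_URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
_SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s+(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_advisory(text: str) -> Dict[str, Tuple[int, str]]:
    """Map each package filename (last URL component) to (size, md5)."""
    expected: Dict[str, Tuple[int, str]] = {}
    pending_url = None
    for line in text.splitlines():
        m = _URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = _SUM_RE.match(line)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            expected[name] = (int(m.group(1)), m.group(2).lower())
            pending_url = None
    return expected


def verify_file(name: str, data: bytes, expected: Dict[str, Tuple[int, str]]) -> str:
    """Check a fetched file (bytes) against the advisory; returns a status string."""
    if name not in expected:
        return "unlisted"          # advisory says nothing about this file
    size, md5 = expected[name]
    if len(data) != size:
        return "size-mismatch"     # cheap check before hashing
    if hashlib.md5(data).hexdigest() != md5:
        return "md5-mismatch"      # mirror served something else
    return "ok"


# Constructed sample: one advisory entry and a stand-in for the fetched .deb.
SAMPLE_DEB = b"this stands in for a .deb fetched from a mirror\n"
SAMPLE_ADVISORY = f"""
  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/foo/foo_1.0-1_i386.deb
      Size/MD5 checksum:   {len(SAMPLE_DEB)} {hashlib.md5(SAMPLE_DEB).hexdigest()}
"""

if __name__ == "__main__":
    table = parse_advisory(SAMPLE_ADVISORY)
    print(verify_file("foo_1.0-1_i386.deb", SAMPLE_DEB, table))
```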