On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:
>
> This education could be done in two steps: first, create a policy and
> link to it from debian-devel-announce; second, make this required
> reading for the NM procedure (similar to the 'DMUP' and 'SC/DFSG'
> questions that NMs need to agree to in a signed mail). In the case of
> Debian, I think it's fair to assume people do not want security
> breaches, which may or may not be the case for other organizations.

Hi all,

I think that it is an excellent idea. A few years ago I had a passwordless SSH key on Alioth. I shamefully realised my mistake (and hereby deeply apologise to the admins), but now feel very scared about operations on the Debian network: am I making other mistakes like this by ignorance?

During the recent discussion about DSA and RSA keys I realised that things that were obvious to some are not obvious to me (for instance, that DSA keys should not be used. I only saw this recommendation in Debian. There is no such rule at my workplace, where SSH authentication on our workstations is mandatory).

I really agree with Wouter that a simple policy ruling how to not make beginner's mistakes with one's SSH and GPG key, how to not get one's own home Debian server hacked (1),… would be a great enhancement to Debian's security. For the reasons exposed above, I cannot propose myself to write it ;)

(1) I have always been wondering about the following:
 - a malicious person gets the list of all DDs,
 - identifies those who have a home Debian server,
 - selects those who are on a distant timezone or on vacation,
 - patiently waits until a DSA for a grave issue is issued,
 - gets control of some machines in the delay between DSA publication and cron installation of the security updates,
 - exploits this position to do really bad things afterwards.

Have a nice day,

--
Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan