On Sun, Jun 8, 2008 at 7:00 PM, Jacob Appelbaum <[EMAIL PROTECTED]> wrote:
> Your thoughts on this subject are really fascinating. Because while I
> agree that the idea of "security by obscurity" as the only line of
> defense is flawed, you're making assumptions and value judgments that
> seem beyond your abilities. I question your security knowledge and
> capabilities.

Yeah, yeah. Whatever dude.

> [snip, snip]
> Have you found some actual security issue with the mirror? Are the
> packages tampered with? Are the signatures invalid?

No, I haven't found an actual security issue with the mirror. And I don't believe in waiting for someone to raise a security issue to determine the actual security of a system. Surely you would agree that there are acceptable minimums.

I do think that it would be prudent for the Debian Security and Mirror teams to know the specifics about their mirror ops. And I say that as former v.d.o mirror op, where my experience revealed little concern over mirror operators.

The mirror in this instance seems to fall into one of two cases:

1) Security by Obscurity plus possible unknown foo.
2) Bored opers having fun.

I would think that neither of those cases immediately passes muster with concerned security minded folks.

And, just because you are OK with it, it doesn't mean I have to be. ;-)

-Jim P.