On Mon, Jan 3, 2011 at 7:06 PM, Naja Melan <najame...@gmail.com> wrote:
> I totally agree, but from my position as an end user I can only start by > raising the issues I can observe because I am confronted with them. I don't > know the security policies for debian/fedora developers if those even exist > or whether they are being executed properly. I can only raise a point and > draw my conclusions from how serious it is being taken to assess the general > trust I decide to put in a certain product. I should note that I am little more than an interested Debian user. I can't speak for the Debian project. Though I do find the subject interesting enough to pursue discussion. > I suppose they just choose https, as the basis of their security, which > obviously only protects the transporting. The key is signed by two other > keys though but verification suffers from the same limitation as with debian > of course. I believe the underlying issue is assuring the integrity of the software being downloaded from whatever source (keeping in mind how Debian, as well as many other distros, uses mirrors). I can see how HTTPS can be beneficial. But ultimately, I think too much emphasis / trust is being put on HTTPS in this conversation. If you can solve the issue of trusting a signing key, then you are a lot further along with the issue of integrity since it can be applied to more than just MITM attacks. And again - I think MITM is the lesser risk here. The web of trust issue is core to a decentralized system like PGP. The issue, as I see it, is understanding how PGP works and how to make reasonable judgments on when one trusts a key. Having to do this has always been both an advantage and a disadvantage of PGP. It takes some effort. But then, there are times when you can't reasonably get around that. Documentation (and good end user judgment) is probably the way to tackle this. > That is true and good, but these instructions only speak about md5, which > means that the other hashes are probably only used by people who know why > not use md5. That would probably be the easiest thing to address - update documentation to no longer use MD5, even if it is still made available to those who insist on using it. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/aanlkti=+dwd_m2u6s7jobj1mf_p2dbfpqbijidcse...@mail.gmail.com
