[sf-lug] Security of mirrors

Rick Moen rick at linuxmafia.com
Wed Mar 31 10:15:12 PDT 2010


I wrote:

> Are your packages cryptographically signed, and does your package
> manager check the signing key and error out if it's not OK?  If so, then
> as long as you take care to accept only valid signing keys into your
> keyring, it doesn't _matter_ if the mirror is compromised.
            ^^^^^^^^^^^^^^^^^^

I'd better carefully qualify what I'm saying, or quibblers will quickly
emerge:  I mean "it doesn't matter" solely in the sense that the
compromised mirror site cannot be used to send you compromised software.
That doesn't preclude doing you harm in more subtle and indirect ways,
the most obvious of which would be to withhold from the archive vital 
security update packages, as a result of which your systems never
receive important security patches.

This is why the security.debian.org package archive, unlike the regular
Debian package archives, has no mirror network, and is monitored more
carefully than the rest.





More information about the sf-lug mailing list