[sf-lug] (forw) Re: (forw) Re: Something new on Distrowatch and Ubuntu variants.

Bobbie Sellers bliss-sf4ever at dslextreme.com
Mon Apr 26 21:55:05 PDT 2021

On 4/26/21 8:15 PM, Rick Moen wrote:
> Bobbie wrote:
>> Assuming the stupid hackers have put a trojan in the iso file, and
>> added the checksum for the bad iso file, what is to keep them from
>> falsifying the signature as well?
> The fact that you have established a meaningful trust path to do so.
> You acquired the development team PGP signing key in a way that gives
> you meaningful grounds for belief that it is genuine, if only because,
> say, it's now 2021 and you got the keyring directly from what you
> believed to be the developer site in 2015, six years ago, it has been
> unchanged in the developer's Web pages and source code repository all
> the time since then, and you have reasonable faith that over six years
> some alert person would have noticed the fake signing key.
> This is not playing-around imitation of the outer appearance of
> security, Bobbie.  This is _actual_, serious security.  The details have
> been gone over by experts in extreme detail with a skeptical eye.
> If you decide "Well, it can't actually be serious", then you lose -- and
> so does anyone who makes the mistake of trusting your ISOs (without
> verification).
>> For many long years signatures were not available and my iso files
>> generally worked.
> Bullshit.
> Only extremely rare distro ISOs have failed to provide release
> signatures, e.g., Linux Mint at first was that lax.  They learned the
> hard way that this was a really bad idea.

     Well, when I started downloading iso files and creating installation and
live boot disks there were no signatures available.
> Bobbie, kindly do not try to convince me of things that are
> spectacularly wrong about Linux distributions.  I've been at this for a
> very, very long time, and unlike you have actually been part of a team
> of distro maintainers.

     I never saw signatures for DSL.
>> I have seen viruses on Windows and boot viruses on Amiga.  On Windows
>> I caught them with ClamAV from one or another of the numerous
>> distributions I used to run.  When I first got acquainted with Linux I
>> tried out lots of distributions.  On the Amiga with an Amiga specific
>> anti-Virus software which I downloaded and there were no checksums
>> much less signatures at all in those days.  The virus arrived on the
>> bootblock of an 'on floppy disk' magazine.  I informed the publisher
>> and he corrected the problem.
> That's very nice, but utterly irrelevant and misses the point.
> You would not be able to detect a trojaned distro ISO using AV software
> (in general), for reasons that should be obvious.  Moreover, it's far
> simpler to just validate PGP signatures, which also actually works.
> I'm not going to keep debunking irrelevancies, Bobbie.  If you wish to
> keep spewing justifications for an outright negligent blunder, that is
> your problem, not mine, and I am not going to work my fingers to the
> bone trying to teach someone who is refusing to listen.
>> A downloaded Iso may match checksums and signatures and still be
>> unusable due to corrupted install scripts and I have been dealing with
>> such over the past few months.
> This _obviously_ is by definition irrelevant to the discussion.  Neither
> checksums nor developer release signatures aspire to ensure that the
> contents of a distribution is un-buggy, merely that the download is
> uncorrupted in transit and is genuinely what the developer(s) released.
> You already knew that, so why are you wasting everyone's time blowing
> smoke that you know is completely irrelevant?
>> Oh and if members are nervous about the iso files and image files I
>> download then they can get the checksum and the signature files and
>> check the isos themselves.
> They can indeed compensate after the fact for your negligence and lack
> of due diligence.
> I merely called your attention to your negligence and lack of due
> diligence.
>> Have a good afternoon all who are reading...
> But you carelessly sent it offlist in private mail.  Again.
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> SF-LUG is at http://www.sf-lug.org/
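The pinned-key verification Rick describes above, shown end to end as an added example (this is not code from the thread, nor any distro's own tooling; it assumes gpg and sha256sum are installed, and every key, image and checksum file is constructed locally in a temp dir):

```shell
#!/bin/sh
# Added example (not from the thread): pinned-key verification of a distro
# release. Assumes gpg and sha256sum are installed. Every key, "ISO" and
# checksum file is constructed in a temp dir; nothing is downloaded.
set -eu

# gpg wrapper: isolated keyring, non-interactive, passphrase-less test keys.
g() { h=$1; shift; gpg --homedir "$h" --batch --yes --pinentry-mode loopback \
        --passphrase '' "$@" 2>/dev/null; }
fpr() { g "$1" --with-colons --list-keys | awk -F: '/^fpr/ {print $10; exit}'; }

# verify_release RELEASE_DIR USER_KEYRING PINNED_FPR
# Succeeds only if SHA256SUMS carries a good signature made by exactly the
# pinned key (VALIDSIG reports the signer's fingerprint) AND the image
# matches the signed checksum. A matching checksum alone proves nothing:
# whoever replaced the ISO on the server could replace SHA256SUMS too.
verify_release() {
    g "$2" --status-fd 1 --verify "$1/SHA256SUMS.gpg" "$1/SHA256SUMS" \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 " || return 1
    (cd "$1" && sha256sum -c --quiet SHA256SUMS) >/dev/null 2>&1
}

# Returns 0 when the genuine release verifies and the tampered one is rejected.
run_scenario() {
    t=$(mktemp -d); rc=1
    mkdir -m 700 "$t/dev" "$t/user" "$t/evil" "$t/site"
    # Years ago: the developers created their signing key and the user
    # imported it from the project site; its fingerprint is what gets pinned.
    g "$t/dev" --quick-gen-key 'Distro Release Key (constructed)' ed25519
    pin=$(fpr "$t/dev")
    g "$t/dev" --export | g "$t/user" --import
    # Genuine release: image, SHA256SUMS, detached signature over SHA256SUMS.
    printf 'genuine image bytes\n' > "$t/site/distro.iso"
    (cd "$t/site" && sha256sum distro.iso > SHA256SUMS)
    g "$t/dev" --detach-sign --output "$t/site/SHA256SUMS.gpg" "$t/site/SHA256SUMS"
    if verify_release "$t/site" "$t/user" "$pin"; then
        # Site compromise: attacker swaps the image, regenerates SHA256SUMS (so
        # sha256sum -c still passes) and re-signs with a look-alike key the user
        # even imported from the now-hostile site. Only the pin rejects it.
        printf 'trojaned image bytes\n' > "$t/site/distro.iso"
        (cd "$t/site" && sha256sum distro.iso > SHA256SUMS)
        g "$t/evil" --quick-gen-key 'Distro Release Key (impostor)' ed25519
        g "$t/evil" --export | g "$t/user" --import
        g "$t/evil" --detach-sign --output "$t/site/SHA256SUMS.gpg" "$t/site/SHA256SUMS"
        verify_release "$t/site" "$t/user" "$pin" || rc=0
    fi
    rm -rf "$t"; return $rc
}
run_scenario && echo "genuine release accepted, tampered release rejected"
```

The pin is the point: import the key once from a source you trusted, record its fingerprint, and check every later release against that fingerprint rather than against whatever key the download site offers today.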
