[ubuntu-studio-devel] Important: Ubuntu/Debian Security Hole
lukefromdc at hushmail.com
lukefromdc at hushmail.com
Wed Aug 31 07:11:29 UTC 2016
This is REALLY ugly, and suggests keyservers be dedicated machines that
are not co-hosted with anything and don't co-host anything. Until then it
means GCHQ can probably crack Ubuntu's keys if they are hosted in the UK.
This sort of thing makes substituting binaries built from alternate source much
easier and far safer when an attacker knows nobody can check them. The
"cloud" never has been safe and never can be safe, there will always be another
mode of attack. Keyservers are so sensitive they should be dedicated machines
in locations that are either never left unguarded or at least protected by tamper-evident
physical seals(tell-tales).
For me this adds still more packages to what I have to build from source, starting
with the kernel. I'm not making any new encryption keys on recently downloaded
binary kernels in light of this.
On 8/31/2016 at 2:11 AM, "Set Hallstrom" <set at ubuntustudio.org> wrote:
>
>On 2016-08-30 22:31, Yoshi wrote:
>> security hole in the
>> "Ubuntu/Debian update mechanism" involving authentication and
>> signatures
>
>Got to be reffering to this:
>https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html
>
>"breaking OpenSSH public-key authentication, and forging GPG
>signatures
>from trusted keys"
>
>Sounds like hard times for security experts and the web of trust.
>:(
>
>--
>Set Hallstrom aka sakrecoer
More information about the ubuntu-studio-devel
mailing list