[ubuntu-studio-devel] Important: Ubuntu/Debian Security Hole

lukefromdc at hushmail.com lukefromdc at hushmail.com
Wed Aug 31 17:43:19 UTC 2016


I was thinking there is one way to slow down, but not stop, this attack at the server
level, and it works only if the package is both downloaded over https and signed:
that is to have the packages and their signing keys on one server and the ssh keys
on a physically different box, so any attack requires simultaneous attacks on two
machines. Any chance an account as big as Ubuntu on a cloud service would get
this simply because they were too big for one box (node)?

On 8/31/2016 at 9:20 AM, "Ralf Mardorf" <ralf.mardorf at rocketmail.com> wrote:
>
>On Tue, 30 Aug 2016 23:04:40 +0200, Ralf Mardorf wrote:
>>On Tue, 30 Aug 2016 15:31:07 -0500, Yoshi wrote:
>>>There is allegedly a recently published security hole in the
>>>"Ubuntu/Debian update mechanism" involving authentication and
>>>signatures.  
>>
>>What is the source of this vague "information"?
>>
>>>You are welcome to forward this message as is to anyone else in the
>>>Ubuntu Development community, but I won't be speculating on nor
>>>elaborating about the issue.  I'm not a programmer, so I wouldn't know
>>>how to talk about it anyhow.  
>>
>>You already started talking about it.
>
>PS:
>
>On Wed, 31 Aug 2016 08:11:12 +0200, Set Hallstrom wrote:
>>Got to be referring to this:
>>https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html
>
>See
>  https://lists.ubuntu.com/archives/ubuntu-users/2016-August/287193.html
>
>On Wed, 31 Aug 2016 03:11:29 -0400, lukefromdc at hushmail.com wrote:
>>For me this adds still more packages to what I have to build from
>>source, starting with the kernel.
>
>If the signing per se would be the real issue, then it wouldn't matter
>if you check the source by its key
>  https://www.kernel.org/signature.html
>or a binary package by its key.
>
>Regards,
>Ralf