Jon Lasser, 2002-08-07
The OpenSSH backdoor demonstrates that the community must get pragmatic about package verification, and fast.
Is it really so immature?
2002-08-08
Javier Fernandez-Sanguino (1 replies)
Aren't you over-exaggerating? The fact is that the trojan was discovered almost immediately due to the MD5 checksum checks and did not spread at all (to other operating systems that do use OpenSSH source like any major Linux distributions). Impact of this issue is not even close to the one the TCP-wrappe...
Is it really so immature?
2002-08-08
Jon (1 replies)
The point is that MD5sums have been more successful than PGP signatures in detecting trojans, even though the latter are (by far) a technically superior solution. We need something as easy to use as MD5sums (or SSL in the Web browser) but as powerful as PGP signatures.
Note that FreeBSD only caug...
Is it really so immature?
2002-08-11
Not Really Anonymous
I think what really gets me is the tone of the article. I think that a better solution is out there to resolve an issue like this. Buuut, I don't think OSS is immature; in fact I think the commercial world is the one who needs to grow up a little.
For example, the continuous fighting of "whats...
Time to Grow UP? NO! Time to quit acting like children! There is a difference.
2002-08-09
Axe-2-Grind
While I agree with and respect all of Jon's technical comments throughout this article, I have strong issues with his opening paragraphs, which had nothing to do with reality when it came to his outstanding views starting at the "Practically Imperfect" heading. Sorry Jon, but reading your article reminded m...
Time for Open-Source to Grow Up
2002-08-09
Anonymous
"To add GNU Privacy Guard or another signature-checking tool to the base operating system will always be controversial to software purists who want to keep Unix just like it was when they first logged onto a PDP/11 in 1979."
purist: n : someone who insists on great precision and correctness
...
PGP is still the answer
2002-08-10
Sloppy
Whatever you come up with, could just be a degenerate subset of PGP. A web-of-trust system can emulate a hierarchical system; just have the tool come with the distributor's PGP key the same way that, for example, web browsers come with some trusted SSL certs.
No need to invent any new standards,...
Stick to PGP
2002-08-11
Anonymous (2 replies)
I check PGP signatures.
Any responsible sysadmin will validate a package, and PGP is not difficult to use in that regard. Sysadmins who download packages and don't verify them should "grow up".
Honestly, I wouldn't even know how to validate the certificates you talk about. PGP is fairly straig...
Stick to PGP
2002-08-14
Anonymous
PGP is easy to check. So is MD5. Any verification is easier than fixing a disaster later. I personally prefer a PGP sig, with the key at some well known location. Anyone who is using the key on the provider site is probably the same person who would reset their root password when the "OS vendor...
Why is SMP a requirement for busy download sites?
2002-08-14
Anonymous
Speaking as someone who has run several big sites, I can see no reason why SMP is a requirement for such sites. RAM, bandwidth and sensible software are required.
Walnut Creek's record from 1998 must surely have been broken by now, but this was done with a *single* Pentium Pro at 200MHz. (In fact I a...
Time for Open-Source to Grow Up
2002-08-16
Anonymous
There already is a tool for sensible admins to verify the software that they download. One of the functions of the Redhat Package Manager is storage and verification of GPG signatures. When I download software from Redhat, I simply type 'rpm -K [packagename.rpm]' and it tells me whether Redhat signe...

Because growing up is a matter of perspective, the big bad world is just as guilty of the same "immature" actions as the Open Source community. I mean, really, society has lived with a backdoor in Windows for a while, but no one seems to mind :). ...