Re: kernel.org status: establishing a PGP web of trust
From: Adrian Bunk
Date: Thu Oct 06 2011 - 03:17:05 EST
On Wed, Oct 05, 2011 at 07:47:16PM -0400, Ted Ts'o wrote:
> On Thu, Oct 06, 2011 at 12:25:26AM +0300, Adrian Bunk wrote:
> >
> > Had debsums told me that /bin/bash was modified I would have been quite
> > convinced.
>
> Keep in mind that debsums is trivially easy to circument. That just
> checks against an md5 checksum stored in a text file in
> /var/lib/dpkg/info/*.md5sums. If someone modified /bin/bash it would
> easy enough for them to modify the relevant md5sums file.
I am not so naÃve to assume there was any way to prove my machine is not
compromised.
My first assumption is that my machine is not compromised, and also
that the latest e2fsprogs you uploaded to Debian unstable and that
I installed on my machine does not contain a trojan added by someone
who hijacked your machine or your key.
There is no 100% security, only compromises between security and costs.
> - Ted
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/