[H-GEN] security update mailing lists?

Russell Stuart russell at stuart.id.au
Thu Jul 13 04:17:29 EDT 2006


On 13/07/2006 5:37 PM, Greg Black wrote:
> There's just one thing that makes me worry about this kind of
> advice and, since today is in fact a day when a Debian server
> was compromised, this seems like a good time to mention it:  you
> need to know that the place you get your updates from has only
> got "good" updates, not compromised software.  There's really no
> way for normal users to be able to be confident about that.
> 
> What's the solution?  Probably the only guaranteed solution is
> to ensure you only use perfectly secure computers.  These are
> created by removing the power permanently.

You are right in that there is no absolute solution.
However all Debian packages (binary and source) are
digitally signed.  This prevents a simple "infection"
of a binary - assuming it has been implemented
correctly by Debian.  There was some issue with it at
one stage, as I recall.

Bugs aside, even signing doesn't prevent compromised
keys from uploading nefarious programs.  However, once
their existence has been uncovered it becomes trivial
to nail the offending key to the wall as an example
to others.  It is not a perfect solution, but it keeps
the problem down to a manageable level - as in hasn't
happened yet.  Good enough for me.