From: Ron Johnson on
On 07/24/2010 01:50 AM, Sthu Deus wrote:
> Thank You for Your time and answer, Andrei:
>
>> Yes it is. That's why I suggested the kmuto installer.
>
> Is there any reference from Debian web site to the kmuto site - I have
> found one reference from searching machine but the link was not found on
> the Debian site. How I can know that the ISO images that are available
> on the developers site are Debian project acknowledged this day?
>
> Sorry for stubbornness on my side.
>
You can't have your cake and eat it too.

Modern kernels won't be supported by debian-security. Deal with it.

--
Seek truth from facts.


--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/4C4B3D42.8020105(a)cox.net
From: Florian Kulzer on
On Sat, Jul 24, 2010 at 14:21:38 -0500, Ron Johnson wrote:
> On 07/24/2010 01:50 AM, Sthu Deus wrote:
> >Thank You for Your time and answer, Andrei:
> >
> >>Yes it is. That's why I suggested the kmuto installer.
> >
> >Is there any reference from Debian web site to the kmuto site - I have
> >found one reference from searching machine but the link was not found on
> >the Debian site. How I can know that the ISO images that are available
> >on the developers site are Debian project acknowledged this day?
> >
> >Sorry for stubbornness on my side.
> >
> You can't have your cake and eat it too.
>
> Modern kernels won't be supported by debian-security. Deal with it.

Furthermore, he is asking the wrong question if he wants real security.
If one downloads via an insecure protocol (http, ftp) then it does not
matter if the URL points to debian.org, kmuto.jp or rootkits-r-us.com,
because one is unprotected against a man-in-the-middle attack in any
case. Thinking that searching for a reference to the kmuto installer on
debian.org has anything to do with security is a dangerous illusion.

The question that should be asked is: "How can I verify the checksums of
the kmuto images with cryptographic signatures that can be traced back
to a trusted key from the debian keyring?" (Unfortunately I do not know
the answer; I cannot find any signature whatsoever for the checksums.)

--
Regards, |
Florian |


--
Archive: http://lists.debian.org/20100724222128.GA8025(a)isar.localhost
From: Boyd Stephen Smith Jr. on
On Saturday 24 July 2010 17:21:28 Florian Kulzer wrote:
> Furthermore, he is asking the wrong question if he wants real security.
> If one downloads via an insecure protocol (http, ftp) then it does not
> matter if the URL points to debian.org, kmuto.jp or rootkits-r-us.com,
> because one is unprotected against a man-in-the-middle attack in any
> case.

That's not true.

Long ago, the "secure-apt" project took this issue into account. The Packages
file is GPG signed and this signature is verified during each (aptitude
update), even during installation. (Although, I have seen some install
methods subvert this check...)

The Packages file contains multiple cryptographically-secure hashes of each
binary package available from that archive/repository and (at least) one of
these hashes is verified after download but before installation.

The Sources file is similarly signed and provides hashes for the source
packages available from that archive/repository.

The official installation media are each signed and hashed in a
cryptographically-secure manner, but you have to verify those manually.

> The question that should be asked is: "How can I verify the checksums of
> the kmuto images with cryptographic signatures that can be traced back
> to a trusted key from the debian keyring?" (Unfortunately I do not know
> the answer; I cannot find any signature whatsoever for the checksums.)

Good question. I don't know how to verify the installation media. Assuming
it uses the standard apt and normal repositories, all the packages installed
during installation will be verified, and the archive/repository must be
signed by a GPG key in the installation media's apt keyring.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss(a)iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
From: Andrei Popescu on
On Sat, 24 Jul 10, 19:51:53, Boyd Stephen Smith Jr. wrote:
>
> Good question. I don't know how to verify the installation media. Assuming
> it uses the standard apt and normal repositories, all the packages installed
> during installation will be verified, and the archive/repository must be
> signed by a GPG key in the installation media's apt keyring.

Exactly. Nothing prevents the builder of the image from including a
different keyring on the media ;)

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
From: Florian Kulzer on
On Sat, Jul 24, 2010 at 19:51:53 -0500, Boyd Stephen Smith Jr. wrote:
> On Saturday 24 July 2010 17:21:28 Florian Kulzer wrote:
> > Furthermore, he is asking the wrong question if he wants real security.
> > If one downloads via an insecure protocol (http, ftp) then it does not
> > matter if the URL points to debian.org, kmuto.jp or rootkits-r-us.com,
> > because one is unprotected against a man-in-the-middle attack in any
> > case.
>
> That's not true.

Why not?

> Long ago, the "secure-apt" project took this issue into account. The Packages
> file is GPG signed and this signature is verified during each (aptitude
> update), even during installation. (Although, I have seen some install
> methods subvert this check...)
>
> The Packages file contains multiple cryptographically-secure hashes of each
> binary package available from that archive/repository and (at least) one of
> these hashes is verified after download but before installation.
>
> The Sources file is similarly signed and provides hashes for the source
> packages available from that archive/repository.

I do not think that these facts contradict my statement that http and
ftp downloads in and of themselves cannot be trusted, no matter what the
URL is. I did not claim that it is impossible to have a mechanism for
verifying downloads, nor did I imply that Debian does not implement such
a safeguard in its package management.

> The official installation media are each signed and hashed in a
> cryptographically-secure manner, but you have to verify those manually.

That was my point; if there is a valid signature of a trusted key then
it does not matter how the installation image was obtained. (This
assumes that nobody knows an efficient algorithm to factor large
numbers or to create hash collisions after making arbitrary changes to
the original image.)

--
Regards, |
Florian |


--
Archive: http://lists.debian.org/20100725090540.GA6956(a)isar.localhost