On 27/08/12 13:52, steve jenkin wrote:
> For servers, I blindly trust both Debian and CentOS [non-commercial
> teams without deep resources]

What I do trust about those projects, Debian more than CentOS, but both - and
most other distributions - far more highly than anything in the Windows
sphere, is that they sign packages with a GPG key, and their infrastructure
that generates packages to be signed is secured (reasonably) well.  In the few
instances where there has been evidence that the infrastructure has been
attacked they have changed keys, rebuilt machines and stopped distribution of
anything that might count as a compromised binary.

I'm not trusting myself to look at the source code - I'd get bored and skip
the unobtrusive, boring places that people would hide sneaky stuff.  But I do
trust the other people - the package maintainers and security reviewers and so
forth - to get it right.  There are people that are much more paranoid than I
am using those same packages, and if anything suspicious happened they'd
report it.

Paranoia is all very well but it's a downward spiral.  At some point you have
to trust other people - just choose where carefully.