[clug] [OT] all text passwords == secure?

Robert Edwards bob at cs.anu.edu.au
Mon Aug 27 20:32:12 MDT 2012

On 27/08/12 21:41, Paul Wayper wrote:
> Hash: SHA1
> On 27/08/12 13:52, steve jenkin wrote:
>> For servers, I blindly trust both Debian and CentOs [non-commercial
>> teams without deep resources]
> What I do trust about those projects, Debian more than CentOS, but both - and
> most other distributions - far more highly than anything in the Windows
> sphere, is that they sign packages with a GPG key, and their infrastructure
> that generates packages to be signed is secured (reasonably) well.  In the few
> instances where there has been evidence that the infrastructure has been
> attacked they have changed keys, rebuilt machines and stopped distribution of
> anything that might count as a compromised binary.
> I'm not trusting myself to look at the source code - I'd get bored and skip
> the unobtrusive, boring places that people would hide sneaky stuff.  But I do
> trust the other people - the package maintainers and security reviewers and so
> forth - to get it right.  There are people that are much more paranoid than I
> am using those same packages, and if anything suspicious happened they'd
> report it.
> Paranoia is all very well but it's a downward spiral.  At some point you have
> to trust other people - just choose where carefully.

Two comments:

I largely agree that we do have to trust other people and that we need
to choose where carefully. However, if we don't demonstrate that we are
capable and willing to test that trust, then those we trust may, over
time, try something on. There is a responsibility on our part to "keep
an eye on" (ie. not blindly) what our IC vendors and distro builders are
up to. It's a valid contribution to the community. I think it is more
about auditing and verifying than just not trusting anyone/anything.

Also, Paul, are you "blindly" trusting GPG? How do _you_ know that large
prime numbers really are hard to factor? What if someone did know how
to do it? Would you necessarily trust them to tell everyone?


Bob Edwards.

> Have fun,
> Paul
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> +uQAoIRaIYPF7A/B/sXz9Q9XIflQdcgr
> =9dev

More information about the linux mailing list