Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] autorpm and latest secure files
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Fri, 11 Aug 2000 14:17:05 -0600
  • Message-id: <008001c003d1$1ee75860$6900030a@xxxxxxxxxxxx>
> The solution would be to combine several methods of checking.
> Even if an attacker can compromise the data in a way that one
> algo still fits (MD5 is not 100% secure after all -- how do you
> want to have unique fingerprints for *any* data when you only
> have 128 bits to store them?) a second one (SHA1, RIPEMD160)
> probably fails.

Wrong answer. USE GNUPG. OK, the problem with MD5/SHA1/etc./etc. is that for each
package I need to get you the package and the sig securely. With GnuPG I
need to get the key to you securely ONCE, i.e. SuSE ships the keys on the
CD. SuSE cannot ship all the future MD5/SHA1/etc. sums on the CD for obvious
reasons.

> And don't believe in "automated security". I feel quite strongly
> that automatic updates won't work without heavy human
> supervision. :) Having your system (potentially) damaged by a
> simple-minded program sucking in every update unchecked just
> because "the file was there and I felt like applying it" is not
> fun. When something breaks, *I* want to be the reason why. :>

Security has to be automated as much as possible. What happens when
companies roll out 5000 Linux desktops?

-Kurt
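Kurt's key-distribution point, as a constructed Python example that is not part of the original thread: a toy RSA signature stands in for GnuPG (not for real use) with the vendor's public key obtained out of band once, beside an MD5 sums file fetched from the same mirror as the package. All names here (publish, compromise_mirror, VENDOR_PUB, the sample package bytes) are assumed for the example.

```python
import hashlib
import math
import random

# Toy RSA stand-in for a GnuPG signing key (constructed for this example, not for real use).
def _probable_prime(n, rng, rounds=24):  # Fermat test: enough for a constructed toy key
    return all(pow(rng.randrange(2, n - 1), n - 1, n) == 1 for _ in range(rounds))

def _gen_prime(bits, rng):
    cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
    while not _probable_prime(cand, rng):
        cand += 2
    return cand

def keygen(bits=256, seed=2000):
    rng = random.Random(seed)  # seeded so the example is deterministic
    while True:
        p, q = _gen_prime(bits, rng), _gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def _digest(data):  # SHA-256 as an integer; always < n here, so no padding scheme needed
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_digest(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data)

VENDOR_PUB, VENDOR_PRIV = keygen()  # the public half is what ships on the CD, once
GENUINE = b"constructed sample package 1.0"
TAMPERED = b"constructed sample package 1.0 plus backdoor"

def publish(package):  # what the vendor puts on a mirror: package, MD5 sums file, detached sig
    return {"pkg": package, "md5": hashlib.md5(package).hexdigest(), "sig": sign(VENDOR_PRIV, package)}

def compromise_mirror(mirror):  # mirror operator swaps package and sums file, but has no signing key
    return {"pkg": TAMPERED, "md5": hashlib.md5(TAMPERED).hexdigest(), "sig": mirror["sig"]}

def passes_checksum(mirror):  # sums fetched from the same mirror as the package
    return hashlib.md5(mirror["pkg"]).hexdigest() == mirror["md5"]

def passes_signature(mirror, trusted_pub=VENDOR_PUB):  # key obtained out of band
    return verify(trusted_pub, mirror["pkg"], mirror["sig"])
```

With the mirror compromised, the checksum check still passes because the sums file came from the same place as the package, while the signature check fails because the attacker cannot sign without the vendor's private key.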

