[linux-elitists] Rooted kernel.org hosts (was: PJ takes her victory lap)

Rick Moen rick at linuxmafia.com
Wed Aug 31 20:57:00 PDT 2011

Quoting Greg KH (greg at kroah.com):

> Yes, the design of git makes it almost impossible to tamper with, and
> the tarballs can be regenerated from any git tree to verify the
> integrity of them.  You can do this yourself if you want to ensure this.

I wasn't worried about the tarballs' integrity (not to mention being
unworried about sha1 collisions), because enough people check the
published .sign files and have ongoing acquaintance with the Linux
Kernel Archives OpenPGP key.

Some years back, much virtual ink was spent over various details of
package signing in Debian Project (among other places).  Absolute
punctilio would require distribution of signing keys to all and sundry.  
However, in practice, there's a crowdsourcing effect one benefits from:
Even if you yourself are not fully equipped to vet a critical signature,
enough people are that a forgery is going to get quickly detected, in
typical circumstances.

There have been five prior compromises in about the past decade of 
major upstream open source developer sites in the last decade:  TCP
Wrappers/util-linux, Sendmail, SquirrelMail, ProFTPD, vsftpd.  In every
case, code-signing prevented believable compromising of the codebases
published on them.  Either trojans weren't even attempted, or trojans
were immediately caught because they were suspiciously unsigned or their
signatures didn't validate.

(I have details as part of
http://linuxmafia.com/~rick/faq/index.php?page=virus .)

More information about the linux-elitists mailing list