Date: Fri, 03 Apr 2015 01:09:39 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: membership request to the closed linux-distros security mailing list

On 02/04/15 07:43 PM, Seth Arnold wrote:
> On Fri, Mar 20, 2015 at 02:00:29PM +0100, Sona Sarmadi wrote:
>> On behalf of Enea Software AB, I would like to request membership to
>> the closed linux-distros security mailing list.
>
> Speaking strictly for myself, I'm still somewhat skeptical; the security
> announce archives http://mail.lists.enea.com/pipermail/security-announce/
> do show some security updates, but (guessing) 15% of the actual patch
> links I tried to follow no longer exist.
>
> Furthermore, the advisories all suggest downloading patches via http and
> offer no mechanism to validate the patches before applying them. Consider
> this recent advisory:
> http://mail.lists.enea.com/pipermail/security-announce/20150326/000064.html
>
> - there's no gpg signature on this advisory
> - there are no cryptographic checksums in the advisory to authenticate
>   the patch even if the advisory were signed
> - there are no ascii-armored signatures in the patches
> - there are no detached signatures at
>   http://linux.enea.com/5.0-beta-m400/patches/
>   or at
>   http://linux.enea.com/4.0/patches/
>
> If downloading patches and applying them by hand is really the
> distribution model Enea has chosen, then it feels like the provenance
> of updates is seriously lacking.
>
> In my opinion, until some more of the security basics are covered,
> joining linux-distros@ is premature.

I guess Ubuntu has to be dropped from linux-distros then, because
www.ubuntu.com appears to be http-only and the ISO download is entirely
insecure. The security notices are also served insecurely there:

http://www.ubuntu.com/usn/

Am I missing something... ? It doesn't make much sense to criticize this
when you folks are doing the same.

I do get the impression that Enea Linux is handling security poorly (where
are all of the other issues?) but this bothered me.
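The quoted message lists what a hand-downloaded patch would need before it can be trusted: a checksum published in a signed advisory and a detached signature on the patch itself. The script below is an added example, not code from the thread or from Enea, showing the verification a consumer of such patches would run before applying one. It assumes a patch file, a SHA-256 digest obtained out of band (for instance from a signed advisory), and optionally a detached `.asc`/`.sig` file whose signing key is already in the local GPG keyring; the file names and demo content are constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded patch against an out-of-band SHA-256
# digest and, when a detached signature file is given, a GPG signature,
# and only then apply it. Nothing here is Enea's own tooling.

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_patch PATCH EXPECTED_SHA256 [DETACHED_SIG]
# Exit status: 0 verified; 1 digest mismatch or unreadable file;
# 2 gpg not installed; 3 signature did not verify.
verify_patch() {
  patch_file=$1
  expected=$2
  sig_file=$3
  [ -r "$patch_file" ] || { echo "cannot read $patch_file" >&2; return 1; }
  actual=$(sha256_of "$patch_file") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $patch_file: got $actual" >&2
    return 1
  fi
  if [ -n "$sig_file" ]; then
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    # The signer's public key must already be in the keyring and have been
    # obtained through a channel independent of the patch download.
    gpg --verify "$sig_file" "$patch_file" >/dev/null 2>&1 \
      || { echo "signature on $patch_file did not verify" >&2; return 3; }
  fi
  return 0
}

# apply_verified PATCH EXPECTED_SHA256 [DETACHED_SIG]: apply only after verification.
apply_verified() {
  verify_patch "$1" "$2" "$3" || return $?
  patch -p1 < "$1"
}

# Constructed demo: write a small local "patch", compute its digest to stand in
# for the value an advisory would publish, then show a match and a mismatch.
demo() {
  dir=$(mktemp -d)
  printf 'demo patch content\n' > "$dir/fix.patch"
  published=$(sha256_of "$dir/fix.patch")
  if verify_patch "$dir/fix.patch" "$published"; then ok=0; else ok=$?; fi
  if verify_patch "$dir/fix.patch" "deadbeef" 2>/dev/null; then bad=0; else bad=$?; fi
  rm -rf "$dir"
  echo "matching digest -> $ok, wrong digest -> $bad"
}

demo
```

The digest check alone only proves the patch matches what the advisory says; it adds nothing unless the advisory itself is signed, which is why `verify_patch` takes the detached signature as a separate argument rather than trusting the checksum on its own. In a real deployment the expected digest should come from the signed advisory text, never from a file served next to the patch over plain HTTP.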