I was thinking about the multiplication of Debian mirrors lately and the security implications of having a mirror rooted by some evildoers...
How is it actually managed? I had this crazy idea that goes something like this:
When you first install Debian, you do it from a safe source (let's say a CD like OpenBSD or a mirror you _really_ trust). All the packages come with the public key of the maintainer and all packages are signed by the package maintainer. Therefore, if someone roots a mirror and changes a package, you'll get a message like SSH would give:
the key for package "bla" doesn't match, do you want to accept the new key? Therefore you could spot crackers, and if the key change was legitimate, you could go to a list of mirrors where you could verify that the maintainer really did change it.. (like debian.org/package/pub.key whatever, and verify the key signature)...
So, does anyone have any idea about how it works and how it should work?:)
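Added example, not part of the original post: what Debian actually does differs from the per-package SSH-style scheme proposed above. Maintainers sign their uploads with their own keys, but that signature is checked at upload time, not by the client. What the client verifies is a single signature by the Debian archive key (shipped with the installer) on the Release file of a suite; Release carries SHA256 hashes of the Packages indices, and each Packages stanza carries the SHA256 of its .deb. A rooted mirror can swap a .deb or rewrite Packages, but cannot re-sign Release. The Python below walks that hash chain over a constructed mini-archive; the archive signature check itself (apt runs gpgv against the trusted keyring) is assumed to have already passed and is not modelled. All file contents and the package name "bla" are constructed for the example.

```python
import hashlib

# Constructed sample archive for the example (not a real Debian mirror).
# In the real design only the Release file carries a signature (Release.gpg /
# InRelease, made with the Debian archive key that the installer ships); every
# .deb is bound to it through the SHA256 lines in Release and Packages.
DEB_PATH = "pool/main/b/bla/bla_1.0-1_amd64.deb"
GOOD_DEB = b"!<arch>\nconstructed stand-in for a .deb archive\n"
TAMPERED_DEB = GOOD_DEB + b"payload appended by a compromised mirror\n"
INDEX_PATH = "main/binary-amd64/Packages"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_packages(deb_path: str, deb: bytes) -> bytes:
    """Build a one-stanza Packages index covering one .deb (constructed)."""
    stanza = (
        "Package: bla\nVersion: 1.0-1\nArchitecture: amd64\n"
        f"Filename: {deb_path}\nSize: {len(deb)}\nSHA256: {sha256_hex(deb)}\n\n"
    )
    return stanza.encode()


GOOD_PACKAGES = make_packages(DEB_PATH, GOOD_DEB)

# The Release file is the only object the archive key signs (constructed here).
RELEASE = (
    "Origin: Debian\nSuite: stable\nCodename: example\n"
    "SHA256:\n"
    f" {sha256_hex(GOOD_PACKAGES)} {len(GOOD_PACKAGES)} {INDEX_PATH}\n"
)


def parse_release_sha256(release: str) -> dict:
    """Map index path -> (sha256, size) from the SHA256: section of Release."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(index: bytes) -> dict:
    """Map Filename -> (sha256, size) for each stanza in a Packages index."""
    entries = {}
    for stanza in index.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries


def verify_chain(release: str, index_path: str, index: bytes,
                 deb_path: str, deb: bytes) -> tuple:
    """Walk Release -> Packages -> .deb; return (ok, reason).

    Assumes the caller has already verified the archive signature on `release`
    (apt runs gpgv against /etc/apt/trusted.gpg.d for that; not modelled here).
    """
    expected = parse_release_sha256(release).get(index_path)
    if expected is None:
        return False, f"{index_path} not listed in Release"
    if expected != (sha256_hex(index), len(index)):
        return False, f"{index_path} does not match the signed Release"
    entry = parse_packages(index).get(deb_path)
    if entry is None:
        return False, f"{deb_path} not listed in {index_path}"
    if entry != (sha256_hex(deb), len(deb)):
        return False, f"{deb_path} does not match {index_path}"
    return True, "ok"


if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX_PATH, GOOD_PACKAGES, DEB_PATH, GOOD_DEB))
    # A mirror that swaps the .deb fails at the last link of the chain:
    print(verify_chain(RELEASE, INDEX_PATH, GOOD_PACKAGES, DEB_PATH, TAMPERED_DEB))
    # A mirror that also rewrites Packages to cover the swap fails one link up,
    # because it cannot re-sign Release without the archive key:
    evil_index = make_packages(DEB_PATH, TAMPERED_DEB)
    print(verify_chain(RELEASE, INDEX_PATH, evil_index, DEB_PATH, TAMPERED_DEB))
```

The design choice worth noticing is that trust is anchored in one key the client already has, so the "do you want to accept the new key?" prompt never arises: a mismatch anywhere in the chain is simply a failure, and the only legitimate way to change what a mirror serves is to publish a new signed Release.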
hehe even though I'm answering a joke, I just want to point out that music is not like a Coke, you don't just take a sip and decide if you like it or not, good music has to be understood and listened to many times (Of course those bands are not in the top 10:-)
People know it's a crime, the point is that I think the problem is more profound.
Instead of living in a society where we all try to steal from each other we should try and create more social cohesion so as to share more and be aware of others. But yes, I'm an idealist:-)
I have the feeling that we really are stuck between 2 different moments in history.. We're at a point where we can easily copy and distribute everything and anything that is not a physical object but we can't "easily" recreate a good copy of it at home:
- A book can be pirated but then reprinting it in a good format so I can read it easily on the bus is not quite there yet.
- Songs can be copied but then you have to burn them and make a standard CDDA (ok this one is getting easier but..)
- DVDs can be d/led and then you have to know how to make a udf/dvd-video file system etc, not very easy for my grandma...
What I think would be needed is a development of standard "printers" for those different kinds of media where you could go to the author's web page, pay 3$ directly to him (as that is what I think is going back to them, if not less) and pay 2$ yourself to have the material (blank media etc) printed on your device. This way consumers could then be able to buy tangible goods from their home and have a perfect copy. Of course we'd need more bandwidth and all, I'm just throwing ideas here:-)
This does not address piracy in any way, but the point being that lazy people who stay home to pirate would probably be happy to fork out 3$ instead of looking around for hours to find a pirated copy of The Matrix... The market will have to change, they will have to sell a product in every damn way possible on the day it's released... Like that you won't see "cam" versions of movies and the like.
If I don't want to pay 10$ to go see the movie at the theater then let me pay 5$ to d/l the DVD! please?:)
Good to know that some people are preparing for the next genocide...
</sarcasm>
..the States, which has one of the highest prison occupancy rates, now needs to put 12 year old girls in jail... come on!
But I'm sure that somewhere along the food chain of battery developers, oil companies are slowing things down as always... :-)
But how will the keyring package be signed/verified?
something from phrack: Traffic lights
Can these 3 CDs be used to program? (does it include gcc and all? and ssh server etc...?)
Are they going to be releasing 9.2 as a single DVD? :-)
That would rock to just have to pop in 1 DVD and go to bed
and their brothers are now using IE to create huge botnets and make revenues from stupid users... ;-)
I'm sure some of them are going to sue MS for not letting them earn a living
vserver maybe this will help :-)
Well, you can always use GRsecurity if you're willing to take the performance hit (maybe 3% :).
decentralizing the DNS system... or at least promoting alternatives 8)
http://www.opennic.unrated.net/ would be a good start.
We may have a big surprise then... well, either that or they think it'll help thwart the piracy issue...:)
I'm not sure that PDF is a completely free format? Is it?
1.11 TB? ;-)
If 18 minutes takes up 3.5TB this means that your MTBF is around 5m42s
http://www.levenez.com/unix/history.html
here is the source for that (acyclic?) graph :-)
3.6.1p2-7 is out ... :)
Does anyone have an idea of where to fetch a 3.6.1p2-6 + fix or something? :)
We can finally write "signature sniffers" hehe..
When are we going to start playing core wars on the net ? (Worm killers and worms killers killers and ...;)
according to netcraft, if linux means 2 things, it is RedHat and Debian :)
piracy prevention will never be foolproof, and the more complicated the schemes are, the more fun they will look to break...
We need to educate people not put them in prison.