[arch-general] Kernel.org compromised. Are Arch users safe?
Since mirrors.kernel.org is one of the main mirrors used in Arch what's the best measures to take right now? Format the computer and reinstall Arch? Uninstall any update since last week?

What? You make no sense

2011/9/1 Paulo Guedes <paulorenatoguedes@gmail.com>
> Since mirrors.kernel.org is one of the main mirrors used in Arch what's the best measures to take right now? Format the computer and reinstall Arch? Uninstall any update since last week?

--
Regards,
Alfredo Palhares

On 09/01/2011 03:30 PM, Paulo Guedes wrote:
> Since mirrors.kernel.org is one of the main mirrors used in Arch what's the best measures to take right now? Format the computer and reinstall Arch? Uninstall any update since last week?

kernel.org != mirrors.kernel.org just to be clear

--
Ionuț

On Thu, Sep 1, 2011 at 2:35 PM, Ionut Biru <ibiru@archlinux.org> wrote:
> On 09/01/2011 03:30 PM, Paulo Guedes wrote:
>> Since mirrors.kernel.org is one of the main mirrors used in Arch what's the best measures to take right now? Format the computer and reinstall Arch? Uninstall any update since last week?
>
> kernel.org != mirrors.kernel.org just to be clear

In any case, the packages on mirrors.kernel.org have been checked, and they are not compromised.

-t

Then there isn't any need to worry and everything is safe, right? Thanks.

On 1 September 2011 13:47, Tom Gundersen <teg@jklm.no> wrote:
> On Thu, Sep 1, 2011 at 2:35 PM, Ionut Biru <ibiru@archlinux.org> wrote:
>> On 09/01/2011 03:30 PM, Paulo Guedes wrote:
>>> Since mirrors.kernel.org is one of the main mirrors used in Arch what's the best measures to take right now? Format the computer and reinstall Arch? Uninstall any update since last week?
>>
>> kernel.org != mirrors.kernel.org just to be clear
>
> In any case, the packages on mirrors.kernel.org have been checked, and they are not compromised.
>
> -t

On Thu, Sep 1, 2011 at 10:03 AM, Paulo Guedes <paulorenatoguedes@gmail.com> wrote:
> Then there isn't any need to worry and everything is safe, right?

As long as the keys used to sign the tarballs aren't compromised, we shouldn't worry. They weren't, according to kernel.org admins.

I don't know if Arch kernel maintainers check the signatures, but it is easy to do it now, if need be. And makepkg from next pacman's release will have an option to check signatures automatically, easing the process even more.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------

On Thu, 1 Sep 2011 14:47:40 +0200, Tom Gundersen wrote:
> On Thu, Sep 1, 2011 at 2:35 PM, Ionut Biru <ibiru@archlinux.org> wrote:
>> On 09/01/2011 03:30 PM, Paulo Guedes wrote:
>>> Since mirrors.kernel.org is one of the main mirrors used in Arch what's the best measures to take right now? Format the computer and reinstall Arch? Uninstall any update since last week?
>>
>> kernel.org != mirrors.kernel.org just to be clear
>
> In any case, the packages on mirrors.kernel.org have been checked, and they are not compromised.
>
> -t

I cannot find the original mail but only this copy (someone might want to check the signature) http://pastebin.com/BKcmMd47

This states that also the mirrors might have been affected. While we can quite easily ensure that there are no compromised packages atm we don't know if there were some in the past. But this is in no way different than using any other mirror; in general using any Arch mirror is insecure. That's why some smart people are working hard on package signing.

Greetings,

Pierre

--
Pierre Schmitz, https://users.archlinux.de/~pierre
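
Added example, not part of the thread and not Arch's own tooling: one way to check the packages a mirror serves right now, by comparing each file's SHA-256 digest with `desc` entries from a repository database obtained from a source you trust (an assumption; the thread does not say how the mirror was checked). The package names and contents are constructed, and the entries are assumed to carry the `%SHA256SUM%` field that pacman databases use.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_desc(text):
    """Parse one pacman sync-db 'desc' entry: a %FIELD% line followed by its value lines."""
    fields, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            fields[key] = []
        elif line and key:
            fields[key].append(line)
    return {k: "\n".join(v) for k, v in fields.items()}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # chunked: packages can be large
            h.update(chunk)
    return h.hexdigest()

def audit(trusted_descs, pkg_dir):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every package the trusted db lists."""
    report = {}
    for text in trusted_descs:
        d = parse_desc(text)
        path = Path(pkg_dir) / d["FILENAME"]
        if not path.is_file():
            report[d["FILENAME"]] = "missing"
        elif sha256_file(path) == d["SHA256SUM"].lower():
            report[d["FILENAME"]] = "ok"
        else:
            report[d["FILENAME"]] = "MISMATCH"
    return report

def demo():
    """Constructed data: two fake packages; 'bar' is altered after its db entry was made."""
    pkgs = {"foo-1.0-1-any.pkg.tar.xz": b"pkg A", "bar-2.1-3-any.pkg.tar.xz": b"pkg B"}
    descs = [f"%FILENAME%\n{n}\n\n%SHA256SUM%\n{hashlib.sha256(c).hexdigest()}\n" for n, c in pkgs.items()]
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in pkgs.items():
            altered = name.startswith("bar")  # simulate a file changed on the mirror
            Path(tmp, name).write_bytes(data + (b" altered" if altered else b""))
        return audit(descs, tmp)

if __name__ == "__main__":
    print(demo())
```

A match only shows that a file equals what the reference database describes today; if that database came from the same mirror, the comparison proves nothing, and it says nothing about files served in the past, which is the gap package signing closes.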