[arch-general] Kernel.org compromised. Are Arch users safe?

Pierre Schmitz pierre at archlinux.de
Thu Sep 1 13:45:27 EDT 2011


On Thu, 1 Sep 2011 14:47:40 +0200, Tom Gundersen wrote:
> On Thu, Sep 1, 2011 at 2:35 PM, Ionut Biru <ibiru at archlinux.org> wrote:
>> On 09/01/2011 03:30 PM, Paulo Guedes wrote:
>>>
>>> Since mirrors.kernel.org is one of the main mirrors used in Arch, what
>>> are the best measures to take right now? Format the computer and
>>> reinstall Arch? Uninstall any update since last week?
>>
>> kernel.org != mirrors.kernel.org just to be clear
> 
> In any case, the packages on mirrors.kernel.org have been checked, and
> they are not compromised.
> 
> -t

I cannot find the original mail but only this copy (someone might want
to check the signature): http://pastebin.com/BKcmMd47
This states that the mirrors might also have been affected.

While we can quite easily ensure that there are no compromised packages
atm we don't know if there were some in the past. But this is in no way
different than using any other mirror; in general using any Arch mirror
is insecure. That's why some smart people are working hard on package
signing.

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre

