ImperialViolet

Suggested reading: Notes ... (31 May 2002)

Suggested reading: Notes from the BPDG (fuckware) meeting, BBC article about the new EUP rules on data protection and privacy, Another BBC article about the large fall in street crime in Lambeth (following a relaxing of cannabis laws)

A little while ago, it was found that irssi was backdoored at the source level (someone cracked the server and altered the source). Now it's been found that fragrouter suffered the same thing (search BUGTRAQ archives). Two points from this: in the short term we need a little more crypto and in the longer term we need to fix the god-awful UNIX security model.

Irssi has started signing releases at least, but personally I still can't believe that Debian doesn't. It's really not rocket science and the code support is there (deb-sigs). The general argument is that the number of Debian developers means there are too many keys that could be compromised. Guess what? It's still better than nothing. (As an aside, Debian still doesn't have incremental updates to the Packages file - Debian sucks in too many ways.)

In the long term we need to do something about the UNIX security model. The research has been done - that isn't a problem. But I'm lazy. I might quite like to play with more secure systems, but they are marked out by being unusable. Of course, I'm not working to create an EROS distribution or anything so I don't really have the right to complain. Maybe something like this [via Wes] will stay us in the short term.