[PLUG] Is a Linux Distro compromised?

Russell Senior russell at personaltelco.net
Mon Oct 7 23:00:58 UTC 2019


The gnarly problem with cryptographic signatures is making sure that the
public keys you are using to verify are the correct ones, since usually the
way you get the public keys is the same way you get the signatures and the
blobs they protect. You need some reliable out-of-band way of gaining
confidence you have the correct public keys. Keybase.io is an interesting
method. Key signing parties are a way of gaining confidence in your
"neighbors'" keys, and you can kind of bootstrap your way through the
web-of-trust to gain confidence in more distant keys.

On Mon, Oct 7, 2019 at 3:41 PM <alan at clueserver.org> wrote:

>
>
> > You could download distribution .iso as well as its sha256sum. Then you
> > run: sha256sum fileName.iso and compare them.
> >
> > All distributions I know are additionally signed and will complain/abort
> > when the signature does not match.
> >
> > That is, of course, only useful if the distribution itself is not
> > compromised. In case it is truly compromised, including signing and
> > sha256 infrastructure, I do not think you can do much about it.
>
> They would have to gain possession of the package signing key. All of the
> packages and updates are signed, as well as checksummed in the package
> list being downloaded.
>
> If you expect it is compromised then you can compare the source in the
> package to the source in the upstream repository.
>
>
>
> >
> > On Mon, Oct 7, 2019, 17:42 Mike C. <mconnors1 at gmail.com> wrote:
> >
> >> How would one know or determine if their beloved Linux distro of choice is
> >> hacked, altered or otherwise compromised?
> >>
> >> And not from years of using it with applying security updates or just
> >> willy-nilly throwing apps on it for fun but from the source when you
> >> download it.
> >>
> >> Say I want to build my own distro, how do I verify that I'm getting the
> >> authentic / original kernel to start with?
> >>
> >> If I'm downloading a distro, how would I do the same verification?
> >>
> >> Is this something that we just rely on the general Linux community to
> >> monitor and report on?
> >>
> >> Or is there something that's accomplished through hash algorithms and
> >> digital signatures that your average Linux user can verify themselves?
> >>
> >> I hope I'm making some sense here.
> >>
> >> Thank you,
> >>
> >> Mike
> >> _______________________________________________
> >> PLUG mailing list
> >> PLUG at pdxlinux.org
> >> http://lists.pdxlinux.org/mailman/listinfo/plug
> >>
>
>
> Q: Why do programmers confuse Halloween and Christmas?
> A: Because OCT 31 == DEC 25.

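The two checks the thread keeps coming back to, a sha256sum comparison against the published checksum file and confirming the signing key's fingerprint through an out-of-band channel before trusting its signatures, as an added example in plain POSIX sh (not code from any poster or distribution). The fake ISO, checksum file and the `fpr` listing with a placeholder fingerprint are all constructed here; no real distro's key is used.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread: (1) integrity of a download
# against a published SHA256SUMS file and (2) confirming the signing key's
# fingerprint against a value obtained out of band, before trusting any
# signature made with that key. All inputs below are constructed.

# Compare the sha256 of file $1 with its entry in SHA256SUMS file $2.
# SHA256SUMS lines look like "<hex>  name.iso" or "<hex> *name.iso".
# Returns 0 on match, 1 on mismatch or when the file is not listed.
verify_sha256() {
    iso="$1"; sums="$2"
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    expected=$(awk -v f="$(basename "$iso")" \
        '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Read gpg's machine-readable key listing (gpg --with-colons --fingerprint)
# on stdin and succeed only if an "fpr" record carries the pinned fingerprint
# $1. The pinned value must come from somewhere other than the download
# mirror: the project's site over HTTPS, printed material, or a key you
# signed yourself. Spaces and case in $1 are ignored so it can be pasted.
fingerprint_pinned() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$pinned" \
        '$1 == "fpr" && $10 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Walk both checks over constructed data: a fake ISO, its checksum file,
# a tampered copy, and a gpg-style listing with a placeholder fingerprint.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed iso payload\n' > "$dir/distro.iso"
    ( cd "$dir" && sha256sum distro.iso > SHA256SUMS )
    verify_sha256 "$dir/distro.iso" "$dir/SHA256SUMS" || return 1  # must pass
    printf 'x' >> "$dir/distro.iso"                                 # tamper
    verify_sha256 "$dir/distro.iso" "$dir/SHA256SUMS" && return 1   # must fail
    listing='fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:' # placeholder
    printf '%s\n' "$listing" | fingerprint_pinned \
        '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567' || return 1
    printf '%s\n' "$listing" | fingerprint_pinned \
        'FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF' && return 1
    rm -rf "$dir"
    echo "both checks behaved as expected"
}
```

Neither check helps if the checksum file, the key and the ISO all came from the same compromised mirror, which is exactly the point made above: the fingerprint you pin has to be learned some other way.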

