Sunday Safety Dance

8 Replies. 1 pages. Viewing page 1.

8. Re: Sunday Safety Dance Dec 16, 2017, 07:13 TheVocalMinority
 
Sorry didn't have time to follow up on this during the week.

Host is irrelevant, updates are signed by Debian private key and will not install if hash does not match. It can be overridden but I don't think this will be the default in the auto update because that would be nuts.
 
VM
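Added example, not part of any post in this thread: a sketch of the hash chain the post above refers to, where a `Release` file lists the SHA256 of each `Packages` index and each index stanza lists the SHA256 of its `.deb`. It assumes the OpenPGP signature on `Release` has already been verified against the archive key; the function names and all sample data are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release: str) -> dict:
    """Map index path -> (sha256, size) from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(index: str) -> dict:
    """Map package name -> stanza fields (continuation lines are skipped)."""
    pkgs = {}
    for stanza in index.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        pkgs[fields["Package"]] = fields
    return pkgs

def verify_download(release, index_path, index_bytes, name, deb_bytes) -> bool:
    """True only if the index matches Release and the .deb matches the index."""
    digest, size = parse_release_sha256(release)[index_path]
    if len(index_bytes) != size or sha256(index_bytes) != digest:
        return False  # mirror altered the Packages index
    stanza = parse_packages(index_bytes.decode())[name]
    return len(deb_bytes) == int(stanza["Size"]) and sha256(deb_bytes) == stanza["SHA256"]

def make_index(deb: bytes) -> bytes:
    """Build a one-stanza Packages index for the constructed package."""
    return (f"Package: demo-pkg\nVersion: 1.0\n"
            f"Filename: pool/main/d/demo-pkg_1.0_amd64.deb\n"
            f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n").encode()

# Constructed sample data: what the archive published vs. what a bad mirror serves.
GOOD_DEB = b"constructed package payload v1.0"
EVIL_DEB = b"constructed payload, modified!!!"
INDEX_PATH = "main/binary-amd64/Packages"
INDEX = make_index(GOOD_DEB)
RELEASE = f"Suite: stable\nSHA256:\n {sha256(INDEX)} {len(INDEX)} {INDEX_PATH}\n"

if __name__ == "__main__":
    print(verify_download(RELEASE, INDEX_PATH, INDEX, "demo-pkg", GOOD_DEB))
    print(verify_download(RELEASE, INDEX_PATH, INDEX, "demo-pkg", EVIL_DEB))
    print(verify_download(RELEASE, INDEX_PATH, make_index(EVIL_DEB), "demo-pkg", EVIL_DEB))
```

A mirror that swaps the `.deb`, or swaps the `.deb` and rewrites the index to match, fails one of the two hash checks; getting past both would require changing `Release` itself, which invalidates its signature.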
 
7. Re: Sunday Safety Dance Dec 12, 2017, 02:16 eRe4s3r
 
TheVocalMinority wrote on Dec 11, 2017, 10:08:
eRe4s3r wrote on Dec 10, 2017, 19:09:
The problem with automatic updates in Debian 10 is that to consciously allow that you have to trust the hosters behind the package updates. And I seriously do not. This isn't a hardened infrastructure like Windows Update (the one thing that MS did not fuck up, even though it fucked WU up in many other ways). This is some automatically compiled stuff non-supervised and without any oversight. You can literally count the days till this is hacked.

I'm not quite sure what you are talking about here but I suspect you have no idea how Debian updates work. I'm no expert but I know the updates are signed and I'm also pretty sure Debian packages generally consist of pre-compiled binaries these days not code (other than the packages that actually give you the code for the binary packages).

Uh.... what has anything you said to do with hosting providers? You know where Debian hosts updates? You might wanna look that up, before you trust this system, or any OS auto update system, that is.

WU would be equally impossible to trust if MS actually hosted their updates anywhere but their own datacenters and servers.
 
 
6. Re: Sunday Safety Dance Dec 11, 2017, 10:08 TheVocalMinority
 
eRe4s3r wrote on Dec 10, 2017, 19:09:
The problem with automatic updates in Debian 10 is that to consciously allow that you have to trust the hosters behind the package updates. And I seriously do not. This isn't a hardened infrastructure like Windows Update (the one thing that MS did not fuck up, even though it fucked WU up in many other ways). This is some automatically compiled stuff non-supervised and without any oversight. You can literally count the days till this is hacked.

I'm not quite sure what you are talking about here but I suspect you have no idea how Debian updates work. I'm no expert but I know the updates are signed and I'm also pretty sure Debian packages generally consist of pre-compiled binaries these days not code (other than the packages that actually give you the code for the binary packages).
 
VM
 
5. Re: Sunday Safety Dance Dec 10, 2017, 22:00 Burrito of Peace
 
eRe4s3r wrote on Dec 10, 2017, 19:09:
The problem with automatic updates in Debian 10 is that to consciously allow that you have to trust the hosters behind the package updates. And I seriously do not.

I would rather hammer myself in the balls repeatedly with a ten pound sledgehammer than use automatic updates...let alone Debian.
 
 
4. Re: Sunday Safety Dance Dec 10, 2017, 21:25 jdreyer
 
RedEye9 wrote on Dec 10, 2017, 16:09:
I doubt linux folks are gonna be too excited with auto mode.

Maybe not, but I bet the AirBnB renters will be excited with auto mode.

Until the cops catch them, at least.
 
 
Stay a while, and listen.
 
3. Re: Sunday Safety Dance Dec 10, 2017, 19:09 eRe4s3r
 
The problem with automatic updates in Debian 10 is that to consciously allow that you have to trust the hosters behind the package updates. And I seriously do not. This isn't a hardened infrastructure like Windows Update (the one thing that MS did not fuck up, even though it fucked WU up in many other ways). This is some automatically compiled stuff non-supervised and without any oversight. You can literally count the days till this is hacked.

Also about the "safe"
the developer could build a smartphone app that could silently break into any existing VT20i safe in seconds, as long as Bluetooth was turned on.

At this point that can't even be called a safe, it's a metal box.

Also the company is REALLY called Vault Tek? Lmao

Well, you get what you pay for.. with Vault Tech you often get more than you want too.
 
 
2. Re: Sunday Safety Dance Dec 10, 2017, 17:16 yuastnav
 
I dunno, anyone can uninstall this package if they don't like it. Though in my 14 or so years of using Debian I've never encountered a problem with a security update on a stable system so that decision doesn't actually sound too bad.  
 
1. Re: Sunday Safety Dance Dec 10, 2017, 16:09 RedEye9
 
I doubt linux folks are gonna be too excited with auto mode.  
 
https://www.newyorker.com/humor/borowitz-report
 