On Fri, Sep 16, 2016 at 1:18 PM, Georgi Guninski <guninski@guninski.com> wrote:
Is Debian _still_ vulnerable to automatic updates, as it used to be? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820698;msg=5

Debian's Firefox/iceweasel in a VM still gives warnings about autoupdates of addons when started from a terminal (otherwise they are not visible ;) ).
Here's FreeBSD's take on the issue... https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html

Never mind that they still [1] don't have their release ISOs and everything else fully reproducible and cryptographically traceable back to their source repository, in part because their silly choice of repo (svn) isn't capable of establishing cryptographic provenance over, and distribution of, the source, so unlike the signable trees of git or monotone there's a big gaping disconnect there. Though they are making good progress on reproducibility.

Oh, and OpenBSD still uses cvs for code authenticity, lol.

Don't mistake this to mean that Linux distroland and model is anything close to secure either. It's probably much worse.

[1] They claim signed / hashed ISOs and packages, and server / filesystem / committer / sysadmin security / integrity are backtraceable and sufficient. And that monotonically increasing numeric commit revIDs and 'workflow' prevent using something like git. I claim baloney.
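As an added illustration of the provenance point above (not code from the thread or from any of the projects named): a toy object store using git's real object encoding, so that a signed tip commit transitively binds every tree and blob behind it, and a historical file rewritten in place is detected. The author identity, file contents and the tampering step are constructed for the demo; a plain svn-style revision number carries no such binding.

```python
import hashlib

def oid(kind, body):
    """git object id: SHA-1 over '<kind> <len>\\0' + body (real git encoding)."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def put(store, kind, body):
    store[oid(kind, body)] = (kind, body)
    return oid(kind, body)

def make_tree(store, files):  # files: name -> bytes; blobs plus one flat tree, git binary format
    entries = b"".join(f"100644 {n}\0".encode() + bytes.fromhex(put(store, "blob", files[n]))
                       for n in sorted(files))
    return put(store, "tree", entries)

def make_commit(store, tree, parent, msg):
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += ["author Dev <dev@example.invalid> 0 +0000",  # constructed identity
              "committer Dev <dev@example.invalid> 0 +0000", "", msg, ""]
    return put(store, "commit", "\n".join(lines).encode())

def verify(store, tip):
    """Walk from a trusted tip (what a signed tag binds); every reachable object must re-hash to its id."""
    seen, todo = set(), [tip]
    while todo:
        i = todo.pop()
        if i in seen:
            continue
        seen.add(i)
        if i not in store or oid(*store[i]) != i:
            return False
        kind, body = store[i]
        if kind == "commit":
            todo += [l.split()[1].decode() for l in body.split(b"\n")
                     if l.startswith((b"tree ", b"parent "))]
        elif kind == "tree":
            pos = 0
            while pos < len(body):
                nul = body.index(b"\0", pos)
                todo.append(body[nul + 1:nul + 21].hex())
                pos = nul + 21
    return True

def demo():
    # True before, False after a historical blob is rewritten under its old id (a bare revnum would not notice)
    store = {}
    c1 = make_commit(store, make_tree(store, {"hello.txt": b"hello\n"}), None, "v1")
    c2 = make_commit(store, make_tree(store, {"hello.txt": b"hello\n", "x": b"y\n"}), c1, "v2")
    before = verify(store, c2)
    store[oid("blob", b"hello\n")] = ("blob", b"hello, modified\n")  # constructed tamper
    return before, verify(store, c2)
```

The blob id for `hello\n` matches what `git hash-object` prints, so the store can be checked against a real repository.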