On Tue, Sep 20, 2016, 14:58 Steve Kinney <[1]admin@pilobilus.net>
   wrote:

     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA1
     On 09/20/2016 02:19 PM, Georgi Guninski wrote:
     > On Tue, Sep 20, 2016 at 12:38:43PM -0400, Steve Kinney wrote:
     >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
     >>
     >> On the downside, it makes denying that you wrote something all
     >> but impossible - "somebody stole my signing key and its pass
     >> phrase" is not what someone who is trying to avoid embarrassment
     >> would like to say.
     >>
     >
     > lol, tell this to the gpg's guys and gals, who completely
     > compromised the El Gamal's signing keys
     Oh dear.  That implies that the DEB and RPM package managers are
     blown
     wide open, as both use GPG for integrity checks.  At least this
     explains why everybody gets rooted all the time.
     We gonna have to compile and install from source signed by the
     devel... um, heh heh, signed with what?  Houston, come in?  Anybody
     down there?

   No. The Debian maintainers revoked all their ElGamal signing keys. It
   was a big fuck up, but it's been dealt with. The problem is the larger
   issue of writing secure software and building services/processes that
   depend on that software. There needs to be more defense in depth, where
   a single broken primitive can't compromise the whole chain. Signing
   commits, publishing them in multiple independent places, reproducible
   builds, extensive test suites. Of course, this is all unglamorous work
   that's hard to get volunteers to do unless they're really passionate
   about end-to-end security, i.e. the hard, dirty stuff that requires
   interacting with other humans, as opposed to individual security
   primitives which tend to be more standalone and thus easier for someone
   to work on in their spare time.

     > and to debian, who memset() what they read from /dev/random.
     Sounds like a personal issue to me...
     > search the interwebz for references.
     TL;DR
     teh intertubes has too big, probably over 9000
     -----BEGIN PGP SIGNATURE-----
     Version: GnuPG v2.0.22 (GNU/Linux)
     iQEcBAEBAgAGBQJX4bDnAAoJEECU6c5XzmuqPqcIALe915KwejZB6uNapRyaR2bh
     UvCO/Obw+qiBlVBXn5kJJPUWWmF0pi8H3q1q+THWbuGJUnXojzFR3lpQYIf/z5Iz
     QqdSQr0mbbA4ffRncpBXwtMH9Yh//NHSHxJ4wimg4RmDuunNgJyLosWvXCaFSZaC
     mlKuf71P8CsL5Yxx/5ze9APa7B8FFygL/Z7PMaT7WtVGD3rUh++E0hBmB8DEEYjG
     PlPfI5oeoAuTQpDEOv0aH8Hn4mIPhPhR7OP3Dz6TSvki6sYkDb0HPlR6WxANiVO3
     K1GVYTMydR1xAlB4wpHsRJPdZ5nhWAnCb3fFRFqRunHmEbi74WTMFarC7hyFhjE=
     =P36O
     -----END PGP SIGNATURE-----

References

   1. mailto:admin@pilobilus.net