Re: membership request to the closed linux-distros security mailing list

[Daniel Micay <danielmicay () gmail com>]

On 02/04/15 07:43 PM, Seth Arnold wrote:
> On Fri, Mar 20, 2015 at 02:00:29PM +0100, Sona Sarmadi wrote:
> > On behalf of Enea  Software AB, I would like to request membership to
> > the closed linux-distros security mailing list.
>
> Speaking strictly for myself, I'm still somewhat skeptical; the security
> announce archives http://mail.lists.enea.com/pipermail/security-announce/
> do show some security updates, but (guessing) 15% of the actual patch
> links I tried to follow no longer exist.
>
> Furthermore, the advisories all suggest downloading patches via http and
> offer no mechanism to validate the patches before applying them. Consider
> this recent advisory:
> http://mail.lists.enea.com/pipermail/security-announce/20150326/000064.html
>
> - there's no gpg signature on this advisory
> - there's no cryptographic checksums in the advisory to authenticate
>   the patch even if the advisory were signed
> - there's no ascii-armored signatures in the patches
> - there's no detached signatures at
>   http://linux.enea.com/5.0-beta-m400/patches/
>   or at
>   http://linux.enea.com/4.0/patches/
>
> If downloading patches and applying them by hand is really the
> distribution model Enea has chosen, then it feels like the provenance
> of updates is seriously lacking.
>
> In my opinion, until some more of the security basics are covered,
> joining linux-distros@ is premature.

I guess Ubuntu has to be dropped from the linux-distros then, because
www.ubuntu.com appears to be http-only and the ISO download is entirely
insecure. The security notices are also served insecurely there:

http://www.ubuntu.com/usn/

Am I missing something... ? It doesn't make much sense to criticize this
when you folks are doing the same. I do get the impression that Enea
Linux is handling security poorly (where are all of the other issues?)
but this bothered me.

Attachment: signature.asc
Description: OpenPGP digital signature