Pinboard (jm)
https://pinboard.in/u:jm/public/
recent bookmarks from jm

Attacks against GPG signed APT repositories - Packagecloud Blog
2018-05-15T11:34:39+00:00
https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repositories/
jm
It is a common misconception that simply signing your packages and repository metadata with GPG is enough to create a secure APT repository. This is false. Many of the attacks outlined in the paper and this blog post are effective against GPG-signed APT repositories. GPG signing Debian packages themselves does nothing, as explained below. The easiest way to prevent the attacks covered below is to always serve your APT repository over TLS; no exceptions.
This is excellent research. My faith in GPG sigs on packages is well shaken.
Tags: apt security debian packaging gpg pgp packages dpkg apt-get ops
https://pinboard.in/u:jm/b:debf14b06bb5/

Red Hat on rkt vs Docker
2015-05-10T19:56:51+00:00
http://rhelblog.redhat.com/2015/05/05/rkt-appc-and-docker-a-take-on-the-linux-container-upstream/
jm
This is like watching a train-wreck in slow motion on Groundhog Day. We, in the broader Linux and open source community, have been down this path multiple times over the past fifteen years, specifically with package formats. While there needs to be room for experimentation, having two incompatible specs driven by two startups trying to differentiate and in direct competition is *not* a good thing. It would be better for the community and for everyone who depends on our collective efforts if CoreOS and Docker collaborated on a standardized common spec, image format, and distribution protocol. To this end, we at Red Hat will continue to contribute to both initiatives with the goal of driving convergence.
Tags: rkt docker appc coreos red-hat dpkg rpm linux packaging collaboration open-source
https://pinboard.in/u:jm/b:2c98c2525622/