|
|
|
|
|
|
by ajross
4228 days ago
|
|
|
Er, huh? You're mixing two arguments here. You're talking about the difficulty of authenticating the root of trust (very hard) and trying to use it to address the issue of installing authenticated software (a long-solved problem). I'm aware of no situations where linux distro mirrors have been compromised with code that will install on live systems. Again, the key is set up on the clients at install time, you can't drop compromised software on them via package install without stealing the signing keys. The whole point here is that the "run the shell script off hte web" skips the whole root-of-trust issue, and suffers for it. It must stop, guys. |
|
|