Robert Buchholz wrote:
> Hi Peter,
>
> On Saturday, 17. May 2008, Peter Schneider-Kamp wrote:
>
>> the recently publicized SSL weak key generation for debian-based systems
>> (cf. http://www.debian.org/security/key-rollover/)
>> has led our university computing center to retract our
>> Gentoo-generated SSL keys based on an advisory from the German
>> DFN cert :-(
>>
>
> I could not find where these advisories are published on their site, I
> guess they are not publicly distributed.
>
> To think that any distribution is affected, simply
> because they do not publicly state they are not, is a bad habit.
>
< ....... >

> Regards,
> Robert // Gentoo Security
>

It's something of a "lesser of two evils" situation. In the absence of
evidence either way, the only habit that would be worse is assuming that
any distribution is not affected, simply because they do not publicly
state that they are. Having said that, it's good to know that
apparently Gentoo is not impacted.