OT: Whose packages to use?

[Fairlight]

At Fri, Apr 28, 2006 at 09:19:32AM -0400 or thereabouts, 
suspect Kenneth Brody was observed uttering:
> 
> On the other hand, you also have cases where the main distrib is made
> in Norway or Germany, but you'd much rather download from something a
> bit more local.  Get the MD5s from the horse's mouth, and then download
> from some local "get your free distribs here -- we promise we didn't do
> anything bad to them" site.  (As you said, this falls under the "kept
> on separate servers" category.  But it's not an uncommon scenario.)

Granted--unless the mirror is rsync'd (or otherwise sync'd) from the main
site on a nightly basis and you hit it right after both the main dist -and-
the md5 file are both compromised.

Then you're back to square one because you still had a single point of
failure.  That happened with the Jabber incident--main site was
compromised, everyone mirrored, nobody knew who had sane copies that could
be trusted for several days.  Much fear and uncertainty ensued.

What really wants doing is the md5's being kept on a separate FBSD
system with the immutable bit set.  If someone compromises -that-, to my
understanding they had to have physical access to the system.  I could be
off on that, but I don't think so.  I recall being told you need to drop
down to single-user to set or unset that bit.  Any of the FBSD gurus here
can confirm or deny (please?), I'm sure.

If -that- was implemented, I might actually check the md5's.  As they sit,
I think they're useless as 717$ on a bull.

mark->