[conspire] Re: Why to use packages if you can -- and reasons you might not

Rick Moen rick at linuxmafia.com
Sat Jan 15 10:01:45 PST 2005

At the risk of doing the subject to death, there's one other wrinkle I
wanted to mention:

> In taking on this role, Bob assumes several obligations:
> 1.  To make damned sure that whatever he packages is really Alice's 
>     work, rather than a trojaned imitation that someone snuck into
>     her ftp directory after site-compromising her ftp server.[1]

There's one _additional_ advantage of sticking to your distribution's
package-retrieval system (thus getting Bob's packages), rather than
manually fetching Alice's shiny-new upstream tarballs:

A typical distribution has checking built in, to ensure that packages
retrieved over the Internet (using apt-get, YUM, urpmi, YOU, etc.) 
are cryptographically signed on some level by an authorised package
releaser delegated to watch over the distribution's package system.
That guy's supposed to be guarding his signing key jealously, and 
your distribution supposedly should be able to recognise that key, and
reject other keys (or absence of a key) as invalid through some keyring
installed with your installation media.

Like all else, that isn't foolproof, but makes it much more likely that
what you fetch hasn't had a fake substituted for it on the fly.

Grabbing Alice's tarball means you've bypassed those protections, and
could be handed a fake if either the DNS or an intermediate router is 
in hostile hands.  Eliminating that possibility requires extra checking;
using Bob's package instead removes that need.
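The keyring check described above, as an added illustration in Go that is not part of the original mailing-list post: Ed25519 stands in for the GPG signatures real distributions use, Bob's key is the only one in the keyring, and the four cases are a genuine package, an unsigned download, a package signed with Alice's own upstream key, and one altered in transit. The key names, package contents and keyring layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)
// Keyring: the authorised releaser keys, like the keyring shipped on installation media (in memory here, keyed by raw public-key bytes).
type Keyring map[string]bool
// Signature: a detached signature plus the key that made it; nil models an unsigned download.
type Signature struct {
	Key ed25519.PublicKey
	Sig []byte
}
// Sign is Bob's side: the package releaser signs the package bytes with his key.
func Sign(priv ed25519.PrivateKey, pkg []byte) *Signature {
	return &Signature{Key: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, pkg)}
}
// Verify is the check apt-get/yum/urpmi make before installing: the signing key must already be in the keyring, and the signature must match the bytes received.
func (k Keyring) Verify(pkg []byte, sig *Signature) error {
	if sig == nil {
		return errors.New("package is unsigned")
	}
	if !k[string(sig.Key)] {
		return errors.New("signed by a key the distribution keyring does not trust")
	}
	if !ed25519.Verify(sig.Key, pkg, sig.Sig) {
		return errors.New("bad signature: package altered in transit or forged")
	}
	return nil
}
// Demo runs the cases from the post and returns each verdict (nil = accepted).
func Demo() map[string]error {
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // upstream key, not in the keyring
	ring := Keyring{string(bobPub): true}
	pkg := []byte("foo-1.0 package contents (constructed sample)")
	return map[string]error{
		"genuine":   ring.Verify(pkg, Sign(bobPriv, pkg)),
		"unsigned":  ring.Verify(pkg, nil),
		"alice-key": ring.Verify(pkg, Sign(alicePriv, pkg)),
		"tampered":  ring.Verify(append([]byte("X"), pkg[1:]...), Sign(bobPriv, pkg)), // one byte changed on the wire
	}
}
func main() {
	for name, err := range Demo() {
		fmt.Printf("%-10s %v\n", name, err)
	}
}
```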
