[sf-lug] Advantages of distro package regimes (was: flash 9 on Gutsy ubuntu 32 bit)

Kristian Erik Hermansen kristian.hermansen at gmail.com
Wed Dec 26 10:20:50 PST 2007

On Dec 26, 2007 1:04 PM, Rick Moen <rick at linuxmafia.com> wrote:
> However, end-users who deliberately go outside their distros' package
> regimes to install new goodies are very likely to get burned:  What you
> install may well not be what you think it is.  You may install corrupt
> software -- are you _sure_ the Adobe flash binary installer with the
> unverifiable md5sum is really from Adobe? -- and you may give unknown
> distant bad guys control of your machine.
> So, I'd advise not doing that -- and, in particular, not installing
> "cool little Web apps" available only as tarballs you have no reason to
> trust, written by unfamiliar people you have no reason to think know
> what they're doing.

I have witnessed Ubuntu users getting burned by a backdoored APT
source on multiple occasions.  It happens via IRC help in #ubuntu all
the time, and sites such as ubuntuguide.org only further complicate
the process.  Additionally, just because you added someone's GPG key
does not mean you are safe from intrusion!  As Rick mentioned, you
must be certain that you trust the source.  If you don't know the
source, and the GPG was added, then you are not secure.  It is
surprising to me just how many people think that if they don't see
that "Unsigned package" warning from DPKG that they are just fine.  It
couldn't be further from the case.  If I were nefarious and I wanted
to attack a wide array of Ubuntu resources at ring0, I would not waste
time going after the ubuntu.com repositories -- that would be
difficult and quickly noticed.  I would obviously attack something
like Medibuntu.  Many people trust that resource and add it, but I
guarantee you their security is not up to snuff with Canonical :-)  Be
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."
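A small audit script for the concern raised in this post, added here as an example and not part of the original thread: it reads sources.list-style entries (the sample below is constructed), flags any host outside an assumed list of distro mirrors so that third-party sources such as Medibuntu stand out for review, and also flags entries carrying APT's `[trusted=yes]` option, which silences signature checks altogether (the post itself does not mention that option).

```shell
#!/bin/sh
# Constructed sample sources.list content (not from the original post).
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu gutsy main restricted
deb http://security.ubuntu.com/ubuntu gutsy-security main
deb http://packages.medibuntu.org/ gutsy free non-free
deb [trusted=yes] http://example.invalid/ubuntu gutsy main
# deb http://commented.example.invalid/ gutsy main'

# Hosts treated as the distro's own archive (assumption: edit for your mirrors).
DISTRO_HOSTS='archive.ubuntu.com security.ubuntu.com'

# Extract the hostname from an APT source URL.
source_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# Read sources.list lines on stdin; print "<status><TAB><host>" per active entry.
# Status is "distro", or "THIRD-PARTY", optionally suffixed with
# ",SIG-CHECK-DISABLED" when the entry uses [trusted=yes].
audit_sources() {
    set -f                       # no globbing while splitting "[trusted=yes]"
    while IFS= read -r line; do
        case "$line" in
            deb*) ;;             # only active deb / deb-src entries
            *) continue ;;
        esac
        set -- $line
        shift                    # drop "deb" or "deb-src"
        opts=''
        case "$1" in
            \[*) opts="$1"; shift ;;   # option block such as [trusted=yes]
        esac
        host=$(source_host "$1")
        status='distro'
        case " $DISTRO_HOSTS " in
            *" $host "*) ;;
            *) status='THIRD-PARTY' ;;
        esac
        case "$opts" in
            *trusted=yes*) status="$status,SIG-CHECK-DISABLED" ;;
        esac
        printf '%s\t%s\n' "$status" "$host"
    done
    set +f
}

printf '%s\n' "$SAMPLE_SOURCES" | audit_sources
```

Run it against a real machine with `audit_sources < /etc/apt/sources.list`; anything not marked `distro` is a source whose operators you are trusting with root on the box, key or no key.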
