[sf-lug] Advantages of distro package regimes
Charles N Wyble
charles at thewybles.com
Wed Dec 26 10:33:43 PST 2007
Kristian Erik Hermansen wrote:
>
>
> I have witnessed Ubuntu users getting burned by a backdoored APT
> source on multiple occasions. It happens via IRC help in #ubuntu all
> the time, and sites such as ubuntuguide.org only further complicate
> the process. Additionally, just because you added someone's GPG key
> does not mean you are safe from intrusion! As Rick mentioned, you
> must be certain that you trust the source. If you don't know the
> source, and the GPG was added, then you are not secure. It is
> surprising to me just how many people think that if they don't see
> that "Unsigned package" warning from DPKG that they are just fine. It
> couldn't be further from the case. If I were nefarious and I wanted
> to attack a wide array of Ubuntu resources at ring0, I would not waste
> time going after the ubuntu.com repositories -- that would be
> difficult and quickly noticed. I would obviously attack something
> like Medibuntu. Many people trust that resource and add it, but I
> guarantee you their security is not up to snuff with Canonical :-) Be
> warned...
>
Kristian,
Your comments above imply that you know something about the security of
Medibuntu. If you know of a vulnerability in their systems or processes
and do not report it to them you are doing a disservice to the
community. I certainly hope this is not the case?
I agree with the other points regarding unsigned warnings and
repositories etc.
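An added example, not part of this thread or of any project mentioned in it, of the defensive side of the point above: it parses one-line APT source entries (constructed sample data, with example.org/example.net standing in for third-party hosts), flags non-official repositories whose key is not scoped to that repository with apt's later `signed-by` option (a key in the global keyring can sign any repository, which is why adding a key proves nothing about the source), and generates a preferences pin so a third-party repository cannot silently replace the distribution's own packages. The official host list is an assumption to adjust for your mirror.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts treated as the distribution's own archive; adjust for your mirror.
OFFICIAL_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com", "ubuntu.com")

# Constructed sample sources.list content (hosts are placeholders, not real repositories).
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu gutsy main restricted universe
deb [signed-by=/usr/share/keyrings/example-archive.gpg] https://repo.example.org/ubuntu gutsy main
deb http://packages.example.net/ubuntu gutsy free non-free
"""

_LINE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")

def parse_sources(text):
    """Parse 'deb [opts] url suite comps...' lines into dicts; comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        kind, opts, url, suite, comps = m.groups()
        options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
        entries.append({"type": kind, "url": url, "suite": suite,
                        "components": comps.split(), "options": options})
    return entries

def is_official(url):
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def audit(entries):
    """Report each third-party repo and whether its signing key is scoped to it."""
    return [{"host": urlparse(e["url"]).hostname,
             "key_scoped": "signed-by" in e["options"]}
            for e in entries if not is_official(e["url"])]

def pin_stanza(host, priority=100):
    """Apt preferences entry: with priority 100 a third-party version is only
    installed when the package is not available from a higher-priority source,
    so the repo cannot override core packages through a routine upgrade."""
    return f'Package: *\nPin: origin "{host}"\nPin-Priority: {priority}\n'

if __name__ == "__main__":
    for f in audit(parse_sources(SAMPLE_SOURCES)):
        status = "key scoped" if f["key_scoped"] else "KEY NOT SCOPED (any keyring key can sign it)"
        print(f"{f['host']}: {status}\n{pin_stanza(f['host'])}")
```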