[sf-lug] Advantages of distro package regimes
Asheesh Laroia
asheesh at asheesh.org
Wed Dec 26 10:37:44 PST 2007
On Wed, 26 Dec 2007, Charles N Wyble wrote:
> Kristian Erik Hermansen wrote:
>>
>> I have witnessed Ubuntu users getting burned by a backdoored APT
>> source on multiple occasions. It happens via IRC help in #ubuntu all
>> the time, and sites such as ubuntuguide.org only further complicate
>> the process. Additionally, just because you added someone's GPG key
>> does not mean you are safe from intrusion! As Rick mentioned, you
>> must be certain that you trust the source. If you don't know the
>> source, and the GPG was added, then you are not secure. It is
>> surprising to me just how many people think that if they don't see
>> that "Unsigned package" warning from DPKG that they are just fine. It
>> couldn't be further from the case. If I were nefarious and I wanted
>> to attack a wide array of Ubuntu resources at ring0, I would not waste
>> time going after the ubuntu.com repositories -- that would be
>> difficult and quickly noticed. I would obviously attack something
>> like Medibuntu. Many people trust that resource and add it, but I
>> guarantee you their security is not up to snuff with Canonical :-) Be
>> warned...
>>
>
> Kristian,
>
> Your comments above imply that you know something about the security of
> medibuntu. If you know of a vulnerability in their systems or processes
> and do not report it to them you are doing a disservice to the
> community. I certainly hope this is not the case?
I know nothing about the particular security or insecurity of Medibuntu or
Automatix's distribution servers, but I'd go one step further and suggest
that attacking Automatix would be better. (-:
(I imagine that Kristian would be willing to say both clauses in the above
sentence.)
-- Asheesh.
--
Living in the complex world of the future is somewhat like having bees
live in your head. But, there they are.
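A defender's counterpart to the point made in the thread, added here as an example and not code from any list member: it parses a constructed sources.list, flags repositories that are not official Ubuntu hosts, and writes an APT pinning policy so a third-party source such as Medibuntu can only supply the packages you explicitly allow from it, rather than any package on the system. OFFICIAL_HOSTS, the sample entries and the allowlist are assumptions.

```python
"""Audit APT sources for third-party repositories and emit a pinning policy.

Adding a third-party source plus its signing key lets that repository supply
any package, including replacements for core packages that run as root.
APT preferences ("pinning") restrict such a source to the packages you want.
"""
import re
from urllib.parse import urlparse

OFFICIAL_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}  # assumption

# Constructed sample, not taken from any real machine.
SAMPLE_SOURCES = """
deb http://archive.ubuntu.com/ubuntu gutsy main restricted universe
deb http://security.ubuntu.com/ubuntu gutsy-security main restricted
# deb http://archive.canonical.com/ubuntu gutsy partner
deb [arch=i386] http://packages.medibuntu.org/ gutsy free non-free
deb-src http://packages.medibuntu.org/ gutsy free non-free
deb http://example.invalid/ppa gutsy main
"""

LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s*(.*)$")

def parse_sources(text):
    """Return (type, host, suite, components) for every active entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        kind, uri, suite, comps = m.groups()
        host = urlparse(uri).hostname or uri
        entries.append((kind, host, suite, comps.split()))
    return entries

def third_party_hosts(text, official=OFFICIAL_HOSTS):
    """Hosts that can install binaries (deb, not deb-src) and are not official."""
    return sorted({h for kind, h, _, _ in parse_sources(text)
                   if kind == "deb" and h not in official})

def pin_policy(text, allow=None, official=OFFICIAL_HOSTS):
    """Build /etc/apt/preferences stanzas: a third-party origin gets priority
    100 (never overrides an official version) except for allowed packages,
    which get 600 (preferred over the official archive)."""
    allow = allow or {}
    stanzas = []
    for host in third_party_hosts(text, official):
        for pkg in allow.get(host, ()):
            stanzas.append(f"Package: {pkg}\nPin: origin {host}\nPin-Priority: 600\n")
        stanzas.append(f"Package: *\nPin: origin {host}\nPin-Priority: 100\n")
    return "\n".join(stanzas)
```

The specific `Package: name` stanza takes precedence over the `Package: *` one for the same origin, which is what lets the allowlist work.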