[sf-lug] Advantages of distro package regimes

Asheesh Laroia asheesh at asheesh.org
Wed Dec 26 10:37:44 PST 2007

On Wed, 26 Dec 2007, Charles N Wyble wrote:

> Kristian Erik Hermansen wrote:
>> I have witnessed Ubuntu users getting burned by a backdoored APT
>> source on multiple occasions.  It happens via IRC help in #ubuntu all
>> the time, and sites such as ubuntuguide.org only further complicate
>> the process.  Additionally, just because you added someone's GPG key
>> does not mean you are safe from intrusion!  As Rick mentioned, you
>> must be certain that you trust the source.  If you don't know the
>> source, and the GPG was added, then you are not secure.  It is
>> surprising to me just how many people think that if they don't see
>> that "Unsigned package" warning from DPKG that they are just fine.  It
>> couldn't be further from the case.  If I were nefarious and I wanted
>> to attack a wide array of Ubuntu resources at ring0, I would not waste
>> time going after the ubuntu.com repositories -- that would be
>> difficult and quickly noticed.  I would obviously attack something
>> like Medibuntu.  Many people trust that resource and add it, but I
>> guarantee you their security is not up to snuff with Canonical :-)  Be
>> warned...
> Kristian,
> Your comments above imply that you know something about the security of
> medibuntu. If you know of a vulnerability in there systems or processes
> and do not report it to them you are doing a disservice to the
> community. I certainly hope this is not the case?

I know nothing about the particular security or insecurity of Medibuntu or 
Automatix's distribution servers, but I'd go one step further and suggest 
that attacking Automatix would be better. (-:

(I imagine that Kristian would be willing to say both clauses in the above 

-- Asheesh.

Living in the complex world of the future is somewhat like having bees
live in your head.  But, there they are.

More information about the sf-lug mailing list