[ILUG] packaging risks and the reputation of linux
lbedford at lbedford.org
Tue Oct 8 11:07:03 IST 2002
>It occurs to me that all of the linux distributions (from here on, replace
>"linux" with "GNU/Linux" if you want), whether debian or redhat or whatever,
>seem to be making a big assumption that could bite them later.
>Right now we all run stuff as root to install packages, whether by way of RPM,
>APT, or whatever. We don't do anything (md5sum is still a number that could
>be quietly replaced) to verify the source of the package.
>So Joe Random Hacker could, if they wanted, quietly add a couple of commands
>to the stuff run during installation to introduce a hole onto the system
>being used for installation. They wouldn't have to try to target official
>distribution sites (ftp.redhat.com or whatever), though that would be
>helpful. Instead, pick random mirror sites and give it a try.
All the redhat RPMs are gpg signed. I think the same is either happening or
has happened with debian.
Can't speak for any other distros. I know Apple had the same problem
6 months ago and they've started signing their packages too.
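The point made in the thread, as an added illustration (not code from either poster): a checksum file served from the same mirror as the package proves nothing, because whoever swaps the package can regenerate it, while a signature made with the distribution's private key cannot be recomputed by the mirror operator. Real distributions use GPG; this model stands in a small textbook-RSA key (constructed primes 65521 and 65537) for the distribution's key, and the package bytes and "extra %post script" are constructed sample data.

```python
import hashlib

# Constructed toy key in place of the distribution's GPG key.  Only the
# distribution holds D; clients ship with (N, E) pinned, never fetched
# from a mirror.  Textbook RSA with no padding: a model, not real signing.
P, Q, E = 65521, 65537, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def digest_int(data: bytes) -> int:
    """Hash the package and reduce into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = D) -> int:
    """Distribution side: signature over the package digest."""
    return pow(digest_int(data), d, N)


def verify_signature(data: bytes, sig: int) -> bool:
    """Client side: needs only the pinned public key (N, E)."""
    return pow(sig, E, N) == digest_int(data)


def verify_md5_from_mirror(data: bytes, md5_file: str) -> bool:
    """The check the original poster criticises: the reference value
    came from the same mirror as the package."""
    return hashlib.md5(data).hexdigest() == md5_file.strip()


def publish(package: bytes) -> dict:
    """What a mirror serves: package, md5 file and a detached signature."""
    md5 = hashlib.md5(package).hexdigest() + "\n"
    return {"pkg": package, "md5": md5, "sig": sign(package)}


def tamper(mirror: dict, new_package: bytes) -> dict:
    """A mirror operator swaps the package and regenerates the md5 file.
    Without D the signature cannot be regenerated, so the old one stays."""
    md5 = hashlib.md5(new_package).hexdigest() + "\n"
    return {**mirror, "pkg": new_package, "md5": md5}


def scenario() -> dict:
    """Run both checks against an honest mirror and a tampered one."""
    clean = publish(b"original-package-contents")  # constructed payload
    bad = tamper(clean, b"original-package-contents + extra %post script")
    return {
        "honest_md5": verify_md5_from_mirror(clean["pkg"], clean["md5"]),
        "honest_sig": verify_signature(clean["pkg"], clean["sig"]),
        "tampered_md5": verify_md5_from_mirror(bad["pkg"], bad["md5"]),
        "tampered_sig": verify_signature(bad["pkg"], bad["sig"]),
    }
```

The md5 check passes on both mirrors; only the pinned-key signature check rejects the swapped package.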