
"rPath's Conary is a second-generation package manager. Considering that Erik Troan, rPath's CTO and co-founder, was one of the original authors of the RPM package format, some might be tempted to view Conary as an effort to do things right the second time around - nor is that view far from wrong. In its design, Conary is a streamlined version of dpkg or RPM with Yum in which all the utilities of those package managers are combined in a single command and combined with version control to meet the demands of a modern distribution."
Being always interested in online security, and frustrated with all the poor security nowadays, one of the first things that comes to my mind when reading about new package management schemes is: how secure might it be? Or is the security of Conary related more to each individual implementation and a distribution?
Now that we have secure apt-get (Debian, Ubuntu) and other such relatively secure package management solutions, I'm just not willing to compromise and go back to less secure solutions again. (However, OpenBSD might be a bit too much for me as a daily desktop OS though...)
Yeah, well, maybe I might be a bit paranoid to take this point of view here... - but ever heard about rootkits, spam, viruses, spambots, crackers etc...? At least I would like things to be a bit better than what they are, wouldn't you? Improving package management security is one part of the bigger picture in IT security. And yeah, I do know that even a bit less secure package management systems than, for example, secure apt, may well be secure enough especially for ordinary desktop users. But - why bother to use and support anything less secure if you do have more secure (and even quite easy to use) options, and why take any extra risks?
So, does Conary, Foresight and/or rPath address potential security issues in package management in any way? Do they use signature checks (repositories, packages) or something like that? Or is security a concern for them at all?
(Edit: corrected a few typos etc.)
Edited 2007-03-06 20:00