Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption
This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
RE[2]: Bottom Line
by google_ninja on Wed 16th Dec 2009 22:56 UTC in reply to "RE: Bottom Line"
If anything, this incident just underlines the points: that one simply cannot trust downloading from websites, no matter how seemingly reputable; and that one should always use the package manager, and ONLY the package manager, to install applications and utilities for Linux systems.

That's not really true.

As soon as you execute ANY executable code, you are putting full control of your computer into the hands of anyone who had the ability to modify that code before it got to you. I'm assuming you mean Debian when you said package managers have an impeccable record, and I would totally agree with that. But that doesn't change that you are putting control of your computer into the hands of whoever has the ability to add or modify a package in a Debian repo when you run it.

It is a matter of trust, and a question of degree.

In contrast, downloading binary blobs from websites and putting them on one's system is a way of life for Windows users. Mac users are possibly part way between these two extremes.

Mac users are in the same boat as Windows users.

Score: 4