Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
RE[3]: Bottom Line
by lemur2 on Thu 17th Dec 2009 00:57 UTC in reply to "RE[2]: Bottom Line"

As soon as you execute ANY executable code, you are putting full control of your computer into the hands of anyone who had the ability to modify that code before it got to you. I'm assuming you mean debian when you said package managers have an impeccable record, and I would totally agree with that. But that doesn't change that you are putting control of your computer into the hands of whoever has the ability to add or modify a package in a debian repo when you run it.

It is a matter of trust, and a question of degree.

No, I mean all distribution repositories. That is to say, those repositories of packages that are maintained by some distribution or another.

Debian has these, as does Fedora, Arch, Ubuntu, Mandriva, OpenSuse, Slackware ... almost any distribution. (Some smaller distributions leech off other repositories. For example, sidux uses the Debian sid repositories).

All of these have an impeccable record.

Debian and Ubuntu repositories include about 25,000 packages. "Smaller" distributions, such as Arch, will typically have only about 5,000 packages. This is largely a matter of the manpower available to maintain the repositories in each case.

As far as trust goes ... it is most decidedly in the self-interest of the distribution to maintain the highest quality of its repositories. This is what the people involved themselves use for their own systems, and the quality of the distribution's repositories is what the entire reputation of the distribution hangs on.

As for whether or not you can trust the system ... well, having an impeccable record over many years for thousands of packages speaks a lot to that topic, wouldn't you say?

Edited 2009-12-17 01:00 UTC

Score: 2