SLUG Mailing List Archives

[SLUG] Security of auto updates; was Debian/Mandrake

Roland Turner wrote:
> > Second is related to this I'm still tossing up between Mandrake and Debian..
> wrong so rarely as to not matter. The only obvious trap is that if you
> wish to install a package, you don't download it yourself. Instead just
> type 'apt-get install packagename' and let Debian do the rest. If you do go
> ahead and download the .deb archive, you'll find yourself needing to get
> more intimate with the package management system than you might wish.

Have been following this as I intend to swap to Debian from
RedHat on my Alpha.
One thing that the above raises is security during an
internet install. I have used rpm update but only to
download rpms as a normal user and, after disconnecting, log on
as root and do the install/update. I have grave doubts about
having an app running as root or suid root while downloading
stuff and installing from the net.

What are the security implications? Is rpm update or
apt-get install written in such a way as to not pose a problem?
Am I being too paranoid?

Michael Lake
University of Technology, Sydney
Email: mailto:Mike.Lake@xxxxxxxxxx Ph: 02 9514 1724 Fx: 02 9514 1628
URL: http://www.science.uts.edu.au/~michael-lake/
Linux enthusiast, active caver and interested in anything