SLUG Mailing List Archives
Re: [SLUG] Security of auto updates; was Debian/Mandrake
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Security of auto updates; was Debian/Mandrake
- From: Roland Turner <raz@xxxxxxxxxxxxxx>
- Date: Mon Aug 14 14:22:38 2000
- Organization: -
Michael Lake wrote:
> What are the security implications, is rpm update or apt
> get-install written in such a way to not pose a problem, am
> I being too paranoid?
The honest answer is "I don't know". I do know that Debian packages are
signed, so it is possible to confirm that the packages that are being
downloaded are signed by trusted developers (or at least, that the
intruder who signed them also managed to get him/herself onto the debian
keyring, either for real, or on the substitute one that you were tricked
into installing). I don't know whether this is actually being checked.
In any event, it would probably easier for an intruder to insert bad
code into a program that runs as root and have it included into Debian,
than to spoof your download.
I suspect that this is part of a broad trust issue that depends upon
reputation (thus Debian's strong requriements on identifying
developers). When (if) the first exploit of this type is reported, the
mechanisms will be strengthened to meet the threat, as is typical.