Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Security of auto updates; was Debian/Mandrake


On Mon, Aug 14, 2000 at 12:40:38PM +1000, Michael Lake wrote:
> Roland Turner wrote:
> > > Second is related to this I'm still tossing up between Mandrake and Debian..
> ....
> > wrong so rarely as to not matter. The only obvious trap is that if you
> > wish to install a package, you don't download it yourself. Instead just
> > type 'apt-get install packagename' and let Debian the rest. If you do go
> > ahead and download the .deb archive, you'll find yourself needing to get
> > more intimate with the package management system than you might wish.
> 
> One thing that the above raises is security during an
> internet install. I have used rpm update but only to
> download rpms as a normal user and after disconnecting logon
> as root and do the install/update. I have grave doubts about

apt-get can be configured to only download the files and not installed them.

This it does as root however. However apt-get can also print the URIs (see
the man page for specifics) so that you can download things via whatever
means.

I don't perceive a security risk in downloading as it is basically slapping
bits you got from a socket onto a file.

As I've stated previous, currently Debian doesn't validate signatures it
only does an md5 checksum on files. Should an attacker modify the original
archive then they can easily send bogus packages to you (by modifying the
packages file).

Anand