
Re: freshmeat editorial about package management security issues



On Tue, 9 May 2000, jeff covey wrote:

> individuals, does rpm provide a warning like "This package has not
> been prepared by Red Hat.  While it's probably fine, we cannot confirm
> that it will work with your system.  Continue installation? [Y/n]"?

One thing I hear often about .debs is that, since we are basically the only
provider [particularly of the base system], all .debs 'work' with your
system.

> I'm not asking about them being altered after the fact; I'm just
> confirming that a procedure is in place to double-check the official
> signed packages to confirm that, for example, a disgruntled employee

We have no official auditing of packages, but before we make a stable
release the packages are put through a lot of testing and investigation; it
would be hard for a simple attack to get through. Smart, devilish attacks, I
think, could pass into stable undetected if one of our maintainers decided
to make one.

People do monitor the upload list to make sure that the 'right people' are
uploading the 'right packages', which tends to defuse the worst things
(like libc6 trojans, etc.).

> [Debian folks:  This is even more of a question for you, since you're 
> accepting packages from people from all over, who may only have their
> reputations, not their jobs and the threat of prosecution, hanging

Actually, we go through a fairly intensive ID process before we accept a
package from anyone. If someone does decide to do something nasty we will
know exactly who it was, and depending on local laws they may face
prosecution. Look at http://www.debian.org/devel/join/nm-checklist; it has
some information about this process.

> Unfortunately, Joe's package also did something else:  It replaced
> /bin/rpm with a version that will not install any version of sendmail

Unless you sandbox the install scripts, this is impossible to prevent :<

Jason
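A check in the spirit of the upload-list monitoring and the maintainer ID process described in the reply above, as an added example that is not from this thread or from Debian's archive tools: it flags uploads signed by a key that is not a known developer, or that belongs to a known developer who is not an authorised uploader of that package. The keys, packages, log format and allowlists are constructed placeholders.

```python
"""Flag archive uploads signed by the wrong key for the package (added example)."""
from dataclasses import dataclass

# Constructed: keys of developers who passed the new-maintainer ID process.
KNOWN_DEVELOPERS = {"KEY-ALICE", "KEY-BOB", "KEY-CAROL"}
# Constructed: package -> keys allowed to upload it (maintainer/uploaders).
AUTHORIZED = {"libc6": {"KEY-ALICE"}, "sendmail": {"KEY-BOB", "KEY-CAROL"}}
# Packages where a rogue upload does the most damage (the thread's libc6 case).
CRITICAL = {"libc6"}

@dataclass
class Upload:
    package: str
    version: str
    signer: str

def parse_upload_log(text):
    """Parse constructed lines 'ACCEPTED <package> <version> <signer key>'."""
    uploads = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ACCEPTED":
            uploads.append(Upload(*parts[1:]))
    return uploads

def classify(upload, known=KNOWN_DEVELOPERS, authorized=AUTHORIZED, critical=CRITICAL):
    """Return None if the upload is in order, otherwise a short finding label."""
    if upload.signer not in known:
        return "unknown-signer"  # key never went through the ID process
    allowed = authorized.get(upload.package)
    if allowed is None:
        return "new-package"  # nothing on record to compare against
    if upload.signer not in allowed:
        return "critical-wrong-uploader" if upload.package in critical else "wrong-uploader"
    return None

def check_uploads(uploads):
    """Return [(package, version, signer, finding)] for every suspicious upload."""
    return [(u.package, u.version, u.signer, f)
            for u in uploads if (f := classify(u)) is not None]

# Constructed sample of the upload list, one accepted upload per line.
SAMPLE_LOG = """\
ACCEPTED libc6 1.0-1 KEY-ALICE
ACCEPTED sendmail 1.0-1 KEY-CAROL
ACCEPTED libc6 1.0-2 KEY-BOB
ACCEPTED sendmail 1.0-2 KEY-MALLORY
ACCEPTED newpkg 0.1-1 KEY-BOB
"""
```

Running `check_uploads(parse_upload_log(SAMPLE_LOG))` reports the libc6 upload by a developer who is not its maintainer, the sendmail upload by an unknown key, and the brand-new package for manual review.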


