On 18/02/08 06:01 -0300, Felipe Figueiredo wrote:
On Sun 17 Feb 2008 17:48:16 Alexander Schmehl wrote:
Well, a rogue hacker would need to be quite skilled to add some kind of "bad" package. Let's assume he has created a bad package and got control over a mirror

How about a simpler attack vector: compromise a devel account, and sneak in a patch to be automatically incorporated to a package. Is this feasible?
I think packages are signed when uploaded, so it's not easy. You also could compromise upstream, a buildd machine or gcc.
I understand that this case would not reflect what the OP asked about, but still.
Why trust software you didn't write yourself at all?

regards, Rolf

http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

-- 
Process too hard to explain.
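The "control over a mirror" scenario quoted above is the one that package signing is meant to close: a mirror can serve whatever bytes it likes, but the client only trusts package indexes whose hashes appear in a Release file that the archive key signed. The following is an added example, not code from this thread or from Debian's apt; it parses the SHA256 section of a constructed, APT-style Release file and checks a Packages index against it. It assumes that the Release file's GPG signature has already been verified by some other step (in a real client that check comes first, via InRelease or Release.gpg), and all file contents, paths and hashes below are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed package index, standing in for main/binary-amd64/Packages.
# The Filename below is a made-up placeholder, not a real archive path.
PACKAGES = b"""Package: hello
Version: 2.10-1
Architecture: amd64
Filename: pool/main/h/hello/hello_2.10-1_amd64.deb
"""

INDEX_PATH = "main/binary-amd64/Packages"


def make_release(packages: bytes, path: str = INDEX_PATH) -> str:
    """Build a constructed Release file listing one index under SHA256:.

    Real Release files carry many more fields and several hash sections;
    the layout used here (' <hexdigest> <size> <path>' under 'SHA256:')
    matches the real format, which is all the verifier needs.
    """
    digest = hashlib.sha256(packages).hexdigest()
    return (
        "Origin: Example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {digest} {len(packages)} {path}\n"
    )


def parse_release_hashes(release_text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from one hash section of a Release file.

    A section starts at a line equal to 'SHA256:' (or another algorithm name)
    and consists of the indented lines that follow it; the next unindented
    line ends the section.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.rstrip() == f"{algo}:"
            continue
        if not in_section:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed entry; ignore rather than guess
        digest, size, path = parts
        entries[path] = (digest.lower(), int(size))
    return entries


def verify_index(release_text: str, path: str, content: bytes) -> str:
    """Check an index file against the (already signature-verified) Release.

    Returns 'ok', or a short reason string describing why the file must be
    rejected. Size is compared first because it is cheap and a mismatch is
    definitive; the digest comparison uses a constant-time compare.
    """
    entries = parse_release_hashes(release_text)
    if path not in entries:
        return "unlisted"  # mirror served a file the signed Release never named
    expected_digest, expected_size = entries[path]
    if len(content) != expected_size:
        return "size-mismatch"
    actual_digest = hashlib.sha256(content).hexdigest()
    if not hmac.compare_digest(actual_digest, expected_digest):
        return "hash-mismatch"  # bytes differ from what the archive signed for
    return "ok"


if __name__ == "__main__":
    release = make_release(PACKAGES)
    print("untouched index:", verify_index(release, INDEX_PATH, PACKAGES))
    # A modified version string of the same length: only the digest catches it.
    tampered = PACKAGES.replace(b"2.10-1", b"2.10-2")
    print("tampered index: ", verify_index(release, INDEX_PATH, tampered))
```

The point of the design is that the mirror never gets a say: the hashes come from the signed Release file, so a mirror that rewrites a Packages index (or the .deb files it points to, which are in turn hashed inside Packages) produces a mismatch rather than a silently accepted package. What this does not cover is exactly what Rolf lists next: a compromised developer key, buildd or compiler signs or builds the bad bytes legitimately, and the hashes then match by construction.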