Re: Package management unsafe?

To: debian-devel@lists.debian.org
Subject: Re: Package management unsafe?
From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
Date: Fri, 11 Jul 2008 14:55:06 +0200
Message-id: <[🔎] 20080711125506.GC16323@uio.no>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 487753DC.5020802@cox.net>
References: <[🔎] 487753DC.5020802@cox.net>

On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> 
> What are people's thoughts on this?

It's been known for quite a while. (I asked one of the guys publishing it,
and he was fully aware of that, but felt it was still important to bring
light to it.)

In any case, it's pretty hard to exploit as long as you have security updates
on a different (trusted) server. The best thing you can do is DoS the process
so the user's package management software crashes, or simply never update
your mirror so users don't get updates.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

Reply to:

Follow-Ups:
- Re: Package management unsafe?
  - From: "Michael Casadevall" <sonicmctails@gmail.com>
- Re: Package management unsafe?
  - From: Justin Samuel <jsamuel@cs.arizona.edu>

References:
- Package management unsafe?
  - From: Ron Johnson <ron.l.johnson@cox.net>

Prev by Date: Re: Help: Strange 64bit issue
Next by Date: Re: Help: Strange 64bit issue
Previous by thread: Package management unsafe?
Next by thread: Re: Package management unsafe?
Index(es):
- Date
- Thread