
Re: Package management unsafe?

On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> What are people's thoughts on this?

It's been known for quite a while. (I asked one of the guys publishing it,
and he was fully aware of that, but felt it was still important to bring
light to it.)

In any case, it's pretty hard to exploit as long as you have security updates
on a different (trusted) server. The best thing you can do is DoS the process
so the user's package management software crashes, or simply never update
your mirror so users don't get updates.

/* Steinar */
Homepage: http://www.sesse.net/
