[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Package management unsafe?

* Ron Johnson:

> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> What are people's thoughts on this?

HTTPS doesn't help against non-trusted mirrors.

The difficult question is how to tell an APT source which is not updated
regularly from an APT source that has been rolled back in a replay

Apart from that, this is clearly a PR stunt.  Next, we might see someone
who tries to get into the project, with the intent to upload Trojanized
packages--all in the name of academic research.

Reply to: