Re: Packages that download/install unsecured files
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christoph Anton Mitterer wrote:
> Hi.
>
> Some time ago, I wrote several bug reports against packages that download
> files from some non-apt-secured sources on the web and install them.
>
> I got more or less positive feedback, from maintainers who happily
> accepted my suggestions to those who thought they were crap and not
> necessary ;)
>
>
> Some days ago Tom Feiner opened #546945 (and CC'ed me), which proved to me
> that I'm not the only one concerned about these issues.
>
>
> So I thought it might be worth bringing them up for discussion here.
Maybe we should also think about the downloaded files themselves.
A firmware for Linux or a plugin for Firefox could do really bad things.
In the case of geoip it is just a data file (like a .svg etc.) with no
attack vector. The attacker could only inject a corrupted database
and geoip will throw errors/false positions.
Is this really a vector for it?
- --
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: pmatthaei@debian.org
patrick@linux-dev.org
Comment:
Always if we think we are right,
we were maybe wrong.
*/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkqyj/QACgkQ2XA5inpabMcu2QCcDPhC6W99H+VCyQNbfE5FItiE
MXgAoJko/JL4r7yXSIpnmgrLZKWpMqoI
=mQ9S
-----END PGP SIGNATURE-----
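The thread is about packages whose maintainer scripts fetch files over plain HTTP and install them with no integrity check. The script below is an added example, not code from this thread or from any Debian package: it shows the minimal check such a script can do before touching the fetched file, comparing it against a SHA-256 digest that the package itself ships. The file names, the "downloaded" file and the tampered copy are all constructed locally so the example runs offline; no real GeoIP data or URL is involved.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: install a fetched file only
# if its SHA-256 matches a digest pinned inside the package. The pinned digest
# stands in for what apt's signed Release/Packages chain provides for .debs.
set -eu

# verify_checksum FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_checksum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_verified FILE EXPECTED_HEX DEST
# Copies FILE to DEST (mode 0644) only after the digest check passes.
# A mismatch leaves DEST untouched and returns 1, so the caller cannot
# accidentally keep a corrupted or substituted file in place.
install_verified() {
    if verify_checksum "$1" "$2"; then
        cp "$1" "$3"
        chmod 0644 "$3"
        return 0
    fi
    echo "checksum mismatch for $1, refusing to install to $3" >&2
    return 1
}

# --- constructed demonstration (no network, no real GeoIP data) ---
demo_dir=$(mktemp -d)
# The "reference" copy is what the maintainer hashed when building the package.
printf 'constructed sample database\n' > "$demo_dir/reference.dat"
pinned=$(sha256sum "$demo_dir/reference.dat" | cut -d' ' -f1)

# Case 1: the download matches the reference, so it is installed.
cp "$demo_dir/reference.dat" "$demo_dir/download.dat"
install_verified "$demo_dir/download.dat" "$pinned" "$demo_dir/GeoIP.dat"

# Case 2: something altered the file in transit; the install is refused.
printf 'injected garbage\n' >> "$demo_dir/download.dat"
if install_verified "$demo_dir/download.dat" "$pinned" "$demo_dir/GeoIP2.dat"; then
    echo "unexpected: tampered file was installed" >&2
fi

rm -rf "$demo_dir"
```

A pinned digest only proves the bytes equal what the maintainer saw at build time; it does nothing for a file that legitimately changes after release (a live GeoIP feed, for instance), which is exactly the case where a signed source, or shipping the data in a proper package, is the better fix.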