
Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity



On 2021-07-02 01:24:09 +0000 (+0000), Paul Wise wrote:
> On Thu, Jul 1, 2021 at 1:27 PM Jeremy Stanley wrote:
> 
> > There's nothing especially wrong about using signed-by, but
> > it's not the security fix some people seem to believe. In short,
> > *any* package you install can run arbitrary commands as the root
> > user on your system during installation. Only ever install packages
> > from sources you implicitly trust, since the people who control
> > those packages also essentially control your system.
> 
> For sophisticated users it isn't very hard to verify that packages
> don't do anything malicious as root. `apt install --download-only`,
> `dpkg-deb --raw-extract`, read the maintainer scripts and check which
> files are installed into the package.
[...]

On each machine where you install it, unless you confirm the
checksum hasn't changed from one to the next. Also each and every
time you upgrade it. And it goes without saying, if you're worried
about this, don't enable unattended upgrades for anything from that
repository.
-- 
Jeremy Stanley
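The inspection routine Paul Wise describes (download the package, unpack it, read the maintainer scripts, see which files it installs) and the recurring-checksum caveat in the reply above, as an added example that is not part of the thread and not apt's or dpkg's own code. It uses only the Python standard library to parse the .deb container directly (a .deb is an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`), so it runs offline without `apt` or `dpkg-deb`; the package bytes it inspects are constructed in memory, and the package name, paths and `postinst` body are made-up sample values. On a real system you would obtain the .deb with `apt install --download-only` and unpack it with `dpkg-deb --raw-extract` as the thread says; the parser here stands in for that step.

```python
import hashlib
import io
import tarfile

# Scripts dpkg runs as root during install/upgrade/removal: the part to read first.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name, data):
    """Encode one member in the common `ar` header format used by .deb files."""
    header = (f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n").encode("ascii")
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")  # members are even-aligned


def _targz(entries):
    """Build a gzip tarball from {path: content} (used only to construct the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb():
    """Constructed sample package (hypothetical 'demo'): one binary plus a postinst."""
    control = _targz({
        "./control": b"Package: demo\nVersion: 1.0\nArchitecture: all\n"
                     b"Maintainer: demo <demo@example.invalid>\nDescription: constructed sample\n",
        "./postinst": b"#!/bin/sh\nset -e\necho 'postinst runs as root'\n",
    })
    data = _targz({"./usr/bin/demo": b"#!/bin/sh\necho hello\n"})
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control)
            + _ar_member("data.tar.gz", data))


def ar_members(blob):
    """Parse an `ar` archive into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        # GNU ar may terminate names with '/', so strip both padding and that marker.
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def _tar_from(members, prefix):
    """Open the control.tar.* or data.tar.* member regardless of compression suffix."""
    for name, data in members.items():
        if name.startswith(prefix):
            return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    raise ValueError(f"no {prefix} member")


def inspect_deb(blob):
    """Return the digest, the maintainer scripts, and the files the package installs."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unexpected debian-binary version")
    scripts = {}
    with _tar_from(members, "control.tar") as ctl:
        for m in ctl.getmembers():
            base = m.name.lstrip("./")
            if base in MAINTAINER_SCRIPTS:
                scripts[base] = ctl.extractfile(m).read().decode()
    with _tar_from(members, "data.tar") as data:
        files = sorted(m.name.lstrip("./") for m in data.getmembers() if m.isfile())
    return {"sha256": hashlib.sha256(blob).hexdigest(), "scripts": scripts, "files": files}


def unchanged_since(blob, recorded_sha256):
    """A review only covers the bytes reviewed: re-check on every machine and every upgrade."""
    return hashlib.sha256(blob).hexdigest() == recorded_sha256


if __name__ == "__main__":
    pkg = build_sample_deb()
    report = inspect_deb(pkg)
    print("sha256:", report["sha256"])
    for name, body in report["scripts"].items():
        print(f"--- {name} ---\n{body}")
    print("installs:", report["files"])
```

The digest is recorded after the scripts and file list have been read; a later install on another machine, or an upgrade from the same repository, is compared against that digest with `unchanged_since` before it is trusted, which is why unattended upgrades from such a repository defeat the exercise.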
