Re: third-party packages adding apt sources

To: debian-project@lists.debian.org
Subject: Re: third-party packages adding apt sources
From: Adam Borowski <kilobyte@angband.pl>
Date: Sat, 21 May 2016 14:32:19 +0200
Message-id: <[🔎] 20160521123219.GA9429@angband.pl>
In-reply-to: <[🔎] CAKTje6Fh0196zgfYzgakOi56mWEGgj82ib1xmVdjNGF1mznR3Q@mail.gmail.com>
References: <[🔎] 573DD944.3010208@pocock.pro> <[🔎] CAKTje6Fh0196zgfYzgakOi56mWEGgj82ib1xmVdjNGF1mznR3Q@mail.gmail.com>

On Sat, May 21, 2016 at 01:47:41PM +0800, Paul Wise wrote:
> On Thu, May 19, 2016 at 11:18 PM, Daniel Pocock wrote:
> 
> > More and more frequently I'm encountering systems where third-party
> > repositories have been added into /etc/apt/sources.list or
> > /etc/apt/sources.list.d, usually put there by some .deb package that a
> > user installed from some third party site.
> 
> This discussion reminds me of this wiki page:
> 
> https://wiki.debian.org/UntrustedDebs

This looks wrong to me: a vast majority of machines these days have a single
user, thus pwning root gives you little additional gain.

So, for running untrusted code you should execute it solely in a special
environment of some kind.  And if you're not executing those binaries
directly, what's the point in putting them into the standard paths?

-- 
An imaginary friend squared is a real enemy.

Reply to:

Follow-Ups:
- Re: third-party packages adding apt sources
  - From: Paul Wise <pabs@debian.org>

References:
- third-party packages adding apt sources
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: third-party packages adding apt sources
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: third-party packages adding apt sources
Next by Date: Upcoming oldstable point release (7.11)
Previous by thread: Re: third-party packages adding apt sources
Next by thread: Re: third-party packages adding apt sources
Index(es):
- Date
- Thread