
Re: [work] Integrity of Debian packages



On Thu, Mar 06, 2003 at 09:21:21PM -0500, Gary MacDougall wrote:

[snip]

> This is silly to blame the FBI.  I'd be far more concerned about the
> average knucklehead trying to do this maliciously than thinking the FBI
> would do it... please.

I wasn't that worried about the FBI, being Australian, but what about an
unscrupulous ISP? What about a compromised mirror?

> As I agree that there should be a level of protection on apt-get, or any
> "auto update" system, it's up to the person doing the update to check the
> things they're updating if they are that paranoid.  If you're really
> concerned about this, don't apt-get, download the deb's and eyeball the
> deb's yourself.
> 

[snip]

> 
> The article was written in December 2001, two years ago and over 100 IIS
> patches later.  In hindsight, had the author concentrated on IIS and its
> lack of security, and pointed out that the Internet is slowed to a crawl
> since every IT idiot maintaining IIS won't patch their software or do
> AN AUTO UPDATE!!!  It's a contradiction to the original problem being
> stated!!! hahahahaha.

The article may have been written in December 2001, but I don't think 
anything has fundamentally changed in the way Debian's packaging operates, 
or how packages are rolled out.

[snip]

> This stuff is silly.  I'll take my chances with apt-get and know that my
> system is up to date.

I can't take that attitude. I work in a secure environment. I've got to
determine the appropriate level of paranoia to employ for ensuring a
largish Debian infrastructure is kept up to date with legitimate patches.

Andrew
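The check that a compromised mirror has to defeat is the hash chain from a signed Release file through the Packages index down to each .deb. The following is an added Python example, not part of this thread or of Debian's own tooling; the Release and Packages contents are constructed, and it assumes the Release file's signature has already been verified separately against a trusted keyring (for example with gpgv), so only the hash chain is checked here.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_hash_section(release: str, field: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from one hash section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if not line.startswith(" "):          # a new top-level field ends the section
            in_section = line.rstrip(":") == field
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages: str) -> list:
    """Split a Packages index into stanzas, each a dict of its fields."""
    return [dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
            for block in packages.strip().split("\n\n")]

def verify_chain(release: str, packages_bytes: bytes, debs: dict, index_path: str) -> bool:
    """Check Release -> Packages -> .deb. Assumes the Release file's signature has
    already been verified against a trusted keyring; only the hash chain is checked."""
    expected = parse_hash_section(release).get(index_path)
    if expected != (sha256(packages_bytes), len(packages_bytes)):
        return False                          # index missing from Release or altered
    for stanza in parse_packages(packages_bytes.decode()):
        data = debs.get(stanza["Filename"])
        if data is None or len(data) != int(stanza["Size"]):
            return False
        if sha256(data) != stanza["SHA256"]:
            return False                      # .deb does not match the signed index
    return True

# Constructed sample mirror contents (not real Debian data).
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_i386.deb"
DEB = b"constructed stand-in for a .deb archive\n"
INDEX_PATH = "main/binary-i386/Packages"
PACKAGES = (f"Package: example-tool\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n")

if __name__ == "__main__":
    print("intact mirror:", verify_chain(RELEASE, PACKAGES, {DEB_PATH: DEB}, INDEX_PATH))
    print("tampered .deb:", verify_chain(RELEASE, PACKAGES, {DEB_PATH: DEB + b"x"}, INDEX_PATH))
```

A mirror that swaps a .deb, or the Packages index, without also producing a Release file that carries a valid signature fails this chain at the first mismatched hash.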


