Re: [work] Integrity of Debian packages
On Thu, Mar 06, 2003 at 09:21:21PM -0500, Gary MacDougall wrote:
[snip]
> This is silly to blame the FBI. I'd be far more concerned about the
> average knucklehead trying to do this maliciously than thinking the FBI
> would do it... please.
I wasn't that worried about the FBI, being Australian, but what about an
unscrupulous ISP? What about a compromised mirror?
> As I agree that there should be a level of protection on apt-get, or any
> "auto update" system, it's up to the person doing the update to check the
> things they're updating if they are that paranoid. If you're really
> concerned about this, don't apt-get, download the debs and eyeball the
> debs yourself.
>
[snip]
>
> The article was written in December 2001, two years ago and over 100 IIS
> patches later. In hindsight, had the author concentrated on IIS and its
> lack of security, and pointed out that the Internet is slowed to a crawl
> since every IT idiot maintaining IIS won't patch their software or do
> AN AUTO UPDATE!!! It's a contradiction to the original problem being
> stated!!! hahahahaha.
The article may have been written in December 2001, but I don't think
anything has fundamentally changed in the way Debian's packaging operates,
or how packages are rolled out.
[snip]
> This stuff is silly. I'll take my chances with apt-get and know that my
> system is up to date.
I can't take that attitude. I work in a secure environment. I've got to
determine the appropriate level of paranoia to employ for ensuring a
largish Debian infrastructure is kept up to date with legitimate patches.
Andrew
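The thread's concern is a mirror (or an ISP in the path) serving a modified .deb. The check an administrator can apply to a downloaded package is to compare its size and digests against the archive's package index, which is what "eyeball the debs yourself" amounts to in practice. The script below is an added illustration written for this page, not code from Debian, apt or anyone in the thread; the package bytes and the index stanza are constructed samples, and the stanza uses only the Size, MD5sum and SHA256 fields (field names as they appear in Debian Packages indices; the helper that builds the stanza stands in for the archive tooling). The check is only as good as the index it trusts: the stanza has to come from a source the mirror cannot rewrite, otherwise a compromised mirror simply publishes matching digests for its modified package.

```python
import hashlib
import hmac

# Constructed sample "package": a short byte string standing in for a .deb.
GENUINE_DEB = b"!<arch>\ndebian-binary   constructed sample package contents\n"
# Same length, one word changed: what a tampering mirror might serve.
TAMPERED_DEB = GENUINE_DEB.replace(b"sample", b"SAMPLE")
# Truncated copy, as from a cut-off transfer.
TRUNCATED_DEB = GENUINE_DEB[:-5]


def build_index_stanza(name, version, filename, data):
    """Build a Packages-index style stanza for data.

    Stands in for the stanza the archive publishes (assumption: only the
    fields shown are needed for the check).
    """
    return (
        f"Package: {name}\n"
        f"Version: {version}\n"
        f"Filename: {filename}\n"
        f"Size: {len(data)}\n"
        f"MD5sum: {hashlib.md5(data).hexdigest()}\n"
        f"SHA256: {hashlib.sha256(data).hexdigest()}\n"
    )


def parse_stanza(text):
    """Parse 'Field: value' lines into a dict (blank lines ignored)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def verify_deb(stanza, data):
    """Return (ok, reason) after checking size and every digest field present.

    Size is checked first because it is cheap; each listed digest is then
    recomputed over the bytes actually received and compared with the index.
    """
    fields = parse_stanza(stanza)
    if int(fields["Size"]) != len(data):
        return False, "size mismatch"
    digests = {"MD5sum": hashlib.md5, "SHA256": hashlib.sha256}
    for field, algo in digests.items():
        if field not in fields:
            continue
        actual = algo(data).hexdigest()
        if not hmac.compare_digest(actual, fields[field].lower()):
            return False, f"{field} mismatch"
    return True, "ok"


# Index stanza as the (trusted) archive would publish it for the genuine package.
INDEX_STANZA = build_index_stanza(
    "example-pkg", "1.0-1", "pool/main/e/example-pkg_1.0-1_i386.deb", GENUINE_DEB
)

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_DEB),
                        ("tampered", TAMPERED_DEB),
                        ("truncated", TRUNCATED_DEB)):
        print(label, verify_deb(INDEX_STANZA, blob))
```

Run against a real download, the stanza would be the matching entry from the archive's Packages file and `data` the bytes of the fetched .deb; the comparison logic does not change.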