
Re: Recent updates



On 18/02/08 06:01 -0300, Felipe Figueiredo wrote:
> On Sun 17 Feb 2008 17:48:16 Alexander Schmehl wrote:
>
>> Well, a rogue hacker would need to be quite skilled to add some kind of
>> "bad" package.
>>
>> Let's assume he has created a bad package and got control over a mirror
>
> How about a simpler attack vector: compromise a devel account, and sneak in a patch to be automatically incorporated to a package. Is this feasible?

I think packages are signed when uploaded, so it's
not easy. You also could compromise upstream, a
buildd machine or gcc.

> I understand that this case would not reflect what the OP asked about, but still.

Why trust software you didn't write yourself at
all[0]?

regards, Rolf

[0] http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

--
Process too difficult to explain.
