Re: Debian mirrors and MITM

On 30.05.2014 21:35, Jeremie Marguerie wrote:
To "protect" openssh-server you would need to prevent modification of its dependency. But the PPA could just install a program that overrides the openssh-server manually (without doing that from APT). In this case, unless you run debsums you wouldn't notice it.
Any package can do whatever it wants, for example, in a postinst script which is run as root. Unless every piece of software from a PPA is totally sandboxed somehow, loopholes are inevitable if arbitrary code is to be run during installation/upgrade/removal.
Denis Nikolaenko
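As an added illustration of the debsums-style check mentioned above (example code, not part of this thread): dpkg records per-package file digests in /var/lib/dpkg/info/<pkg>.md5sums as "<md5hex>  <relative path>" lines; the function below parses that format and reports each file as OK, FAILED or MISSING. The demo builds a constructed fake root under a temporary directory, with a hypothetical openssh-server whose sshd binary was overwritten outside of APT.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg's per-package md5sums format: '<md5hex>  <relative path>' per line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)   # two-space separator, as written by dpkg
        entries[path] = digest.lower()
    return entries


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(md5sums_text, root="/"):
    """Return {relative path: 'OK' | 'FAILED' | 'MISSING'}, like debsums' per-file report."""
    report = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "MISSING"
        elif md5_of_file(full) != expected:
            report[rel] = "FAILED"
        else:
            report[rel] = "OK"
    return report


def demo():
    """Constructed scenario: fake root with one intact, one overwritten and one deleted file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/sbin"))
    os.makedirs(os.path.join(root, "usr/share/man/man8"))
    genuine_sshd = b"#!/bin/sh\necho genuine sshd\n"          # what dpkg installed
    manpage = b"constructed sshd.8 contents\n"
    with open(os.path.join(root, "usr/sbin/sshd"), "wb") as f:
        f.write(b"#!/bin/sh\necho replaced behind APT's back\n")  # overwritten by a postinst
    with open(os.path.join(root, "usr/share/man/man8/sshd.8.gz"), "wb") as f:
        f.write(manpage)
    md5sums = "%s  usr/sbin/sshd\n%s  usr/share/man/man8/sshd.8.gz\n%s  usr/share/doc/openssh-server/copyright\n" % (
        hashlib.md5(genuine_sshd).hexdigest(), hashlib.md5(manpage).hexdigest(), "0" * 32)
    return verify_package(md5sums, root)
```

Since a postinst runs as root, it can just as well rewrite the stored .md5sums file, so a meaningful check compares against digests taken from the original .deb or kept offline, not only against what is on the same host.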

