Re: Debian mirrors and MITM
On 30.05.2014 21:35, Jeremie Marguerie wrote:
To "protect" openssh-server you would need to prevent modification of
its dependency. But the PPA could just install a program that
overrides the openssh-server manually (without doing that from APT).
In this case, unless you run debsums you wouldn't notice it.
Any package can do whatever it wants, for example, in postinst script
which is run as root.
Unless every piece of software from PPA is totally sandboxed somehow,
loopholes are inevitable if arbitrary code should be run during
installation/upgrade/removal.
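To make the debsums point concrete, here is an added example (not part of the original message or of the debsums tool): a minimal re-implementation of the check `debsums -c` performs, run against a constructed throwaway install tree so it works offline. The package name `openssh-server`, the file `usr/sbin/sshd` and the temporary root are hypothetical fixtures. It first shows that an out-of-band overwrite is caught, then that a root postinst which also rewrites the package's `.md5sums` list passes the same check, since that list lives under `/var/lib/dpkg/info/` and is writable by the same root process.

```shell
#!/bin/sh
# Added example, not the poster's code. Imitates what `debsums -c` does:
# compare each file listed in /var/lib/dpkg/info/<pkg>.md5sums with the
# file currently on disk. Everything runs inside a constructed temp root.
set -eu

PKG=openssh-server          # hypothetical package name
FILE=usr/sbin/sshd          # hypothetical installed file (no leading slash,
                            # the way dpkg records paths in .md5sums)

# Build a throwaway root with one "installed" file and its dpkg checksum list.
setup_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin" "$root/var/lib/dpkg/info"
    printf '#!/bin/sh\nexec /usr/sbin/sshd.real "$@"\n' > "$root/$FILE"
    # dpkg stores one line per file: "<md5>  <relative path>"
    ( cd "$root" && md5sum "$FILE" ) > "$root/var/lib/dpkg/info/$PKG.md5sums"
    echo "$root"
}

# Print every listed file whose checksum no longer matches; return 1 if any
# differ, 0 if all match (the same verdict debsums -c gives).
check_pkg() {
    root=$1; pkg=$2; rc=0
    while read -r sum path; do
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$sum" != "$actual" ]; then
            echo "$root/$path"
            rc=1
        fi
    done < "$root/var/lib/dpkg/info/$pkg.md5sums"
    return $rc
}

# What a third-party postinst running as root can do: replace the binary
# directly, bypassing dpkg entirely. debsums still notices this.
tamper() {
    printf '#!/bin/sh\n# not the real sshd\n' > "$1/$FILE"
}

# The same root postinst can also rewrite the package's .md5sums list, after
# which the check passes again: the list is data on the same disk, not a
# trust anchor.
cover_tracks() {
    ( cd "$1" && md5sum "$FILE" ) > "$1/var/lib/dpkg/info/$PKG.md5sums"
}

# Stand-alone run: fixture, tamper, detect, cover, miss.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    r=$(setup_fixture)
    check_pkg "$r" "$PKG" && echo "clean install: no changes"
    tamper "$r"
    check_pkg "$r" "$PKG" || echo "after overwrite: modified file reported above"
    cover_tracks "$r"
    check_pkg "$r" "$PKG" && echo "after rewriting .md5sums: nothing reported"
    rm -rf "$r"
fi
```

The real `debsums -c` also reads the `.md5sums` files and compares with `md5sum`, so the behaviour shown here (detects a naive overwrite, misses one that updates the list) carries over; comparing against checksums taken from the signed archive's `.deb` files rather than the local list is what `debsums --generate` is for.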