[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security - trust etc.. (Was: Reading e-mails on text mode)


On Tue, 22 Aug 2000, hogan wrote:

> I go to this site, download the .deb's .. How can I be sure they're not
> malicious.

You can't.  Period.  Same goes for source.  Same goes for commercial
binaries.  Same goes for any code you haven't read (or had someone you
thoroughly trust read).

To illustrate this point there's a perl module somewhere (don't remember
the module or what it does..something to do with Apache/web anyway) that,
when you run 'perl Makefile.PL', it runs through some stuff and then spits
out something about preparing to do 'rm -rf /'.  Naturally it doesn't
actually do it, but it follows with a message about the importance of
confirming the trustworthiness of *any* code you install on your system.

> Or maybe for those who develop homicidal tendancies when asked, "Are you
> sure?" :) :) a log of what the program did? (Now I know very little 'bout
> Linux - I'm still learning.. Would a journalling FS such as ReiserFS help in
> this regard?) Is something like tripwire (that I've read a few little
> bits'n'pieces about) what I need to give me a little reassurance that I'm not
> completely placing my machine into the hands of a stranger?

Tripwire will give you an idea of what files change, so you can be sure
that (for example) installing a mail reader is not replacing /bin/login or
something like that.  That doesn't prevent that same mail reader from
mailing off some crucial piece of data or some security info to some
cracker database somewhere, though.

> I mean I generally get the feeling people around this and other linux related
> mailing lists that people really want to help, but I can't help but think that
> all of this is placing a lot of trust in people one will never meet and may
> indeed never communicate with.

In the case of official debian packages (downloaded from the 'main'
section of an official Debian mirror (non-free and contrib may not apply,
but then they might...I don't know)) you can be reasonably sure that what
you see is what you get.  Debian has a pretty strict policy regarding
becoming an official developer.  You're pretty much certain that the
package is in fact built from the code it is claimed to have been built
from and that the maintainer is who they claim to be.

In the case of unofficial packages like the Pine packages on my mirror,
you can check Washington university's FTP site for some MD5 checksums or
whatever for their code, then read through the diff (much less code than
reading all of Pine!) and build your own package from this source to
confirm for yourself that Pine is safe.  Of course, that's assuming you
trust UW.

In short, there are no guarantees.  At some point you have to take it on
faith that somebody honest has read the code that you're


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv


Reply to: