
Security



Hi,

        I have been following the "horrifying
suggestion" thread on the lists and what you say about
the go-gnome script makes perfectly good sense. Has
anyone talked to Helixcode about the problem? In most
distributions all the script does is download the
installer and in Debian it just adds an extra line in
the sources file. Telling the user to edit the sources file
and add the extra line and then doing an apt-get
seems to me to be as simple as what they are asking
the user to do. There is no percentage in using the
go-gnome script at all apart from giving
misconceptions to the user about user friendliness.
And now there are so many sites giving installation
scripts to be executed as root user. Eazel makes you
download an installer script for RPM-based systems for
installing Nautilus PR2 and there are many more
companies like that. Can anything be done to somehow
make these people understand and use some security
measures in the process of installing software?


       Then again there is a problem of trusted sites
versus non-trusted when it comes to apt-get. As
argued in the case of the go-gnome script, any web site
can make a newbie add a line in the sources.list file
saying that doing an "apt-get task-whatever" will do
wonders for his system and in the process install a
trojan. Is there anything like a
digitally signed .deb which distinguishes between
trusted and non-trusted sites and prevents the above?
There was a post in the message board some time ago
about RPM checking PGP keys. But I don't think that is
a default behaviour of RPM. Does RPM check for
signatures on all the files it is going to install? I
think such a behaviour has to be made default for all
the packaging systems since more and more people are
migrating to Linux and not everybody knows the risk
involved when working as root user.

Vijay.
