Re: Unofficial binary Debian packages considered insecure?

To: debian-user@lists.debian.org
Subject: Re: Unofficial binary Debian packages considered insecure?
From: Brian Nelson <pyro@debian.org>
Date: Sat, 29 May 2004 01:43:42 -0300
Message-id: <[🔎] 871xl3sv0h.fsf@scabbers.bignachos.com>
In-reply-to: <[🔎] 7w8yfcqq8i.fsf@i19.ruc.dk> (Niels L. Ellegaard's message of "28 May 2004 21:57:33 +0200")
References: <[🔎] 7w8yfcqq8i.fsf@i19.ruc.dk>

gnalle@ruc.dk (Niels L. Ellegaard) writes:

> I have been looking at a few of the the sites that offer unofficial
> debian packages, and I am somewhat confused about the security issues.
> I am not a great Linux guru, so I wonder how easy it would be to hide
> a rootkit in a binary package and submit it to apt-get.org or
> backports.org. 

Utterly trivial.

> Is this a serious risk or am I just being paranoid?

It's the reason why Debian has a maintainer application process,
requires new maintainer gpg keys to be signed by existing developers,
and requires all uploads to be gpg signed by a key in the Debian
keyring.  Of course this doesn't prevent a Debian developer from doing
evil things, but it makes it possible to track and permanently ban
whoever did the evil things.

-- 
You win again, gravity!

Reply to:

Follow-Ups:
- Re: Unofficial binary Debian packages considered insecure?
  - From: Paul Johnson <baloo@ursine.ca>
- Re: Unofficial binary Debian packages considered insecure?
  - From: John Hasler <john@dhh.gt.org>

References:
- Unofficial binary Debian packages considered insecure?
  - From: gnalle@ruc.dk (Niels L. Ellegaard)

Prev by Date: Re: X fails to find my vidio card
Next by Date: How are you?
Previous by thread: Re: Unofficial binary Debian packages considered insecure?
Next by thread: Re: Unofficial binary Debian packages considered insecure?
Index(es):
- Date
- Thread