Re: Unofficial binary Debian packages considered insecure?
gnalle@ruc.dk (Niels L. Ellegaard) writes:
> I have been looking at a few of the sites that offer unofficial
> debian packages, and I am somewhat confused about the security issues.
> I am not a great Linux guru, so I wonder how easy it would be to hide
> a rootkit in a binary package and submit it to apt-get.org or
> backports.org.
Utterly trivial.
> Is this a serious risk or am I just being paranoid?
It's the reason why Debian has a maintainer application process,
requires new maintainer gpg keys to be signed by existing developers,
and requires all uploads to be gpg signed by a key in the Debian
keyring. Of course this doesn't prevent a Debian developer from doing
evil things, but it makes it possible to track and permanently ban
whoever did the evil things.
--
You win again, gravity!