
Re: Unofficial binary Debian packages considered insecure?

gnalle@ruc.dk (Niels L. Ellegaard) writes:

> I have been looking at a few of the sites that offer unofficial
> Debian packages, and I am somewhat confused about the security issues.
> I am not a great Linux guru, so I wonder how easy it would be to hide
> a rootkit in a binary package and submit it to apt-get.org or
> backports.org.

Utterly trivial.

> Is this a serious risk or am I just being paranoid?

It's the reason why Debian has a maintainer application process,
requires new maintainer gpg keys to be signed by existing developers,
and requires all uploads to be gpg signed by a key in the Debian
keyring.  Of course this doesn't prevent a Debian developer from doing
evil things, but it makes it possible to track and permanently ban
whoever did the evil things.

You win again, gravity!
