On Sat, Nov 03, 2007 at 10:41:35AM +0000, Joe wrote: > Andrew Sackville-West wrote: >> On Fri, Nov 02, 2007 at 09:29:51PM +0000, Joe wrote: >>> Microsoft Update and apt-get are probably as close as you get, and I >>> wouldn't bet a large amount of money that either is 100% safe. One day MU >>> will get hacked, and the whole world will collapse. >>> >> wow, that's quite a comparison: Microsoft Update which will secretly >> upgrade stuff on the system even when explicitly told not to versus >> apt-get which must be explicitly told what to do and then asks "are >> you sure?" And I won't even go into the parts where you get to look at >> apt code... >> Frankly I hope MU does get hacked (if it hasn't already) because some >> people need to learn some lessons, not the least of which is MS itself >> for releasing such tragically flawed software to begin with. Note though >> that I do not wish ill upon the poor users of this >> product... merely that the PTB's over there would get a clue (and yes >> I know many of them do have a clue, just not enough or the right ones). > > Ah, I wasn't comparing operational use, fair enough... > just the systems as being > reasonably tamper-proof methods of delivering software from the original > sources to the user. see, there is a significant difference here. MU allows kernel level software upgrades to be loaded into the system without admin intervention or knowledge. So it appears to me that MU is *not* reasonably tamper-proof and is infact designed to be tampered with.. > The vast majority of downloaded software comes from > unidentifiable sources via paths which are relatively easily hacked. The vast majority of whose software? All mine comes from signed archives with keys that I can verify. > > The MU issue is simply one of monoculture, not software quality. I disagree. The whole MU issue is about fundamentally flawed ideas about software. The software produced from a flawed concept (that its okay to have some party arbitrarily install kernel level software remotely without admin interaction) is flawed and not quality software. > If 90% of > the world's PCs used apt-get daily, the repercussions of malware smuggled > into major packages would be just as serious as an MU hack today. Yes, except again, if the apt repositories were compromised, we would still have the option to not bother typing apt-get upgrade (once the news got out, of course. Some would surely still fall...). If someone hacks MU, then that hack can be distributed automatically to every box to be automatically installed even if the admin has turned off the automatic install "feature". BTW, I'm not sure that we're actually arguing here. It maybe that I just don't understand what you're saying :) A
Attachment:
signature.asc
Description: Digital signature