LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Ximian on Debian Potato


Jerry Walsh jerry at aardvark.ie
Thu Apr 26 11:38:14 IST 2001


At 11:13 26/04/01 +0100, you wrote:
> >>>>> "JW" == Jerry Walsh <jerry at aardvark.ie> writes:
>
>     JW> The entry in /etc/hosts just means you're prone from DNS
>     JW> poisoning - I still wouldn't call it trusted considering
>
>ITYM "protected from".

Aye, indeed I did.


>     JW> there's no actual way of authenticating that the code hasn't
>     JW> been tampered with, there's no way of telling it's the real
>
>The same goes for the packages you download.
>
>     JW> code you got and not some evil shell script which was put in
>     JW> place by some 3l33t h4x0r. It's not signed, it's not verified
>     JW> by some sort of checksum, it's EVIL!
>
>So, every software package you install is cryptographically signed by
>some trusted third party you have met in the flesh and exchanged keys
>with?

I didn't say anything about meeting the authors in the flesh and exchanging
keys with them, I just said there's no authenticity on the thing at all -
there's not even an attempt of it.

99% of the software I install and maintain on my machine (FreeBSD) is from
the ports, which at least have an MD5 checksum on each file it downloads. I'm
not saying that itself is hugely secure, nothing's secure, but it just makes
it harder for someone to start doing nasty stuff.

>While I'm not a fan of running random shell code as root, I stopped
>foaming about this case once I realised that the packages you install
>are the equivalent; they all have the ability to run code as root.

They do..

>You are no more exposed by running the go-gnome.sh than you are by
>installing the packages.

I've used Debian once - I don't like it, but isn't there at least an MD5 sum
check done on the packages?

With this go-gnome.sh you pass it directly to a root shell, no checks, no
nothing. THAT is why it bugs me.

Jerry.
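
The difference argued over in this thread, as an added example (not code from any poster, from Ximian, or from the FreeBSD ports system): the installer is saved to a file and checked against a digest obtained out of band before it is run, instead of being piped straight into a root shell. It uses SHA-256 rather than the MD5 mentioned in the thread; the function names and the stand-in installer script are hypothetical and constructed.

```shell
#!/bin/sh
# Added example; every name below is hypothetical, sample data is constructed.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256 -q "$1"    # FreeBSD base system
    fi
}

# verify_then_run FILE EXPECTED_HEX
# Runs FILE with sh only when its digest equals EXPECTED_HEX.
# Returns 1 on mismatch (nothing is executed), 2 if the file is unreadable.
verify_then_run() {
    vr_file=$1
    vr_expected=$2
    [ -f "$vr_file" ] || { echo "missing: $vr_file" >&2; return 2; }
    vr_actual=$(file_sha256 "$vr_file") || return 2
    if [ "$vr_actual" != "$vr_expected" ]; then
        echo "refusing to run $vr_file: digest mismatch" >&2
        echo "  expected $vr_expected" >&2
        echo "  actual   $vr_actual" >&2
        return 1
    fi
    sh "$vr_file"
}

# Constructed demo: a stand-in installer, its published digest, then tampering.
demo() {
    d=$(mktemp -d) || return 2
    printf 'echo installer ran\n' > "$d/installer.sh"
    # Stands in for a digest the vendor publishes over a separate channel.
    published=$(file_sha256 "$d/installer.sh")
    first=0;  verify_then_run "$d/installer.sh" "$published" || first=$?
    printf 'echo tampered\n' >> "$d/installer.sh"   # modified after publication
    second=0; verify_then_run "$d/installer.sh" "$published" || second=$?
    rm -rf "$d"
    echo "untampered exit=$first, tampered exit=$second"
}
demo
```

A digest only helps if it reaches you by a path the attacker does not also control; a checksum served from the same host as the script detects corruption, not substitution.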




