At 11:13 26/04/01 +0100, you wrote:
> >>>>> "JW" == Jerry Walsh <jerry at aardvark.ie> writes:
>
> JW> The entry in /etc/hosts just means you're prone from DNS
> JW> poisoning - I still wouldn't call it trusted considering
>
>ITYM "protected from".

Aye, indeed I did.

> JW> there's no actual way of authenticating that the code hasn't
> JW> been tampered with, there's no way of telling its the real
>
>The same goes for the packages you download.
>
> JW> code you got and not some evil shell script which was put in
> JW> place by some 3l33t h4x0r. It's not signed, it's not verified
> JW> by some sort of checksum, it's EVIL!
>
>So, every software package you install is cryptographically signed by
>some trusted third party you have met in the flesh and exchanged keys
>with?

I didn't say anything about meeting the authors in the flesh and exchanging
keys with them, I just said there's no authenticity on the thing at all -
there's not even an attempt at it.

99% of the software I install and maintain on my machine (FreeBSD) is from
the ports, which at least have an md5 checksum on each file it downloads. I'm
not saying that itself is hugely secure (nothing's secure), but it just makes
it harder for someone to start doing nasty stuff.

>While I'm not fan of running random shell code as root, I stopped
>foaming about this case once I realised that the packages you install
>are the equivalent; they all have the ability to run code as root.
They do..
>You are no more exposed by running the go-gnome.sh than you are by
>installing the packages.
I've used Debian once - I don't like it, but isn't there at least an md5 sum
check done on the packages?

With this go-gnome.sh you pass it directly to a root shell, no checks, no
nothing.

THAT is why it bugs me.

Jerry.
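
Added example (not part of the original message or thread): the check the message says is missing, written as save-to-file, verify, then run, instead of passing a download straight to a root shell. It uses SHA-256 rather than the MD5 sums mentioned above; `sha256_of`, `verify_then_run` and the stand-in installer are constructed for illustration, and the pinned digest is assumed to come from a channel other than the download server.

```sh
#!/bin/sh
# Added example: refuse to execute a downloaded script unless its digest
# matches a value pinned in advance. Function names are hypothetical.

# Print the hex SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# 0: FILE matched and was run; 1: mismatch, FILE not run; 2: could not hash.
verify_then_run() {
    vr_file=$1
    vr_expected=$2
    vr_actual=$(sha256_of "$vr_file") || return 2
    [ -n "$vr_actual" ] || return 2
    if [ "$vr_actual" != "$vr_expected" ]; then
        echo "REFUSED $vr_file: expected $vr_expected, got $vr_actual" >&2
        return 1
    fi
    sh "$vr_file"
}

# Constructed demo: a stand-in installer, then the same file after modification.
demo_dir=$(mktemp -d)
printf 'echo "installing (constructed stand-in)"\n' > "$demo_dir/installer.sh"
# Pinned here only for the demo; a digest fetched from the same server as the
# script detects corruption but not a replaced script.
pinned=$(sha256_of "$demo_dir/installer.sh")
verify_then_run "$demo_dir/installer.sh" "$pinned"
printf 'echo "line added by someone else"\n' >> "$demo_dir/installer.sh"
verify_then_run "$demo_dir/installer.sh" "$pinned" || echo "modified copy was not executed"
rm -rf "$demo_dir"
```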