It occurs to me that all of the linux distributions (from here on, replace
"linux" with "GNU/Linux" if you want), whether debian or redhat or whatever,
seem to be making a big assumption that could bite them later.
Right now we all run stuff as root to install packages, whether by way of RPM,
APT, or whatever. We don't do anything (md5sum is still a number that could
be quietly replaced) to verify the source of the package.
So Joe Random Hacker could, if they wanted, quietly add a couple of commands
to the stuff run during installation to introduce a hole onto the system
being used for installation. They wouldn't have to try to target official
distribution sites (ftp.redhat.com or whatever), though that would be
helpful. Instead, pick random mirror sites and give it a try.
As a workaround, the various distributions could use a GPG signature to verify
correctness of the file. Since the distributor's secret key is required to
create that signature, it would add a pretty significant step that would have
to be taken to make it possible to replace both an rpm or apt file and its
accompanying signature.
Just tossing this idea out to see what others think of it; comments are
welcome. :)
B
--
Brendan Kehoe    brendan at zen.org    http://www.zen.org/~brendan/
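The contrast the post draws, as an added example that is not part of the original message: a checksum published on the same mirror as the package is replaced along with it, while a detached signature cannot be regenerated without the distributor's secret key. The script below is standard-library Python only; it uses a toy textbook-RSA signature built from two small known primes purely to illustrate the principle (it is not a secure scheme and not how GPG, RPM or APT implement signing), and the package contents, checksum and "mirror" are constructed samples.

```python
import hashlib

# Toy RSA key pair built from two known Mersenne primes (2^61-1 and 2^89-1).
# Far too small and unpadded: this stands in for a real GPG key only to show
# that verification needs the public key while signing needs the secret key.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))  # secret exponent (needs Python >= 3.8)

DISTRIBUTOR_PUBLIC_KEY = (_N, _E)    # shipped with the distro, not fetched from a mirror
_DISTRIBUTOR_SECRET_KEY = (_N, _D)   # stays with the distributor


def _digest_as_int(data: bytes) -> int:
    # 128 bits of SHA-256 keep the value below the toy modulus (about 2^150)
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign_package(package: bytes, secret_key=_DISTRIBUTOR_SECRET_KEY) -> int:
    """Distributor side: produce a detached signature over the package."""
    n, d = secret_key
    return pow(_digest_as_int(package), d, n)


def verify_signature(package: bytes, signature: int,
                     public_key=DISTRIBUTOR_PUBLIC_KEY) -> bool:
    """Installer side: check the signature with the public key only."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(package)


def verify_checksum(package: bytes, published_md5: str) -> bool:
    """The md5sum check the post describes: the reference value lives on the
    same mirror as the package, so anyone who can change one can change both."""
    return hashlib.md5(package).hexdigest() == published_md5


# Constructed sample of what the distributor publishes ...
GENUINE_PKG = b"#!/bin/sh\n# constructed sample post-install script\necho installing\n"
GENUINE_MD5 = hashlib.md5(GENUINE_PKG).hexdigest()
GENUINE_SIG = sign_package(GENUINE_PKG)

# ... and of what an altered mirror could serve instead: a modified package
# with a freshly computed checksum. Without the secret key the mirror can only
# keep re-serving the distributor's original signature.
TAMPERED_PKG = GENUINE_PKG + b"echo line added on the mirror\n"
TAMPERED_MD5 = hashlib.md5(TAMPERED_PKG).hexdigest()


def checksum_detects_tampering() -> bool:
    """False: the replaced checksum matches the replaced package."""
    return not verify_checksum(TAMPERED_PKG, TAMPERED_MD5)


def signature_detects_tampering() -> bool:
    """True: the original signature no longer matches the package."""
    return not verify_signature(TAMPERED_PKG, GENUINE_SIG)


if __name__ == "__main__":
    print("genuine package, checksum ok:", verify_checksum(GENUINE_PKG, GENUINE_MD5))
    print("genuine package, signature ok:", verify_signature(GENUINE_PKG, GENUINE_SIG))
    print("tampered package caught by checksum:", checksum_detects_tampering())
    print("tampered package caught by signature:", signature_detects_tampering())
```

The design point is where the reference value comes from: the public key is installed with the system ahead of time, so a mirror that can rewrite files and checksums still cannot produce a signature that verifies against it. Running the script prints that the checksum check passes on the altered package while the signature check fails.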