>It occurs to me that all of the linux distributions (from here on, replace
>"linux" with "GNU/Linux" if you want), whether debian or redhat or whatever,
>seem to be making a big assumption that could bite them later.
>
>Right now we all run stuff as root to install packages, whether by way of RPM,
>APT, or whatever. We don't do anything (md5sum is still a number that could
>be quietly replaced) to verify the source of the package.
>
>So Joe Random Hacker could, if they wanted, quietly add a couple of commands
>to the stuff run during installation to introduce a hole onto the system
>being used for installation. They wouldn't have to try to target official
>distribution sites (ftp.redhat.com or whatever), though that would be
>helpful. Instead, pick random mirror sites and give it a try.
All the Red Hat RPMs are GPG signed. I think the same is either happening or
has happened with Debian.
Can't speak for any other distros. I know Apple had the same problem
6 months ago and they've started signing their packages too.
L.
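Added illustration of the point made in this exchange (my own constructed demo, not rpm or GPG code): a checksum file served by the same mirror as the package can be rewritten along with it, while a signature checked against a publisher key obtained out of band (install media, a keyring shipped with the distribution) cannot be forged by the mirror. Toy RSA without padding stands in for GPG only to keep the demo dependency-free; the package bytes are constructed sample data.

```python
# Constructed demo, not rpm/GPG code: md5 from the mirror proves nothing,
# a signature checked against an out-of-band publisher key does.
# Toy RSA (no padding, Fermat primality) is for illustration only.
import hashlib
import random

def is_probable_prime(n, rounds=16):  # Fermat test; fine for a demo key only
    return n > 3 and all(pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(rounds))

def random_prime(bits):
    c = random.getrandbits(bits) | 1 << (bits - 1) | 1  # odd, full length
    while not is_probable_prime(c):
        c += 2
    return c

def keygen(bits=512):
    """Return (public, private) as (e, n), (d, n). Toy RSA, demo only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest_int(data):  # 256-bit digest is always smaller than the 512-bit modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data):  # distributor side; needs the private key
    return pow(digest_int(data), priv[0], priv[1])
def verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == digest_int(data)

def publish(priv, package):
    """What the distributor uploads to mirrors: package, md5 file, signature."""
    return {"pkg": package, "md5": hashlib.md5(package).hexdigest(),
            "sig": sign(priv, package)}

def tampered_mirror(mirror, replacement):
    """A hostile mirror swaps the package and rewrites the md5 file, but
    cannot rewrite the signature without the distributor's private key."""
    return dict(mirror, pkg=replacement, md5=hashlib.md5(replacement).hexdigest())

def md5_only_check(mirror):  # the "number that could be quietly replaced"
    return hashlib.md5(mirror["pkg"]).hexdigest() == mirror["md5"]
def signature_check(mirror, trusted_pub):  # key did NOT come from the mirror
    return verify(trusted_pub, mirror["pkg"], mirror["sig"])

def demo():
    pub, priv = keygen()
    good = publish(priv, b"#!/bin/sh\necho installing foo\n")  # constructed sample
    bad = tampered_mirror(good, good["pkg"] + b"# line inserted by the mirror\n")
    return md5_only_check(bad), signature_check(bad, pub)  # (True, False)
```

The md5 check passes on the tampered mirror because the attacker rewrote the checksum file too; only the signature check, anchored in a key the installer already trusted, rejects it.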