
Re: Recent updates

From: Rolf Kutz <rk(at)vzsze.de>
Date: Mon Feb 18 2008 - 04:43:20 EST


On 18/02/08 06:01 -0300, Felipe Figueiredo wrote:
>On Sun 17 Feb 2008 17:48:16 Alexander Schmehl wrote:
>
>
>> Well, a rogue hacker would need to be quite skilled to add some kind of
>> "bad" package.
>>
>> Let's assume he has created a bad package and got control over a mirror
>
>How about a simpler attack vector: compromise a devel account, and sneak in a
>patch to be automatically incorporated to a package. Is this feasible?

I think packages are signed when uploaded, so it's not easy. You also could compromise upstream, a buildd machine or gcc.

>I understand that this case would not reflect what the OP asked about, but
>still.

Why trust software you didn't write yourself at all[0]?

regards, Rolf

[0] http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

-- 
Process too difficult to explain.


Received on Mon Feb 18 05:05:06 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:56:00 EDT
