Re: insecurity/threat of rpm, urpmi, apt-get installs?

From: Tim Haynes (usenet-20041014_at_stirfried.vegetable.org.uk)
Date: 10/14/04

• Next message: Beowulf: "Re: insecurity/threat of rpm, urpmi, apt-get installs?"
• Previous message: Tim Haynes: "Re: What is a VPN?"
• In reply to: Beowulf: "Re: insecurity/threat of rpm, urpmi, apt-get installs?"
• Next in thread: Beowulf: "Re: insecurity/threat of rpm, urpmi, apt-get installs?"
• Reply: Beowulf: "Re: insecurity/threat of rpm, urpmi, apt-get installs?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 14 Oct 2004 18:01:03 +0100

Beowulf <beowulf@nowhere.net> writes:

[snip]
> I have to say almost all the packages I have installed via urpmi have had
> bad signatures, and i just go ahead and install them, not understanding
> why they have bad signatures. Have I been installing spyware or hacked
> binaries, or is such an event common and harmless? Without urpmi (apt-get
> equivalent) I end up in dependency hell, but with urpmi I end up
> installing bad signature rpms/libs; seems a no-win situation.

You certainly don't know that you haven't been installing bad things.

If you did get valid signatures for all your packages, you'd know that the
packages were as trustworthy as that signature - ie that you trusted the
signature as being indicative of redhat/mandrake/whoever's approval in the
first place, hoping that it hasn't been cracked or leaked since you first
established trust in it.

If you had only installed packages with correct signatures, you would have
had a *much* lower probability of anything having been wrong.

~Tim

-- 
Headlights flash in the darkness       |piglet@stirfried.vegetable.org.uk
Memories twist in the rain             |http://pig.sty.nu/Pictures/composition/

---

• Next message: Beowulf: "Re: insecurity/threat of rpm, urpmi, apt-get installs?"
• Previous message: Tim Haynes: "Re: What is a VPN?"
• In reply to: Beowulf: "Re: insecurity/threat of rpm, urpmi, apt-get installs?"
• Next in thread: Beowulf: "Re: insecurity/threat of rpm, urpmi, apt-get installs?"
• Reply: Beowulf: "Re: insecurity/threat of rpm, urpmi, apt-get installs?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: RPM is cheating! ... > batch of RPMs to deal with. ... installing stuff that gave problems, ... The easiest way is to use Mandrake's excellent urpmi ... You can just use the packages on the Mandrakes disks. ... (comp.os.linux.misc) Re: insecurity/threat of rpm, urpmi, apt-get installs? ... I have to say almost all the packages I have installed via urpmi have had ... Have I been installing spyware or hacked ... installing bad signature rpms/libs; seems a no-win situation. ... (comp.os.linux.security) Re: Where is Phobos P430 QFE X1034A Driver ... The following packages are available: ... Installing Phobos P430 Adapter Driver for 32 bit PCI QuadPort ... devfsadm: driver failed to attach: pqfe ... (comp.sys.sun.admin) Re: Why no R in Fedora (was Statistical Package (like Minitab) for Linux) ... > The fedora rpm provided at the CRAN site contains very few add-on ... > packages would provide a large amount of functionality. ... > Users can easily install.packageson top of this more stuff from CRAN. ... > I always seem to end up installing a few packages eg. lineno, ... (Fedora) Re: Linux/Python Issues ... It doesn't suck if you're just installing one program, ... tool to retrieve packages, but then the developers got "feature envy" ... you've got to face the problem that your distribution isn't going to ... (comp.lang.python)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.linux.security  > 2004-10