Re: insecurity/threat of rpm, urpmi, apt-get installs?

From: Tim Haynes (usenet-20041014_at_stirfried.vegetable.org.uk)
Date: 10/14/04


Date: Thu, 14 Oct 2004 18:01:03 +0100

Beowulf <beowulf@nowhere.net> writes:

[snip]
> I have to say almost all the packages I have installed via urpmi have had
> bad signatures, and I just go ahead and install them, not understanding
> why they have bad signatures. Have I been installing spyware or hacked
> binaries, or is such an event common and harmless? Without urpmi (apt-get
> equivalent) I end up in dependency hell, but with urpmi I end up
> installing bad signature rpms/libs; seems a no-win situation.

You certainly don't know that you haven't been installing bad things.

If you did get valid signatures for all your packages, you'd know that the
packages were as trustworthy as that signature, i.e. that you trusted the
signature as being indicative of redhat/mandrake/whoever's approval in the
first place, hoping that it hasn't been cracked or leaked since you first
established trust in it.

If you had only installed packages with correct signatures, you would have
had a *much* lower probability of anything having been wrong.

~Tim

-- 
Headlights flash in the darkness       |piglet@stirfried.vegetable.org.uk
Memories twist in the rain             |http://pig.sty.nu/Pictures/composition/
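The practical check behind Tim's point, as an added example that is not part of the original post or of urpmi's code: a small POSIX shell policy that reads what `rpm -K` (`rpm --checksig`) prints and refuses anything that is not a verified signature. It assumes the two output shapes rpm has used (the classic rpm 4.x one-liner such as `pkg.rpm: (sha1) dsa sha1 md5 gpg OK`, and the rpm 4.14+ form `pkg.rpm: digests signatures OK`); the sample lines are constructed, not real packages, and urpmi's own "bad signature" wording is not parsed. The distinction it draws is the one a practitioner wants: "NOKEY"/"MISSING KEYS" means the vendor key simply is not in the rpm keyring (fixable), "NOT OK" means the digest or signature does not match (do not install), and a bare "OK" with no signature token means only the digests were checked, so the file is intact but nobody vouched for it.

```shell
#!/bin/sh
# Added example (not from the original post): classify `rpm -K` output so a
# script can refuse to install anything whose signature did not verify.
# Assumed formats: classic rpm 4.x ("pkg.rpm: (sha1) dsa sha1 md5 gpg OK")
# and rpm >= 4.14 ("pkg.rpm: digests signatures OK").

# Prints one of: signed-ok, unsigned, nokey, bad, unknown
classify_checksig() {
    line=$1
    case "$line" in
        *"MISSING KEYS"*|*NOKEY*)
            # A signature is present but its key is not in the rpm keyring.
            # Import the vendor key (rpm --import) and re-check; don't install yet.
            echo nokey ;;
        *"NOT OK"*)
            # Digest or signature mismatch: corrupt or tampered package.
            echo bad ;;
        *" gpg OK"|*" pgp OK"|*"signatures OK")
            # Lowercase gpg/pgp (old format) or "signatures" (new format)
            # means the signature verified against a key in the keyring.
            echo signed-ok ;;
        *" OK")
            # Only digests were checked: intact file, but nobody signed it.
            echo unsigned ;;
        *)
            echo unknown ;;
    esac
}

# Policy: only a verified signature is good enough to install.
# Returns 0 if the package may be installed, 1 otherwise.
allow_install() {
    [ "$(classify_checksig "$1")" = "signed-ok" ]
}

# Real-world wrapper: run rpm -K on a package file and apply the policy.
# Not exercised by the constructed samples below (needs rpm and a package).
check_rpm_file() {
    out=$(rpm -K "$1" 2>&1) || true
    if allow_install "$out"; then
        echo "OK to install: $1"
        return 0
    fi
    echo "REFUSING $1: $(classify_checksig "$out") -- $out" >&2
    return 1
}

# Constructed sample lines in the shape rpm -K prints (not real packages;
# the key ID in the MISSING KEYS line is a placeholder).
for sample in \
    "foo-1.0-1.i586.rpm: (sha1) dsa sha1 md5 gpg OK" \
    "foo-1.0-1.i586.rpm: sha1 md5 OK" \
    "foo-1.0-1.i586.rpm: (SHA1) DSA sha1 MD5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)" \
    "foo-1.0-1.i586.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK" \
    "bar-2.0-1.x86_64.rpm: digests signatures OK" \
    "bar-2.0-1.x86_64.rpm: digests SIGNATURES NOT OK"
do
    printf '%-10s %s\n' "$(classify_checksig "$sample")" "$sample"
done
```

On rpm 4.14 and later, plain `rpm -K` reports a missing key only as `SIGNATURES NOT OK`; run `rpm -Kv` and feed each line through `classify_checksig` to see the per-signature `NOKEY` verdict. Before importing a vendor key with `rpm --import`, compare its fingerprint against one obtained out of band (install media, the vendor's site over TLS), because, as the post says, a verified signature is only ever as trustworthy as the key you chose to trust.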
