[lug] Package manager vulnerabilities [was Re: Pencast of Trent Hein - Practical Security]
Sean Reifschneider
jafo at tummy.com
Wed Oct 21 16:08:33 MDT 2009
On 10/21/2009 02:00 PM, David L. Anselmi wrote:
>> One interesting point was that not all distros have been tight in
>> vetting public repositories. Basically, a self-sign-up allowed
>
> Seems to me that they overstated the risk from man-in-the-middle
> attacks. RHEL shouldn't need all the protections mentioned in the
I agree that the secure channel is important. I remember being shocked
about Debian's policy that they didn't allow mirrors of security updates
because they couldn't deal with signed packages, so they didn't want people
to insert compromises in security packages. Of course, this also applied
to base packages, but that issue wasn't on their radar.
Sean
--
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20091021/09610a32/attachment.pgp>
More information about the LUG
mailing list