[nSLUG] package managers & security
D G Teed
donald.teed at gmail.com
Sat Mar 26 08:16:05 ADT 2011
On Sat, Mar 26, 2011 at 7:45 AM, D G Teed <donald.teed at gmail.com> wrote:
> On Fri, Mar 25, 2011 at 6:17 PM, Peter Dobcsanyi <petrus at ftml.net> wrote:
>> An interesting analysis on the security of popular package managers:
>> A Look In the Mirror: Attacks on Package Managers
Argh. I don't know what I hit, but accidently discovered some command key
for send in gmail. Sorry for the blank email.
Very interesting article on package mirror and security. Hopefully the
distros will get on top of this, as the concepts are now public and
it will become well known one can operate a hosted mirror under a
One aspect which was not in the study's measurements was how often one
has to use a repository outside of the official repos to get essential
(e.g. Denyhosts, or amavisd). For a distribution like Redhat (or Solaris),
this happens often.
I prefer to use a repo and the package manager when I can,
over compiling tarballs, as I'll sooner know when there are issues
with the package we should update. However in some cases a tarball
is all you can get, or getting the latest source is most desirable
and done outside of package management.
When using alterative repos, you are at the mercy of whatever the package
maintainer at the alternative site has for their security and any process
they have for filtering dev contributors. Also, you are at the mercy of
their QA methods and packaging sanity. When this is taken into
account, a distro with a wider breadth of packages, prepared
and QA'ed against a strong set of standards, should be more reliable
than the scenario of adding third party repos. This goes wider
than security, but to me it is the same issue as they can all
interfere with the reliability of services I maintain.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nSLUG