[Novalug] linux update security?

Nick Danger nick@hackermonkey.com
Tue Jan 15 10:22:50 EST 2008


Anthony Soucek wrote:
> on my summary comment "I can also see how open source is an invitation to
> trouble."  I think what I was intending there is that accepting
> updates from unrecognized sources is a security risk.  Of which, of
> course, the OS warns me.   Because the process of applying updates
> bypasses the security model, and I am trusting the Add/remove programs
> functionality in Ubuntu to provide me with enough apps to make it a
> useful desktop (so I'll take any repository I can get.) I guess my
> question is how are the community supported apps screened by the OS
> for security before they become available to clueless users like me?
> Or are they not screened at all?

Again, it goes back to which repositories you use. If you use the Ubuntu
one then package administrators (trusted) are the only ones that can
update those sites. If you use "Joe Doe's repository of K-rad Warez"
then maybe Joe Doe does it. So you are trusting these other parties to
monitor your packages for issues and only update when necessary. But
then isn't that the case with almost everything? You either do it
yourself, or you trust someone else.  And you try to limit who you trust
to only those, uh, trustworthy. That was a little circular but I think
you all see what I mean. Eventually you have to trust someone, just how
you choose who to trust, well that's kinda personal and different between
everyone.

Exactly how they are screened I don't know. Since I've never been a site
maintainer :-) I've built a few packages for my own use and even handed
them out, but that's hardly the same thing.


