Re: Is this possible in Fedora?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/11/2009 10:49 PM, Greg Woods wrote:
> On Fri, 2009-12-11 at 22:16 +0530, Rahul Sundaram wrote:
>> On 12/11/2009 08:34 PM, Tim wrote:
>>  It'll take quite some effort, not impossible, but very
>>> difficult, to get a signed compromising package into the repos.
>>
>> Unfortunately, I don't think it's that difficult. Why do you believe it is?
> 
> It does at least require the cooperation of an insider. To me, that
> raises the bar quite a bit.

Actually, no it doesn't.  I can pretend to be a useful upstream and
eventually distributions will pick it up. I can also be a package
maintainer and purposefully push a trojan horse in an update. There are
many attack vectors. People who are signing the updates are not going to
be able to do detailed code reviews.

Rahul

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux