Is this possible in Fedora?
Rahul Sundaram
sundaram at fedoraproject.org
Fri Dec 11 17:23:11 UTC 2009
On 12/11/2009 10:49 PM, Greg Woods wrote:
> On Fri, 2009-12-11 at 22:16 +0530, Rahul Sundaram wrote:
>> On 12/11/2009 08:34 PM, Tim wrote:
>> It'll take quite some effort, not impossible, but very
>>> difficult, to get a signed compromising package into the repos.
>>
>> Unfortunately, I don't think it's that difficult. Why do you believe it is?
>
> It does at least require the cooperation of an insider. To me, that
> raises the bar quite a bit.
Actually, no it doesn't. I can pretend to be a useful upstream and
eventually distributions will pick it up. I can also be a package
maintainer and purposefully push a trojan horse in an update. There are
many attack vectors. People who are signing the updates are not going to
be able to do detailed code reviews.
Rahul
More information about the fedora-list
mailing list