/ 2004-07-20 08:11:22 +0200 \ Markus Gaugusch:
On Jul 20, neodaxus@gmx.net wrote:
Theoretically it is possible that modified packages for Linux distributions are made available in order to create backdoors (e.g. through a hacked server or mirror, wrong IP routing / DNS resolving, or simply someone making available manipulated packages at a site under his control).
I wonder how SuSE and other distros protect themselves against this threat. [...] Who knows about SuSE (YOU + Yast)?
All SuSE packages are cryptographically signed with the SuSE build key (build@suse.de). It is automatically installed from the CDs.
In addition to that, fou4s (http://fou4s.gaugusch.at/) allows you to install packages that are signed with fully trusted keys, apart from the SuSE key.
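As an added example (not part of this thread and not fou4s's or SuSE's own code), a POSIX sh check that follows the trust model Markus describes: a package is accepted only when rpm reports a good signature and the signing key ID is on an explicit list of fully trusted keys. The key IDs are constructed placeholders, and the two rpm output layouts handled are the ones rpm has printed across versions.

```shell
#!/bin/sh
# Added example, not fou4s code: accept a package only if rpm reports a good
# signature AND the signing key ID is on an explicit list of trusted keys.
# A valid signature from an unknown key, or a package with good digests
# but no signature at all, is rejected.

# Constructed placeholder key IDs; substitute the real build key ID(s).
TRUSTED_KEY_IDS="9c800aca 0123abcd"

# sig_ok_from_trusted_key OUTPUT
#   OUTPUT is the text printed by `rpm --checksig -v PACKAGE`.
#   Returns 0 when at least one signature line is ": OK" and its key ID is
#   trusted, 1 otherwise.  Both line layouts rpm has used are handled:
#     Header V3 DSA signature: OK, key ID 9c800aca          (older rpm)
#     Header V4 RSA/SHA256 Signature, key ID 9c800aca: OK   (newer rpm)
#   Lines reading NOKEY, BAD or NOT OK never contain ": OK", so the first
#   grep drops them; digest-only lines carry no key ID and are dropped by sed.
sig_ok_from_trusted_key() {
    keyids=$(printf '%s\n' "$1" \
        | grep ': OK' \
        | sed -n 's/.*key ID \([0-9A-Fa-f]*\).*/\1/p' \
        | tr '[:upper:]' '[:lower:]')
    [ -n "$keyids" ] || return 1          # unsigned: digests alone do not count
    for id in $keyids; do
        case " $TRUSTED_KEY_IDS " in
            *" $id "*) return 0 ;;        # signed by a trusted key
        esac
    done
    return 1                              # signed, but by an untrusted key
}

# check_package PACKAGE.rpm -- wrapper for real use; assumes rpm is installed.
# Plain `rpm -K` exits 0 for an unsigned package whose digests verify, so the
# decision is made on the signature lines, not on rpm's exit status.
check_package() {
    out=$(rpm --checksig -v "$1" 2>&1) || true
    sig_ok_from_trusted_key "$out"
}
```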
sure. but part of the question is, how does SuSE ensure that what they distribute is not trojaned because the sources of some upstream package already are trojaned? well, I think to some degree you have to trust _someone_. I like to trust the SuSE people that they know their business, and do some audits. but knowing about the details how they ensure integrity of upstream package sources would be nice anyways ...
lge