Mailinglist Archive: opensuse (1728 mails)
Re: [opensuse] Re: Carelessness busts Linux security
- From: Marcus Meissner <meissner@xxxxxxx>
- Date: Fri, 11 Dec 2009 13:46:25 +0100
- Message-id: <20091211124625.GA18490@xxxxxxx>
On Fri, Dec 11, 2009 at 11:27:38PM +1100, Basil Chupin wrote:
On 11/12/09 20:51, Marcus Meissner wrote:
Have you read and understood what was stated in that kubuntu forum posting?
Have you understood what I am asking/questioning here?
Novell/openSUSE has pushed out the development of oS unto "the
community" - the "Build Service" - and any upgrades to the oS are
installed with zypper or YaST which ask for root privileges before being
implemented.
As far as I am aware Novell/openSUSE have no way of checking the
benevolence of what is produced in BS - except by user peer-review. And
by the time the review is made the damage to some system is done -- but
Linux keeps claiming, or at least not coming forward to dispel the
impression, that users hold that Linux is not vulnerable to security
breaches.
For sources to be included in the openSUSE Factory and openSUSE release
they have to pass 2-3 review steps.
- The packager itself who submits the package.
(You probably assume he might be malicious).
NEVER! Wouldn't dream of doing this....unless it is a nightmare :-) .
- The reviewing maintainer in the Development Projects of openSUSE Factory.
- The build team who finally checks in the sources into openSUSE Factory.
Things could be slipped by those 2 additional reviewers with enough
subterfuge or obfuscation.
The rest of the openSUSE buildservice repositories are of course under
the control of the people maintaining those projects/repos.
So if you install stuff from home:kevinmitnick:something the
"kevinmitnick" user is totally in control of what is contained there,
be it evil or good. We (as openSUSE project or Novell) do not control that.
So in the end you should apply varying degrees of trust to different
OBS projects.
Ciao, Marcus
Many thanks, Marcus, for your response.
Taking into account all that you said above, the most important thing
which I would like to pin down is: is the claim that Linux is 'secure'
and is "unhackable" and that while MS and Mac are vulnerable to hackers
etc something like openSUSE is NOT - unless, of course, a Windows
emulator is being run on the OS in which case of course normal security
crappola used for Windows has to be taken to avoid viruses, trojans, etc
and etc and etc.
From your response, and from other responses I have read, it seems that
all these responses are skirting around this very basic question of
security: is openSUSE impenetrable or not?
OK, the Packager, the Development Project team member, the Build Team
can each cock-up and let through a "nasty". Fine. But are you implying
that if this should happen then the Linux system we are running is not
as wonderful as it is made out to be by some people and can, therefore,
suffer the same hernia as any MS or Apple OS now can suffer from malware?
Yep, I've heard the arguments that Linux is now safe simply because all
the attention is being paid to MS/Mac systems because they are the most
popular, bs, bs, bs - but that Linux OSs are immune from all the
"nasties" which plague the MS/Mac OSs.
Yep, and I also have heard that there is no system which cannot be
penetrated and that while at the moment things are "safe" there is
nothing to say that a week, or so, from now someone will not come up
with a way to circumvent security. However, with Linux, because there
are many, many eyes examining the code - unlike the proprietary OSs -
Linux OSs remain and will remain 'secure'.
But the bottom line is: have we been all living with the misconception
put about by Linux fanatics that Linux systems are secure, unlike MS/Mac
systems, and therefore we can go to sleep peacefully every night without
a worry in the world ? :-) .
Well, the general thing here is that if you install Software from person X
person X can gain total control of your system. This is not new.
That installing software is so easy these days and commonly done and
suggested makes it more dangerous for the inexperienced administrator,
who now needs to know which sources he can trust and which he cannot.
Ciao, Marcus
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx