[opensuse-factory] how secure is the opensuse packagemanager
hello list:

there seems to be some activity regarding package manager security issues: <http://www.cs.arizona.edu/people/justin/packagemanagersecurity/>

how secure is the opensuse way in the recent opensuse releases?

regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Tue, Jul 15, 2008 at 02:22:25PM +0200, ab wrote:
> hello list:
> there seems to be some activity regarding package manager security issues: <http://www.cs.arizona.edu/people/justin/packagemanagersecurity/>
> how secure is the opensuse way in the recent opensuse releases?

We will publish an official clarification statement today. Do not worry, you are not as insecure as it might read ;)

That the site lacks a table of who is affected by what, and that our feedback was not timely integrated is pretty bad though.

Ciao, Marcus

On Tue, Jul 15, 2008 at 9:22 AM, ab <spam@abittner.de> wrote:
> hello list:
> there seems to be some activity regarding package manager security issues: <http://www.cs.arizona.edu/people/justin/packagemanagersecurity/>

From what I can tell, all the "attack" is based on the premise that the package manager will crazily downgrade your packages, which I hardly believe there is any example of such software doing that in any distribution...

typical slashdot hysteria

Marcio --- Druid

ab wrote:
> there seems to be some activity regarding package manager security issues: <http://www.cs.arizona.edu/people/justin/packagemanagersecurity/>
> how secure is the opensuse way in the recent opensuse releases?

If you use http://download.opensuse.org/update/11.0/ as your update repository, then the metadata will be served directly, effectively avoiding the attack AFAICS. The mirrors will only be redirected to for rpm files.

Michal

participants (4)
- ab
- Druid
- Marcus Meissner
- Michal Marek