Ludwig Nussel wrote on [security-announce] "Package management security on SUSE Linux" on Tue, 15 Jul 2008 17:10:52 +0200 (Reference:) http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00005.html
Dear openSUSE and SUSE Linux Enterprise users,
Several news sites recently published articles citing a report about attacks on package managers. Some unfortunately chose a wording that could be misunderstood as if a rogue mirror server could trick YaST into installing malicious software when applying regular (security-) updates.
This is not the case.... (snip)
----- <Ludwig Nussel's comments heavily trimmed >----
Thank you for taking the time to post your comments on the (Novell) [security-announce] list regarding "Package management security...".
I had seen the original University of Arizona CS article (as you referenced in your footnote) and as cited on either Slashdot or Digg (or maybe both), and it was good to get your take on the "Stork project" research.