On Sun, Jul 13, 2008 at 7:55 PM, Jim Henderson
On Sun, 13 Jul 2008 17:06:15 -0700, John Andersen wrote:
But Repos usually are signed, and in addition to the above you have to convince the masses that the key should be imported and trusted.
How hard is that - really - to do, though? Most people find something they want to install and install it. I wonder how many people just click through the "trust this key and import it" prompt.
Jim
True. I suppose anyone could put a repo out, sign it and await suckers to install compromised software. I always stick to repos mentioned on openSUSE's 3rd party repo page or from names I recognize.

The ease with which a userland application can start listening on a port is the main risk (in my opinion) when it comes to rogue software. (This is THE one area where an iptables-based firewall is useful IMHO, although I prefer a separate hardware firewall/router for this.) Outgoing connections are even more problematic.

But bringing it back on topic just a little, NONE of the available scanning packages check for Linux exploits anyway, so unless you are scanning to protect Windows machines, the anti-virus anti-malware scanners are useless.

--
----------JSA---------
Sig line deleted for the humor impaired.