Anyone can push malware through Windows Update with little effort. Microsoft doesn't perform a useful security audit of published binaries; they simply rely on the fact that signing requires a slew of IDs and secret handshakes which are difficult to fake (i.e. remain an anonymous baddie).
I think Garrett's approach is okay. It's impossible to think of every single possible security breach scenario, therefore we should focus on implementing various doodads to mitigate issues if/as they arise. Killbits and revoking certificates are good examples.

/rafael

On 4/16/2010 1:08 PM, Garrett Serack wrote:
> What specifically do you mean by compromised?
>
> If you mean defective, well, that is a small potential problem. It is in any system.
>
> If you mean that a package is published and someone is trying to pass it off as someone else's package, well that's why we have a requirement for a publisher to digitally sign the code. If they lose control of their signing keys, we laugh and all code published with their cert after the loss of control can be killed by revoking the certificate, and/or implement a killbit system (since we can identify WinSxS libraries uniquely).
>
> Actually, we should probably build a killbit system regardless, as it can assist in the defective case too.
>
> And, yes WU can install drivers and code from third parties; which is why they require any binaries passing thru WU to be signed and run thru a bunch of validation tools.
>
> Garrett Serack | Open Source Software Developer | Microsoft Corporation
> I don't make the software you use; I make the software you use better on Windows.
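A sketch of the trust decision the quoted reply describes, added here as an example and not CoApp's own code: a package whose signature has already been verified is still rejected if its unique assembly identity carries a killbit, or if its publisher's certificate is revoked and the signature timestamp falls after the stated loss of control, while earlier signatures stay installable. All identities, thumbprints and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class SignedPackage:
    identity: str          # unique assembly identity (WinSxS-style), constructed
    publisher_cert: str    # thumbprint of the publisher's signing certificate
    signed_at: datetime    # trusted countersignature timestamp

@dataclass(frozen=True)
class Revocation:
    cert: str
    compromised_at: Optional[datetime]  # None: distrust everything signed with this cert

def evaluate_package(pkg: SignedPackage, revocations: list, killbits: set) -> str:
    """Decide whether an already signature-verified package may install.
    Killbits name one specific build, so they win over everything else and
    also cover the 'defective' case where the publisher is not at fault.
    """
    if pkg.identity in killbits:
        return "blocked: killbit"
    for rev in revocations:
        if rev.cert != pkg.publisher_cert:
            continue
        # Only signatures made after the stated loss of control are distrusted;
        # code the publisher signed while still in control remains installable.
        if rev.compromised_at is None or pkg.signed_at >= rev.compromised_at:
            return "blocked: certificate revoked"
    return "allowed"

# Constructed sample data: a publisher loses control of its key on 2010-04-16.
UTC = timezone.utc
LOSS = datetime(2010, 4, 16, 12, 0, tzinfo=UTC)
REVOCATIONS = [Revocation(cert="CERT-EXAMPLE-PUBLISHER", compromised_at=LOSS)]
KILLBITS = {"example.lib,version=1.0.0.1,publicKeyToken=deadbeef00000000"}

PACKAGES = [
    SignedPackage("example.lib,version=1.0.0.0,publicKeyToken=deadbeef00000000",
                  "CERT-EXAMPLE-PUBLISHER", datetime(2010, 4, 1, tzinfo=UTC)),
    SignedPackage("example.lib,version=1.0.0.1,publicKeyToken=deadbeef00000000",
                  "CERT-EXAMPLE-PUBLISHER", datetime(2010, 4, 1, tzinfo=UTC)),
    SignedPackage("example.lib,version=2.0.0.0,publicKeyToken=deadbeef00000000",
                  "CERT-EXAMPLE-PUBLISHER", datetime(2010, 4, 20, tzinfo=UTC)),
]

if __name__ == "__main__":
    for p in PACKAGES:
        print(p.identity, "->", evaluate_package(p, REVOCATIONS, KILLBITS))
```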