On Thu, Mar 06, 2003 at 09:21:21PM -0500, Gary MacDougall wrote: [snip]
> This is silly to blame the FBI. I'd be far more concerned about the
> average knucklehead trying to do this maliciously than thinking the
> FBI would do it... please.

I wasn't that worried about the FBI, being Australian, but what about an
unscrupulous ISP? What about a compromised mirror?

> As I agree that there should be a level of protection on apt-get, or any
> "auto update" system, it's up to the person doing the update to check the
> things they're updating if they are that paranoid. If you're really
> concerned about this, don't apt-get, download the debs and
> eyeball the debs yourself.
>
[snip]
>
> The article was written in December 2001, two years ago and over 100 IIS
> patches later. In hindsight, had the author concentrated on IIS and its
> lack of security, and pointed out that the Internet is slowed to a crawl
> since every IT idiot maintaining IIS won't patch their software or do
> AN AUTO UPDATE!!! It's a contradiction to the original problem being
> stated!!! hahahahaha.

The article may have been written in December 2001, but I don't think
anything has fundamentally changed in the way Debian's packaging operates,
or how packages are rolled out.

[snip]

> This stuff is silly. I'll take my chances with apt-get and know that my
> system is up to date.

I can't take that attitude. I work in a secure environment. I've got to
determine the appropriate level of paranoia to employ for ensuring a largish
Debian infrastructure is kept up to date with legitimate patches.

Andrew