[EMAIL PROTECTED] (Niels L. Ellegaard) writes:

> I have been looking at a few of the sites that offer unofficial
> debian packages, and I am somewhat confused about the security issues.
> I am not a great Linux guru, so I wonder how easy it would be to hide
> a rootkit in a binary package and submit it to apt-get.org or
> backports.org.

Utterly trivial.

> Is this a serious risk or am I just being paranoid?

It's the reason why Debian has a maintainer application process, requires new maintainer gpg keys to be signed by existing developers, and requires all uploads to be gpg signed by a key in the Debian keyring. Of course this doesn't prevent a Debian developer from doing evil things, but it makes it possible to track and permanently ban whoever did the evil things.

-- 
You win again, gravity!
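The reply above explains why the archive's gpg signatures matter: a signed upload ties a package to a key in the Debian keyring. What the signature on the archive actually protects is a hash chain, and that is the part a user of an unofficial repository can inspect. The example below is an added illustration, not code from the list post or from Debian's own tools. It goes a step beyond the post by walking the chain apt relies on: the (already signature-verified) Release file lists the SHA-256 and size of each Packages index, and each Packages stanza lists the SHA-256 and size of the .deb it describes. The sample Release, Packages and .deb contents are constructed inline and labelled as such; the OpenPGP signature check on Release (done by gpgv/apt with the keys in the trusted keyring) is assumed to have happened before `verify_chain` is called and is not implemented here.

```python
import hashlib
import hmac


def parse_checksum_section(release_text, field="SHA256"):
    """Parse one checksum block of a Release file.

    The block begins with a line such as 'SHA256:' and continues with
    indented lines ' <hexdigest> <size> <path>'. Returns {path: (digest, size)}.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith(field + ":"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.startswith(" "):
            break  # the next top-level field ends the block
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, path = parts
        entries[path] = (digest.lower(), int(size))
    return entries


def parse_packages(packages_text):
    """Split a Packages index into stanzas; each stanza becomes a dict of fields."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line.startswith((" ", "\t")):
            continue  # multi-line fields such as Description are not needed here
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def digest_matches(data, expected_hex, expected_size):
    """Size check plus constant-time comparison of the SHA-256 hex digest."""
    if len(data) != expected_size:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


def verify_chain(release_text, packages_bytes, packages_path, deb_filename, deb_bytes):
    """Walk Release -> Packages -> .deb; True only if every link holds.

    release_text is assumed to have already passed OpenPGP signature
    verification against the trusted keyring; that step is not done here.
    """
    index = parse_checksum_section(release_text)
    if packages_path not in index:
        return False
    digest, size = index[packages_path]
    if not digest_matches(packages_bytes, digest, size):
        return False
    for stanza in parse_packages(packages_bytes.decode("utf-8")):
        if stanza.get("Filename") == deb_filename:
            return digest_matches(deb_bytes, stanza["SHA256"], int(stanza["Size"]))
    return False  # the .deb is not listed in the signed index at all


# --- constructed sample data, not real archive content ---
DEB_GOOD = b"constructed stand-in for hello_2.10-2_amd64.deb\n"
DEB_FILENAME = "pool/main/h/hello/hello_2.10-2_amd64.deb"
PACKAGES_PATH = "main/binary-amd64/Packages"


def build_sample():
    """Build a Packages index and Release file that are consistent with DEB_GOOD."""
    packages = (
        "Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n"
        "Filename: %s\nSize: %d\nSHA256: %s\n\n"
    ) % (DEB_FILENAME, len(DEB_GOOD), hashlib.sha256(DEB_GOOD).hexdigest())
    packages_bytes = packages.encode("utf-8")
    release = (
        "Origin: Constructed\nSuite: example\n"
        "MD5Sum:\n %s %d %s\n"
        "SHA256:\n %s %d %s\n"
    ) % (hashlib.md5(packages_bytes).hexdigest(), len(packages_bytes), PACKAGES_PATH,
         hashlib.sha256(packages_bytes).hexdigest(), len(packages_bytes), PACKAGES_PATH)
    return release, packages_bytes


def demo():
    """Return (genuine .deb verifies, same-size substituted .deb verifies)."""
    release, packages_bytes = build_sample()
    good = verify_chain(release, packages_bytes, PACKAGES_PATH, DEB_FILENAME, DEB_GOOD)
    tampered = DEB_GOOD.replace(b"hello", b"jello")  # same length, different bytes
    bad = verify_chain(release, packages_bytes, PACKAGES_PATH, DEB_FILENAME, tampered)
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the chain is that a swapped binary cannot pass unless the attacker can also re-sign the Release file, which is exactly what the keyring requirement in the reply is protecting. A third-party repository whose Release file is unsigned, or signed by a key you have no reason to trust, gives none of this assurance no matter how well the hashes line up.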