[EMAIL PROTECTED] (Niels L. Ellegaard) writes:

> I have been looking at a few of the sites that offer unofficial
> debian packages, and I am somewhat confused about the security
> issues.

And that's a healthy attitude to take with unofficial packages (or even official ones if you run sid, which you shouldn't be unless you have some Debian experience and are willing to put up with the brokenness).

> I am not a great Linux guru, so I wonder how easy it would be to
> hide a rootkit in a binary package and submit it to apt-get.org or
> backports.org.

Trivial, though I don't know how long your listing will stay up once they get word that it's a dangerous source.

> Is this a serious risk or am I just being paranoid?

It *is* a risk; however, how much of one depends on the source. When in doubt, search Google's various parts (Groups, Web, News in particular) to see what others are saying about it. Groups tends to have the best discussion about such things (since it picks up not only the Debian mailing lists that get mirrored on USENET, but the rest of USENET as well). Web is good to search the various web discussions as well as any possible information about the sources in question. News will get places like Slashdot and mainstream news sources from the last couple of months. Obviously, if a site is appearing in the News category for the wrong reasons, it's not a source you want to go with.

> PS: I realize that I can often use apt-source, but I like plug-and-play :)

Huh? You don't get much more plug-n-play than apt...

-- 
Paul Johnson <[EMAIL PROTECTED]>
Linux. You can find a worse OS, but it costs more.