On Thu, 26 Oct 2000, Timothy Houck wrote:

> With such a system, I can see a whole new crop of cracker attacks as a
> result of such ever-user-friendly, "plug-and-play"ish packages.  IMHO,
> there is a point at which a system automates itself beyond a safe point --
> trying to be more friendly to inexperienced (lazy? maybe) users.  This is
> the whole reason we have ridiculous things like macro viruses.

There's a list of reasons why I think any attacks using this system are
unlikely:

1) Debian watches the security of its packages' out-of-the-box
configurations very closely. security.debian.org always contains the fixed
versions of packages with known vulnerabilities.
2) Debian chooses its maintainers very carefully. It takes five steps,
including a GPG key and a photo ID, plus a discussion of philosophy of
free software.
3) Installing a package requires conscious action by a user with root
access. It's not so simple as getting an e-mail and then suddenly your
system is infected/compromised.
4) While it is possible and practical for users to get packages from
places other than Debian's central repositories, this isn't standard
practice. For example, although you can install HelixGNOME on a Debian 2.2
(current stable release) system, from Helix's own repositories, the next
release of Debian will include GNOME 1.2 (a.k.a. HelixGNOME) in the
distribution itself. Any package repositories that are outside of Debian's
control tend to be only for bleeding-edge stuff, and then users are
strongly warned that "this could mess up your system. Be careful and don't
run with scissors when the moon is full at high tide." :)

All in all, I trust Debian to keep my packages more secure than if I'd
compiled them myself, since the maintainers have time to think through
security concerns. I still tweak configs and remove all unnecessary
servers, of course, but on the whole I don't see security as being a major
reason to argue against Debian's package management system.

That doesn't mean you don't have a valid point. I also tend not to trust
any organization to keep my systems secure. But Debian has proven itself
to me.

Anyways, enough of my opinions for now.

Pacem in Terris / Mir / Shanti / Salaam / Heiwa
Kevin R. Bullock


---------------------------------------------------------------------
To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
For additional commands, e-mail: tclug-list-help at mn-linux.org