[suse-security] Secure updating/installing of packages
Hello,
theoretically it is possible that modified packages for Linux
distributions are made available in order to create backdoors (e.g.
through a hacked server or mirror, wrong IP routing / DNS resolving, or
simply someone making available manipulated packages at a site under his
control).
I wonder how SuSE and other distros protect themselves against this threat.
An MD5 only offers protection if before updating/installation it is
checked against a list of packages and MD5s.
However, when updating this list, it has to be made sure that the update
comes from a trusted source and that it has not been tampered with.
I have been told that for some Debian packages there is not even an MD5.
At Gentoo I'm unsure if the list update is secure.
Who knows about SuSE (YOU + Yast)?
Thanks,
Christian
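An added illustration of the point raised in the message above (not part of the original post, and not any distribution's actual update code): a checksum list fetched from the same mirror as the packages passes even when both were replaced, while a list that is first checked against a trust anchor obtained over a separate channel does not. Assumptions: SHA-256 stands in for MD5, a pinned digest of the list stands in for a signature check, and all names and sample bytes are constructed.

```python
import hashlib
import hmac

def digest(data):
    return hashlib.sha256(data).hexdigest()

def build_manifest(packages):
    """Checksum list in 'hexdigest  filename' form, one line per package."""
    lines = (f"{digest(body)}  {name}\n" for name, body in sorted(packages.items()))
    return "".join(lines).encode()

def parse_manifest(manifest):
    entries = {}
    for line in manifest.decode().splitlines():
        if not line.strip():
            continue
        hexdigest, name = line.split(None, 1)
        entries[name] = hexdigest
    return entries

def verify_package(name, body, manifest, pinned_manifest_digest=None):
    """Return True only if the package matches the list and, when a pinned
    digest is supplied, the list itself matches that trust anchor."""
    if pinned_manifest_digest is not None:
        # Step 1: authenticate the checksum list before trusting any entry in it.
        if not hmac.compare_digest(digest(manifest), pinned_manifest_digest):
            return False
    # Step 2: check the package against its entry in the list.
    expected = parse_manifest(manifest).get(name)
    return expected is not None and hmac.compare_digest(digest(body), expected)

# Constructed sample data.
NAME = "example-1.0.rpm"
GENUINE = {NAME: b"genuine package bytes"}
GENUINE_MANIFEST = build_manifest(GENUINE)
# Assumption: this value reached the client over a separate trusted channel.
PINNED = digest(GENUINE_MANIFEST)
# A manipulated mirror serves a modified package and a regenerated list.
TAMPERED = {NAME: b"modified package bytes"}
TAMPERED_MANIFEST = build_manifest(TAMPERED)

def demo():
    return {
        "genuine, anchored list": verify_package(NAME, GENUINE[NAME], GENUINE_MANIFEST, PINNED),
        "tampered, list from mirror only": verify_package(NAME, TAMPERED[NAME], TAMPERED_MANIFEST),
        "tampered, anchored list": verify_package(NAME, TAMPERED[NAME], TAMPERED_MANIFEST, PINNED),
        "tampered package, genuine list": verify_package(NAME, TAMPERED[NAME], GENUINE_MANIFEST, PINNED),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The second case is the one the message worries about: without an independently trusted anchor, the modified package is accepted because its checksum list was replaced along with it.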