[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[suse-security] Secure updating/installing of packages
theoretically it is possible that modified packages for Linux
distributions are made available in order to create backdoors (e.g.
through a hacked server or mirror, wrong IP routing / DNS resolving, or
simply someone making available manipulated packages at a site under his
I wonder how SuSE and other distros protect themselves against this threat.
A MD5 only offers protection if before updating/installation it is
checked against a list of packages and MD5's.
However, when updating this list, it has to be made sure that the update
comes from a trusted source and that it has not been tampered with.
I have been told that for some Debian packages there is not even a MD5.
At Gentoo I'm unsure if the list update is secure.
Who knows about SuSE (YOU + Yast)?
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here