[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [suse-security] Secure updating/installing of packages
Quoting Lars Ellenberg <l.g.e@xxxxxx>:
> >
> > All SuSE packages are cryptographically signed with the SuSE build key
> > (build@xxxxxxx). It is automatically installed from the CDs.
> >
> > In addition to that, fou4s (http://fou4s.gaugusch.at/) allows you to
> > install packages that are signed with fully trusted keys, apart from the
> > SuSE key.
>
> sure. but part of the question is,
> how does SuSE ensure that what they distribute ist not trojaned
> because the sources of some upstream package already are trojaned?
>
> well, I think to some degree you have to trust _someone_ .
> I like to trust the SuSE people that they know their business,
> and do some audits. but knowing about the details how they ensure
> integrity of upstream package sources would be nice anyways ...
>
All SuSE packages are built by SuSE. Security updates are patched by SuSE and
rebuilt in order to keep versions matching. In cases where a new version is
released to fix a security bug, SuSE backports the patch manually. Redhat also
does this, and likely most of the other big linux vendors. If there's a trojan
in those patches, somebody's likely to notice.
Is it conceivable that a trojaned package could get through? Sure, it's
possible. But then, even major closed source vendors have occasionally shipped
a product infected with a virus. And, in this case, it would have to be the
author of the package that deliberately puts the trojan in. Once found, no one
will ever trust that author again, so no programmer is willing to risk it,
because it will be found and posted on bugtraq eventually.
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here