Why distribution packages are a good idea



Wolki
September 21st, 2005, 03:47 PM
Take a look here: http://www.viruslist.com/en/weblog?calendar=2005-09

There are some inaccuracies in the article, but it's still clear that you should not trust everything on the net, even if it seems to come from a source you would trust. With Linux becoming more popular, it'll be even more important to have trustworthy distributions; everything else is a security risk.

papangul
September 21st, 2005, 04:00 PM
Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.
I had an impression that only Linux mail servers need to have anti-virus solutions. Do I need to install anti-virus programs for Ubuntu also ??!!

Wolki
September 21st, 2005, 04:11 PM
I had an impression that only Linux mail servers need to have anti-virus solutions. Do I need to install anti-virus programs for Ubuntu also ??!!

Do you install software from outside the Ubuntu repositories? If so, it could be a good idea, but probably not necessary. There is a very, very small number of Linux viruses, and they are rare. Making software "easier" to install (all the distribution-independent package things) will of course make installing (and thus distribution of) malware easier. Being aware of security issues is important and will become more important as Linux becomes popular.

Kvark
September 21st, 2005, 04:22 PM
That's a mirror that was infected. Always check the download against an MD5 checksum on the official site or in worst case on another mirror.

An Ubuntu or backport mirror could be infected just as well as a Mozilla mirror. Then a lot of people would download the new infected version quickly thanks to the update notifier. But synaptic seems to automatically check against MD5 sums. If that's the case then both the download mirror and the server with the checksums would need to be compromised.

I think there will eventually be a need for download programs that have a list of checksum servers that they check each download against to see if it is on any blacklists or whitelists. Ubuntu, Mepis and the other distros as well as security companies could probably have checksum servers with huge black/white lists. That way it wouldn't be enough to infect a mirror. There'd be a whole load of independent servers to infect before you could get anyone to download the virus or trojan.
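
Added example, not part of any post in this thread: a sketch of the multi-source checksum check described in the post above, where a download is accepted only when enough independent sources publish the same digest and none contradicts them. The source names, the quorum of 2 and the sample data are assumptions; it uses SHA-256 rather than the MD5 named in the post, because MD5 is no longer collision resistant.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_download(data, published, quorum=2, blacklist=frozenset()):
    """Check a download against digests published by independent sources.

    published: {source name: hex digest, or None if the source has no entry}.
    Returns (verdict, agreeing sources, disagreeing sources).
    """
    actual = sha256_hex(data)
    answers = {s: d.strip().lower() for s, d in published.items() if d}
    agree = sorted(s for s, d in answers.items()
                   if hmac.compare_digest(d, actual))
    differ = sorted(set(answers) - set(agree))
    if actual in blacklist:
        return "reject", agree, differ      # known-bad file, whoever vouches
    if len(agree) >= quorum and not differ:
        return "accept", agree, differ
    if len(agree) < quorum and differ:
        return "reject", agree, differ      # file matches too few sources
    # Too few answers, or the sources contradict each other: review by hand.
    return "suspect", agree, differ

# Constructed sample data: stand-ins for a package and a modified copy.
GOOD = b"constructed package contents v1.0\n"
TAMPERED = b"constructed package contents v1.0 (modified)\n"

def demo():
    good, bad = sha256_hex(GOOD), sha256_hex(TAMPERED)
    honest = {"official-site": good, "mirror-a": good, "third-party": good}
    # The mirror serves a modified file AND a checksum file that matches it.
    bad_mirror = {"official-site": good, "mirror-a": bad, "third-party": good}
    return {
        "clean": verify_download(GOOD, honest),
        "bad_mirror": verify_download(TAMPERED, bad_mirror),
        "split": verify_download(GOOD, bad_mirror),
        "one_answer": verify_download(GOOD, {"official-site": good,
                                             "mirror-a": None}),
        "blacklisted": verify_download(TAMPERED, {"mirror-a": bad,
                                                  "mirror-b": bad},
                                       blacklist={bad}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A checksum fetched from the same mirror as the file counts as one source at most, which is why the `bad_mirror` case is rejected even though the file matches the mirror's own checksum.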

papangul
September 21st, 2005, 05:11 PM
Do you install software from outside the ubuntu repositories?
I followed instructions in ubuntuguide.org to add many repositories in my sources.list file, most probably some of them are not official ubuntu repositories. Frankly, I am pissed off by this repository stuff.

Wolki
September 21st, 2005, 05:51 PM
I followed instructions in ubuntuguide.org to add many repositories in my sources.list file, most probably some of them are not official ubuntu repositories. Frankly, I am pissed off by this repository stuff.

Ubuntuguide recommends only official + backports repos. You can consider them safe (especially now that backports is becoming official). The problem is random .debs or source code found on the internet.

Repositories mean that Ubuntu guarantees the content is relatively safe (may contain bugs of course ^^;; and a corrupted mirror like Kvark said could still be possible). Without repositories you lose that safety.

poofyhairguy
September 21st, 2005, 06:01 PM
Frankly, I am pissed off by this repository stuff.

Don't hold back. Tell us your true feelings!

az
September 21st, 2005, 06:20 PM
I followed instructions in ubuntuguide.org to add many repositories in my sources.list file, most probably some of them are not official ubuntu repositories. Frankly, I am pissed off by this repository stuff.


So what do you want? To go to a homepage for an application and install it from there? You can do that. You will just have to compile it yourself, using your system's own libraries. You see, since there is so much choice around, there are many ways to do things. The person who wrote the application cannot possibly know what your computer runs or what it is going to run. And frankly, she shouldn't.

It is far easier for developers to interface at the source code level than at the binary level. In other operating systems, there is only one way to do things, so only one kind of binary package is needed.

Now, this is an oversimplification of the issue, but it boils down to you getting *more* choice at the end of the day.

poofyhairguy
September 21st, 2005, 07:55 PM
So what do you want? To go to a homepage for an application and install it from there? You can do that. You will just have to compile it yourself, using your system's own libraries.

The universal installer for Linux is a tar file.

papangul
September 22nd, 2005, 01:39 AM
There was a misunderstanding here as I didn't elaborate, I meant I was pissed off (due to fear of malware being installed from "unofficial repository") when I added additional repositories following ubuntuguide.org. Ideally I shouldn't need to mess with the sources.list file except before dist-upgrading.

zenwhen
September 22nd, 2005, 05:21 AM
There was a misunderstanding here as I didn't elaborate, I meant I was pissed off (due to fear of malware being installed from "unofficial repository") when I added additional repositories following ubuntuguide.org. Ideally I shouldn't need to mess with the sources.list file except before dist-upgrading.


Ideally, there wouldn't be any restrictive licenses in this world that keep the software in those repos out of our main distribution.

stimpack
September 22nd, 2005, 11:40 AM
Hopefully finer grained security such as SELinux will help the silly situation we are in at the moment with the archaic system of only installing from trusted sources, sounds exactly like Windows to me.

Any program I install should NOT be able to affect anything apart from itself, let alone require root that is just crazy. And even with user level access trashing my home dir is not acceptable either, much much finer control needed methinks.

papangul
September 22nd, 2005, 11:47 AM
Hopefully finer grained security such as SELinux will help the silly situation we are in at the moment with the archaic system of only installing from trusted sources, sounds exactly like Windows to me.

Any program I install should NOT be able to affect anything apart from itself, let alone require root that is just crazy. And even with user level access trashing my home dir is not acceptable either, much much finer control needed methinks.
That sounds great!

Wolki
September 22nd, 2005, 03:00 PM
Hopefully finer grained security such as SELinux will help the silly situation we are in at the moment with the archaic system of only installing from trusted sources, sounds exactly like Windows to me.

Any program I install should NOT be able to affect anything apart from itself, let alone require root that is just crazy. And even with user level access trashing my home dir is not acceptable either, much much finer control needed methinks.

I thought about this yesterday, too. You can already run programs as a different user, and that user can have the rights to write nowhere.
But it's still not a perfect solution. Giving out text editors that cannot edit files will not go over well. Or take music players; people will complain if a player doesn't support tag editing. You could have an additional system dialog asking for confirmation each time you edit a file, which will seem very tedious to users; or give it write access to your entire music library, at which point it can delete them all.
The problem is that the only easy way to manage security risks would be a tcpa-like solution, and we certainly don't want that. But we can't force users to micromanage file access rights; they'd just run as root the whole time because it'll be more "user-friendly". :?