
Thread: Untrusted Repositories

  1. #41
    Join Date
    Oct 2005
    Location
    Rome, Ga
    Beans
    2,339
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Untrusted Repositories

    Java, wine, media codecs, beryl of course, and many lib files are what I remember seeing upgraded. The lib files themselves... well, that could be anything, really.

    And yes, I am thankful that the wallpaper was there! Nice wakeup call for sure, but the other problems totally spooked me. Had it only been the wallpaper with no other indication of anything being wrong, I'd have most likely stuck it out and been of more help to others. Sooo, ... under the circumstance, thank goodness for the wallpaper, huh?

    I would like to make clear at this time, that my intentions in posting have been to throw up a red flag and alert people to what happened "just in case". At any time if I sounded accusatory at all, I want to clear that up. Trevino is just trying to be helpful, for sure.

  2. #42
    Join Date
    Jun 2006
    Beans
    2,310
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Untrusted Repositories

    Originally posted by cjwatson:
    [...]It's possibly worth noting that our package management system has never really supported downgrades properly (at least not without very significant care in the maintainer scripts, which in practice developers don't generally take). Undoing whatever damage was caused here would require somebody to install everything in a sandbox, downgrade all the packages again, and then work out what changes need to be reverted manually ...
    What sort of work is being done by devs like yourself to mitigate these issues? A new and improved, or at least updated, package management system?

  3. #43
    Join Date
    Apr 2006
    Beans
    7
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Untrusted Repositories

    OK, I had the same problem with trevino's repo list and my wallpaper being set to the skull and not being able to change it, but I believe I have fixed the issue.

    remove the text from /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml

    then gconftool-2 --shutdown

  4. #44
    Join Date
    Dec 2005
    Beans
    Hidden!
    Distro
    Gutsy Gibbon Testing

    Re: Untrusted Repositories


  5. #45
    Join Date
    Aug 2006
    Beans
    6

    Re: Untrusted Repositories

    Is there a way in synaptic or apt-get to show what repository a package is coming from? Using some of these bleeding edge repositories has got me thinking about this a lot lately. For example, I can't find any notice in synaptic for whether the repository I added for a music player is upgrading some patched core gnome file. I understand that it would not be ideal to limit a repository to a specific set of packages when you add it. But what is there to stop any of the added repositories from upgrading any other package?

    If you got some notice that a repository that you added for a beryl plugin of the month build was upgrading your wifi drivers or whatever, I think that would go a long way to minimizing the damage of this kind of breach. I'm a relative noob, so if I'm missing something here please let me know.
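
On the question in post #45 of how to see which repository a package comes from: `apt-cache policy` lists, for each package, the candidate version and the repositories offering each version. The script below is an added example, not part of any post in this thread; it parses that output and reports packages whose upgrade candidate is offered only by hosts outside an allowlist. The `TRUSTED_HOSTS` value, the function names and the sample data (including `repo.example.invalid`) are assumptions made for illustration.

```shell
# Added example (not from the thread). On a real system, feed the function with:
#   apt-cache policy $(dpkg-query -W -f='${Package}\n') | flag_untrusted_candidates
TRUSTED_HOSTS="archive.ubuntu.com security.ubuntu.com"  # assumption: official mirrors

# Print "package candidate-version origin" for each package whose upgrade
# candidate is offered only by hosts outside TRUSTED_HOSTS.
flag_untrusted_candidates() {
    awk -v trusted="$TRUSTED_HOSTS" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) is_trusted[t[i]] = 1 }
    function report() { if (pkg != "" && seen && !ok) print pkg, cand, origin }
    /^[^ ].*:$/ {                          # "name:" opens a new package stanza
        report(); pkg = substr($0, 1, length($0) - 1)
        cand = cur = origin = ""; seen = ok = 0; next
    }
    /^  Candidate:/ { cand = $2; next }
    # Version line; "***" marks the installed version.
    /^( \*\*\*|    ) [^ ]/ { cur = ($1 == "***") ? $2 : $1; next }
    /^        [0-9-]/ && cand != "" && cur == cand {   # source offering the candidate
        if ($2 ~ /^\//) next               # /var/lib/dpkg/status is not a repository
        seen = 1
        split($2, url, "/")                # scheme://host/path: url[3] is the host
        if (url[3] in is_trusted) ok = 1
        else if (origin == "") origin = $2
    }
    END { report() }'
}

# Constructed apt-cache policy output; versions and repo.example.invalid are made up.
sample_policy() {
cat <<'EOF'
gnome-panel:
  Installed: 1.0-1
  Candidate: 1.0-1+custom1
  Version table:
     1.0-1+custom1 0
        500 http://repo.example.invalid edgy/main Packages
 *** 1.0-1 0
        500 http://archive.ubuntu.com edgy/main Packages
        100 /var/lib/dpkg/status
libc6:
  Installed: 2.0-1
  Candidate: 2.0-1
  Version table:
 *** 2.0-1 0
        500 http://archive.ubuntu.com edgy/main Packages
        100 /var/lib/dpkg/status
EOF
}
sample_policy | flag_untrusted_candidates
```

Run before an upgrade, a non-empty report is the notice the post asks for: a package about to be replaced by a version that no official mirror offers.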

  6. #46
    Join Date
    Oct 2005
    Location
    Rome, Ga
    Beans
    2,339
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Untrusted Repositories

    Originally posted by zas:
    Is there a way in synaptic or apt-get to show what repository a package is coming from? Using some of these bleeding edge repositories has got me thinking about this a lot lately. For example, I can't find any notice in synaptic for whether the repository I added for a music player is upgrading some patched core gnome file. I understand that it would not be ideal to limit a repository to a specific set of packages when you add it. But what is there to stop any of the added repositories from upgrading any other package?

    If you got some notice that a repository that you added for a beryl plugin of the month build was upgrading your wifi drivers or whatever, I think that would go a long way to minimizing the damage of this kind of breach. I'm a relative noob, so if I'm missing something here please let me know.
    You, and only you are the one in charge of your repos. And that's the whole point. I saw that flame effect in beryl a long while back and have been itching to get it, and was looking all over when I finally found that trevino had a repo listed that would get me the new beryl. My bad, because Price Child had already posted repos in his excellent thread, I just missed them. If I'd have been patient, I'd not have had the problem.

  7. #47
    Join Date
    Dec 2004
    Beans
    743
    Distro
    Edgy Eft Testing

    Re: Untrusted Repositories

    I'd hate to say it, but I agree with the one who made the wallpaper. Simply put, I was wondering why the hell Trevino had that huge sources.list anyhow, generally speaking when you start getting that many third party repositories, it breaks a lot of things. I really only wanted the Beryl-svn and the linux-restricted-modules for the new nvidia driver. There were at least three different versions of the linux-restricted-modules within the sources.list repositories, which is just plain stupid. There were also at least two different Frozen Bubble 2 packages, etc. Duplicate packages from repositories is NOT a good idea in general.

    All these different repositories should actually try to combine themselves and put it on a 'experimental' server, in which people can do code audits. Or there should be submissions to the official repositories.

    This whole "Ooh, there's a scary cult that is controlling our software!" is Bull crap. You honestly don't WANT a list of that many repositories, as already stated, you will start having far too many dependency and conflicting problems.

    Leech
    Wah! Wah! Life was more entertaining when I had 64KB of RAM in my computer.
    Neverwinter Nights Platinum HowTo

  8. #48
    Join Date
    Apr 2006
    Beans
    6

    Re: Untrusted Repositories

    If one wants to downgrade the programs which had been updated through "untrusted repositories" then perhaps if one comments all those repositories, and then opens up synaptic and goes to status and highlight "Installed (local or obsolete)", he or she could then go through each program and library and downgrade them to edgy's version.

  9. #49
    Join Date
    Nov 2005
    Location
    Italy
    Beans
    299
    Distro
    Ubuntu Development Release

    Re: Untrusted Repositories

    Well... Finally I'm here...

    First of all... The wallpaper modification you've got isn't due to my repositories. With «my repositories» I mean the only listed here: http://3v1n0.tuxfamily.org/index.html (those that I really built); so what you see in that html-front end is what I really have in my repo... You only have to check!

    The author of this hack is Jοhan Kiviniemi who wanted to demonstrate what everyone can do with a repository... A very known thing, but actually never (?) tested on ubuntu...

    My known Ubuntu Edgy Eft (6.10) Repository List (sources.list) listed his repo (I've found that on the web... So after looking what it was packaged there I added to the list also if it was a small repo)... I couldn't know that "Ion" would have used his space to "break" (just graphically, fortunately) the systems of the users using his repo.

    The packages provided using the list above haven't made any other "damage" (I've installed all the packages provided, except the ones which made this and I've no problems; no /etc/fstab or /etc/sudoers have been edited...); so I think that we can trust on these repositories, btw anyone must always know what he does....
    So, don't demonize me, please... Just use your mind before any action... I can't know/imagine what other people have in their minds about their repositories...

    My list is always on, I cleaned it a little, btw the majority of the repositories listed there are really very known in this forum (most are here...) and in the ubuntu community; as I've said use that at your own risk, btw you can always use it only to see the repo available that you may add...

    And, again, remember that the repositories I maintain are, and will always be, “clean”.
    Last edited by Treviño; November 14th, 2006 at 01:36 AM. Reason: typo

  10. #50
    Join Date
    Oct 2005
    Location
    Rome, Ga
    Beans
    2,339
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Untrusted Repositories

    Thank you, Trevino. I tried to make it plain that it is my fault for plowing through without thinking, and not come across as blaming you or anyone, but I was a bit excited as it all unfolded.
