Attacks on package managers
Posted Apr 10, 2009 1:07 UTC (Fri) by Alan_Hicks
Parent article: Attacks on package managers
What in the world?! Slaktool is not the package management utility used by Slackware! In fact, it isn't even included in Slackware!
Justin Samuel said that he has the impression that the Slackware community is not currently focused on securing their package manager
It would help if he had actually reviewed pkgtool and its supporting utilities like installpkg and upgradepkg, which are the real package manager for Slackware, rather than some unsupported and (at least to me, a member of the Slackware core team) unheard-of tool. There are lots of these third party tools, but few are included in Slackware. In fact, until very recently none were real parts of Slackware and had only ever been included in the extra/ subset, which is reserved for packages that aren't for testing/ but aren't yet dubbed worthy of being included in one of the disksets for various reasons.
Now, the -current branch includes slackpkg, which is the only utility ever officially supported by Slackware or the "Slackware community" that handles automatic download and install/upgrade of packages. This seems to me to be the method by which most such vulnerabilities could be exploited. Traditionally, packages had to be downloaded via another utility such as wget, then the user could verify the md5sum or the integrity against a .asc file using RSA. slackpkg should support this in the future. It currently is capable only of downloading the GPG public key used to sign the packages. Future versions of slackpkg should be able to check the downloaded package against the RSA signature in the .asc files and the project's public key.
So in short, Mr. Samuel is dead wrong on a number of levels for simply reviewing the wrong thing. This causes me to question how much diligence he put forth into this review. Had he taken the time to determine what is actually included in Slackware and supported by the community, he might have taken away an entirely different impression.
P.S. Shame on the editors for not catching that Slaktool isn't a part of Slackware at all, but that's forgivable. After all, this is still the damned best source for news in the open source community.
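The manual verification step the comment describes (fetch the package, then check its md5sum and its detached .asc signature before running installpkg), written out as an added example that is not part of the comment or of Slackware's own tooling. It assumes the signature sits beside the package as `package.asc` and that the expected md5 is taken from a CHECKSUMS.md5-style listing; the sample file is constructed inline.

```shell
#!/bin/sh
# Added example: gate installation on both checks the comment mentions.
# Assumptions: detached signature is "$pkg.asc"; the expected digest is
# the hex md5 from a CHECKSUMS.md5-style line ("<md5>  <filename>").

# Compare the package's md5 with the expected digest.
# Returns 0 on match, 1 on mismatch; prints nothing.
verify_md5() {
    pkg="$1"; expected="$2"
    actual=$(md5sum "$pkg" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Verify the detached GPG signature against the local keyring (the
# project's public key must already be imported). Returns gpg's exit
# status: 0 only for a good signature from a known key.
verify_sig() {
    pkg="$1"
    gpg --batch --verify "$pkg.asc" "$pkg" 2>/dev/null
}

# Run both checks and refuse the package if either fails; only a
# package that passes both should ever be handed to installpkg.
check_package() {
    pkg="$1"; expected="$2"
    if ! verify_md5 "$pkg" "$expected"; then
        echo "md5 mismatch for $pkg, refusing to install" >&2
        return 1
    fi
    if ! verify_sig "$pkg"; then
        echo "bad or missing signature for $pkg, refusing to install" >&2
        return 1
    fi
    echo "$pkg verified"
}

# Demo on a constructed file standing in for a downloaded package.
demo_pkg=$(mktemp)
printf 'constructed package body\n' > "$demo_pkg"
demo_md5=$(md5sum "$demo_pkg" | cut -d' ' -f1)
verify_md5 "$demo_pkg" "$demo_md5" && echo "md5 ok for constructed sample"
rm -f "$demo_pkg"
```

A matching md5 only proves the download was not corrupted or swapped relative to the checksum list; the signature check is what ties the package to the project's key.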