
Letters to the editor

gwdg.de contains unsigned rpms: risk of apt repository compromise?

From:  Timur <>
To:  letters-AT-lwn.net
Subject:  gwdg.de contains unsigned rpms: risk of apt repository compromise?
Date:  Tue, 16 Mar 2004 02:41:12 -0800 (PST)

Dear Editor,
 
I found out recently that there is an increasing
number of RPMs in the apt repository on gwdg.de which are
not signed. The apt repository on gwdg is very useful
since it allows people to automagically update their
distribution with the latest packages (as you reported in
one of your articles).
 
The lack of RPM signatures generates two issues:
 
a - packages cannot be installed via apt (latest
apt/apt-libs/synaptic refuse to install unsigned
RPMs): it is annoying but a minor issue since you can
always install the downloaded package via rpm -Uhv
 
b - potentially VERY important - we could risk a
situation similar to debian where compromised packages
(i.e. with Trojan horses) are spread on our Linux
systems
 
Is there any reason for having unsigned packages? Is
there a risk that our repository has been
compromised?
 
Maybe I'm too paranoid, but I think it is better to
verify it... Can you eventually ask it on your weekly
document?
If there is no issue then I think that the maintainer
of those packages should start to sign the RPMs once
again...
 
regards,
Timur
 
Note: if possible I would prefer that my address
doesn't appear in your magazine.
 

Comments (1 posted)
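A small checker in the spirit of the letter's points (a) and (b), added here as an example and not part of the letter or of the gwdg.de repository: it classifies the output of `rpm -K` (`rpm --checksig`) so that unsigned packages, packages whose signer key is not imported, and packages that fail verification are reported separately rather than lumped together. The sample output lines are constructed, and the two output formats it recognises (rpm 4.x of the period and rpm 4.14+) are assumed from memory of those releases.

```python
"""Classify `rpm -K` / `rpm --checksig` output lines by signature status."""
import re
from collections import Counter

# Constructed sample output, not captured from gwdg.de or any real repository.
# Lines 1-4 imitate rpm 4.x (2004 era); lines 5-7 imitate rpm 4.14+ output.
SAMPLE_OUTPUT = """\
apt-0.5.15cnc5-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
synaptic-0.47-1.i386.rpm: sha1 md5 OK
kernel-2.6.3-4.i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0bdbd3c2)
glibc-2.3.3-1.i386.rpm: (SHA1) DSA SHA1 MD5 GPG NOT OK
bash-5.1.8-2.x86_64.rpm: digests signatures OK
vim-8.2-1.x86_64.rpm: digests OK
curl-7.76.1-1.x86_64.rpm: digests SIGNATURES NOT OK
"""

# Tokens whose presence means an OpenPGP signature was checked, not just digests.
SIG_TOKENS = {"gpg", "pgp", "dsa", "rsa", "signatures"}


def classify_line(line):
    """Return (package, verdict) for one `rpm -K` output line.

    verdict is one of:
      'signed'       digests and signature verified against an imported key
      'unsigned'     digests fine, but the package carries no OpenPGP signature
      'missing-key'  a signature is present but the signer's key is not imported
      'bad'          a digest or signature check failed: do not install
    """
    package, _, status = line.partition(": ")
    lowered = status.lower()
    # Normalise "(gpg)" / "(sha1)" to bare tokens before inspecting them.
    tokens = {re.sub(r"[()]", "", t) for t in lowered.split()}
    if "missing keys" in lowered:
        return package, "missing-key"
    if "not ok" in lowered:
        return package, "bad"
    if tokens & SIG_TOKENS:
        return package, "signed"
    return package, "unsigned"


def audit(output):
    """Classify every non-empty line; return (Counter of verdicts, packages not verified as signed)."""
    verdicts = [classify_line(l) for l in output.splitlines() if l.strip()]
    counts = Counter(v for _, v in verdicts)
    flagged = [p for p, v in verdicts if v != "signed"]
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_OUTPUT)
    for verdict, n in sorted(counts.items()):
        print(f"{verdict:12s} {n}")
    print("not verified as signed:", *flagged, sep="\n  ")
```

In practice the input would be `rpm -K *.rpm` run over a mirror directory; only the 'signed' class is safe to feed to an installer, and a growing 'unsigned' count is exactly the symptom the letter describes.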

You've been misled a bit here and there, Jim

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  jim_kerstetter-AT-businessweek.com
Subject:  You've been misled a bit here and there, Jim
Date:  Fri, 12 Mar 2004 09:34:55 +0800
Cc:  letters-AT-lwn.net

Quoting:
http://www.businessweek.com/technology/content/mar2004/tc20040311_8915_tc119.htm
 
> Goldfarb wouldn't identify the executives, but says neither Chairman William
> Gates nor CEO Steve Ballmer were among them.
 
Hint: Paul Allen's company Vulcan Capital is BayStar's biggest investor.
Follow the money.
 
> SCO says it inherited control of the original Unix computer server software
> developed at Bell Labs more than 30 years.
 
TSG's (The SCO Group's) own website states that The Open Group own both the
UNIX and UNIXWARE trademarks. The Copyright office have no record of any
copyrights being conveyed to TSG, TSG own no UNIX-related patents, and TSG
have dropped all claim to trade secrets in their suit against IBM - so what
"control" remains to them? TSG-as-Caldera released a good deal of their
foundations in the "Ancient Unix" sources and elsewhere, too.
 
Contractual rights? But I've signed no contract with them, and nor have Red
Hat, Mandrake, or any other Linux distributor that I know of.
 
> On March 3, 2004, SCO upped the ante, filing suit against two big corporate
> users of Linux software, AutoZone (AZO) and DaimlerChrysler (DCX).
 
The suits aren't actually about Linux. One is about breach of contract and the
other is about the WABI libraries. While this statement is in strict terms
correct, it does leave a very misleading impression.
 
In terms of Linux end users, TSG have so far limited themselves to suing their
own customers (a brilliant business model, no? their shares seem to be losing
a bit under a dollar a day as I type), which represents a rapidly dwindling
pool of targets, and certainly won't encourage new signatories.
 
> Microsoft was also one of the first companies to buy into SCO's licensing
> program, taking two licenses from SCO worth more than $12 million
 
Each. At least.
 
Microsoft have hereby caused themselves a problem. They've so far been unable
to point to any of their own software which justifies that purchase.
 
> Other big tech companies, including Sun Microsystems (SUNW) and Computer
> Associates International (CA), have also bought licenses from SCO.
 
CA hasn't bought a "Linux licence"; what they did buy was UnixWare licenses as
a part of a settlement with The Canopy Group, TSG's parent.
 
Sun hasn't bought a "Linux license" either, just insured their own products
against suit. Solaris is unquestionably derived from System V Unix - which,
it seems, is actually owned by Novell. TSG are at best renting it from them.
 
EV1 nee RackShack did in fact buy a "Linux licence", then TSG publicly lied
about the terms of purchase ("worth upwards of seven figures" when in real
life the amount was apparently in the five-figure range) and roughly a
quarter of EV1's rack customers (so far) have abandoned them for other
hosting providers.
 
Remember that "the Linux community" includes everyone from Joe Random
Thirdworlder squeezing in computer time whenever the generator's up and
burning incense to the gods of journalling filesystems, through many small
(iLaw, CyberSource) and medium sized (Google, SGI) companies to behemoths
like Hewlett-Packard and IBM and even governments. Red Flag Linux is
effectively China's Linux distribution, supported by a government ruling one
and a half billion people. We're not just a gaggle of wild-eyed teenagers,
dole bludgers and retirees; we field scientists, engineers, Admirals and
Generals, millionaire investors, teachers and sometimes even graphic
designers.
 
Cheers; Leon

Comments (2 posted)

Page editor: Jonathan Corbet


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds