He makes a very good point

Posted by: Anonymous Coward on February 16, 2007 04:44 PM

"I currently have 2,100 Debian packages installed. Every time I update my computer, the authors of every one of these packages get to run a shell script of their choice as root on my machine -- even the maintainers of documentation packages, or of packages I installed months ago and never ran again. Even if I trust the packagers to this extent, what about the risk that one of them has their machine compromised?"

And he goes on to remark that Ubuntu will install an unsigned .deb from the web without mentioning security at all. This is a security disaster waiting to happen. As soon as any GNU/Linux distro gets a significant share of the total desktop market, look out for the bad guys to start exploiting this. Steve Ballmer will have a field day pointing out that "Linux" is less secure than Windows. Of course Linux is pretty secure and GNU is pretty secure; but the packaging systems used by nearly all distros make the user bypass all security, so his message will be believed.
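To make the quoted point concrete, here is an added example (not from the commenter, the article, or the Zero Install project) in Python: it parses the `ar` container of a .deb and returns the maintainer scripts that dpkg would execute as root, building a small constructed package in memory so it runs offline. The package name and script contents are made up for the demonstration.

```python
import io, tarfile

# The dpkg maintainer-script hooks; dpkg runs each of them as root.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

def _ar_member(name, data):
    """One member of a classic 'ar' archive: 60-byte header, data, pad to even length."""
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def _targz(files):
    """Pack {name: bytes} as gzip'd tar, the layout dpkg uses for control.tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(content), 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_deb(control_files):
    """Constructed minimal .deb: ar(debian-binary, control.tar.gz, data.tar.gz)."""
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _targz(control_files))
            + _ar_member("data.tar.gz", _targz({})))

def maintainer_scripts(deb_bytes):
    """Return {script_name: source} for the maintainer scripts in a .deb's control
    member, i.e. exactly the code dpkg would execute as root on install/remove."""
    if not deb_bytes.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive, so not a .deb")
    pos = 8
    while pos + 60 <= len(deb_bytes):
        hdr = deb_bytes[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58])
        body = deb_bytes[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members start on even offsets
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
                return {m.name.lstrip("./"): tar.extractfile(m).read().decode()
                        for m in tar.getmembers()
                        if m.isfile() and m.name.lstrip("./") in MAINTAINER_SCRIPTS}
    return {}

# Constructed sample: a "documentation-only" package that still ships a root-run postinst.
SAMPLE_DEB = build_deb({"control": b"Package: demo-doc\nVersion: 1.0\n",
                        "postinst": b"#!/bin/sh\nset -e\necho 'configuring demo-doc'\n"})
```

Reading the returned scripts before installing a package fetched from the web is the manual check the "unsigned .deb" complaint calls for; on a real system `dpkg-deb -e` extracts the same control member to a directory.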


Return to Zero Install: An executable critique of native package systems