Security of compiling and installing many things yourself.
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Security of compiling and installing many things yourself.
What kind of difference is there in security if you compile and install things yourself regularly? Some programs they release patches for. Other programs are just updated to the next version. What do you do if you compile and install things yourself regularly to make sure you don't have security problems caused by it? Do you really need to?
Security is much better, theoretically, if you read and understood all the source code, as you would be able to know there are no backdoors and do your own security audit. In practice, most security is gained by (1) using the unix security model, ie permissions, correctly (2) not downloading things you don't understand from sites you don't trust (3) at least checking the GPG on things you do download. Do you need to to? Like any security, including home security, that depends entirely on what you're protecting and what your risk tolerance is.
Well, that or MD5 hashs. The point is, trust but verify. Trust Allah but tie up your camel. Something like that.
Here's an example: Let's say I was downloading from my favorite site http://slackware.cs.utah.edu/pub/slackware
Looking at one of the CHECKSUM files, it says this:
Quote:
These are the MD5 message digests for the files in this directory.
If you want to test your files, use 'md5sum' and compare the values to
the ones listed here.
To test all these files, use this command:
md5sum -c CHECKSUMS.md5 | less
'md5sum' can be found in the GNU coreutils package on ftp.gnu.org in
/pub/gnu, or at any GNU mirror site.
By doing this also compression takes place. This means that the result is not legible. If you want a legible result you can use:
gpg --clearsign [Data]
this will make sure that the results are clearly legible. Furthermore it does the same (signing data).
With
gpg -b (or --detach-sign) [Data]
you can write the signature in a separate file. It is highly recommended to use this option especially when signing binary files (like archives for instance). Also the --armor option can be extremely useful here.
Quite often you find that data is encrypted and signed as well. The full instruction looks like:
The functionality of the options -u (--local-user) and -r (--recipient) are as described before.
When encrypted data has been signed as well, the signature is checked when the data is decrypted. You can check the signature of signed data by using the command:
gpg [--verify] [Data]
This will only work (of course) when you own the public key of the sender.
I thought it was less complicated than it is. I tried doing this with SDL. I ran
Code:
gpg --verify blahblah.tar.gz.sig
then I tried
Code:
gpg --verify blahblah.tar.gz.sig blahblah.tar.gz
and something else.
I have no idea what I'm supposed to do other than that, so I'm going to give up on it until I read more.
---
I was thinking that maybe security would be weakened by downloading and compiling and installing things yourself, possibly.
It could be weakened timewise. If you download & compile from source, then every time there is an update, you have to find time to do it.
The more apps/tools you do that for, the longer that'll take, multiplied by the number of machines (unless identical).
Also multiply by time taken to read & check/think about the src code changes. Unless you are a really(!) sharp programmer, its unlikely you'll spot something no-one else has.
OTOH, if you stick to reliable srcs eg centos/rhel repos, then you can just run yum update and you're done.
There's also the possibility that you'll custom compile/link it slightly differently to the expected way, which theoretically could lessen the security.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
