LinuxQuestions.org
Old 06-09-2005, 10:34 AM   #1
little_penguin
Member
 
Registered: Nov 2004
Location: Scotland
Distribution: Suse 10 - Running KDE
Posts: 314

Rep: Reputation: 30
Are mirrors a security risk??


Okay, I'm still learning about Linux, so maybe I have got this a little wrong, but this is what is concerning me -

Problem 1
If I download a program from SourceForge, the download comes from a mirror. Who is it that controls these mirrors? If it isn't the developers, couldn't the packages have been tampered with?

Problem 2
I download security updates from YaST Online Update; again, I can do that from a bunch of mirrors. Couldn't the same problem arise here?

Problem 3
I use YaST to point to RPM download locations like Packman or the like that have a huge list of packages. This is great because it makes all the stuff easy to install, but again, isn't there a security risk with this? Couldn't all of these packages have been tampered with?

So far I have only downloaded RPMs using YaST from the official SUSE FTP site because I am worried about the above risks, but it is beginning to become very restrictive and I can't get the software I need. Anyone got any ideas about the above problems?

Maybe I am worrying about nothing with this - it would be good to know either way.

If these are real problems, isn't there a chance of Linux becoming a prime target for insecurity, as we all believe it is too secure for that to ever happen? Maybe we have let our guard down a little too much?

I hope not, as Linux is great.
 
Old 06-09-2005, 11:35 AM   #2
little_penguin
Member
 
Registered: Nov 2004
Location: Scotland
Distribution: Suse 10 - Running KDE
Posts: 314

Original Poster
Rep: Reputation: 30
Anyone got any ideas on this?
 
Old 06-09-2005, 11:39 AM   #3
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
Quote:
Originally posted by little_penguin
Anyone got any ideas on this?
First of all, don't bump your own threads until after about 48 hours. Threads with 0 replies are automatically bumped after 16 and 24 hours.

Secondly, for your question: NO, for crying out loud. Did you know the distro you most likely installed obtained 80% of its packages from mirrored sites to package for you for one big download and install?

I would trust an open source package on a mirrored site over a proprietary package any day of the week, as the source code is freely available to you.

Go download your packages and stop being a freak about its security or not; it's most likely more secure than anything you download from Microsoft.com, as they don't give you the code you're running.

Last edited by trickykid; 06-09-2005 at 11:41 AM.
 
Old 06-09-2005, 12:40 PM   #4
mattLSO
Member
 
Registered: Jun 2005
Posts: 43

Rep: Reputation: 15
I disagree with the comment by my counterpart here...

Quote:
Secondly, for your question: NO, for crying out loud. Did you know the distro you most likely installed obtained 80% of its packages from mirrored sites to package for you for one big download and install?

I would trust an open source package on a mirrored site over a proprietary package any day of the week, as the source code is freely available to you.
Mirrors are prime targets and they have been hacked many times in the past... usually it is covered up. Not so long ago even the Debian distribution sites were hacked themselves, so I guess you can never be safe, but since mirrors are generally run by third parties, at establishments like .edu's in Russia, I know who I would prefer to download files from.

http://www.zdnet.com.au/news/securit...0281310,00.htm

This is one of the benefits for an enterprise organisation of running a commercial distribution such as Red Hat; volunteer distributions could easily have unscrupulous individuals join on board.
 
Old 06-09-2005, 01:29 PM   #5
Kdr Kane
Member
 
Registered: Jan 2005
Distribution: SUSE, LFS
Posts: 357

Rep: Reputation: 30
little_penguin,

I suggest you go back to Windows or Mac. It doesn't appear you are ever going to be happy with an answer on this.

You also sound like a good customer for Matt.

Different people have different ideas about security. Do I feel good about the security of packages on mirrors? You bet I do. But, I have a really good understanding of the security and what it takes to be compromised.

If my systems did happen to become compromised, you can bet the world would still go on without me.

Don't let fear override your thinking. And don't let those that prey on your fear control your life.
 
Old 06-09-2005, 02:17 PM   #6
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
mattLSO must work for Microsoft FUD^H^H^HMarketing department.
 
Old 06-09-2005, 03:29 PM   #7
jon_k
Member
 
Registered: Jul 2003
Location: Fort Worth, Texas
Distribution: Mepis Linux 2004
Posts: 547

Rep: Reputation: 30
Quote:
Originally posted by mattLSO

http://www.zdnet.com.au/news/securit...0281310,00.htm
That link says their security update server was compromised, but ZDNet is a "Windoze"-based reporting site anyway.

Better to read a respected security website: "Debian servers hacked, archive safe"
http://searchenterpriselinux.techtar...938279,00.html

"The alert, posted to several security and Linux mailing lists, stresses that its archive had not been hacked, sparing thousands of installations a potential security nightmare."

Seems like some editors need to go over "Patrick Gray, ZDNet Australia" journalism, lest we have another Stephen Glass from The New Republic.
 
Old 06-09-2005, 03:47 PM   #8
dosnlinux
Member
 
Registered: Mar 2005
Distribution: slackware 11, arch 2007.08
Posts: 154

Rep: Reputation: 30
If you use the checksums (md5, etc.) from the official sites, and everything equals out, then chances are the package isn't tampered with; and if it's source code, it's probably not tampered with (if it is, you can easily fix the tampering).
 
Old 06-09-2005, 04:48 PM   #9
Electro
LQ Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
Mirror servers usually use rsync to mirror the main server. The utility rsync uses a checksum to verify the file is correct. Can you depend on the mirrors? Yes, you can, but as dosnlinux said, verify the file with md5. Adding to what dosnlinux said: also verify using digital signatures like ASC, GPG, or PGP.
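The check dosnlinux and Electro describe, as an added example that is not part of any post in this thread: a download pulled from a mirror is compared against the checksum list published by the project itself (not a checksum sitting next to the file on the same mirror). The package name, checksum file and "tampered" copy are all constructed here for the demonstration; sha256sum is used in place of md5.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a mirror download against the
# checksum list from the official site, as dosnlinux suggests. The list must
# come from the project: whoever can swap a package on a mirror can swap a
# checksum file hosted beside it just as easily.
set -u

# verify_download FILE CHECKSUM_LIST
# CHECKSUM_LIST uses the "<sha256>  <filename>" format that sha256sum emits.
# Returns 0 when FILE's digest matches the entry for its own name, 1 otherwise.
verify_download() {
    file=$1
    list=$2
    name=$(basename "$file")
    # expected digest for exactly this filename, lower-cased for comparison
    expected=$(awk -v n="$name" '$2 == n { print tolower($1) }' "$list")
    if [ -z "$expected" ]; then
        echo "$name: no entry in checksum list" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH, mirror copy differs from official checksum" >&2
    return 1
}

# --- constructed demo data standing in for a real package and its checksum list
demo_dir=$(mktemp -d)
mkdir "$demo_dir/mirror"
printf 'pretend this is foo-1.0.tar.gz\n' > "$demo_dir/foo-1.0.tar.gz"
# the "official" checksum list, computed from the genuine file
( cd "$demo_dir" && sha256sum foo-1.0.tar.gz ) > "$demo_dir/SHA256SUMS"
# a modified copy under the same name, as a tampered mirror might serve it
printf 'pretend this is foo-1.0.tar.gz plus extra bytes\n' \
    > "$demo_dir/mirror/foo-1.0.tar.gz"

# Genuine copy passes; the mirror copy is rejected.
verify_download "$demo_dir/foo-1.0.tar.gz" "$demo_dir/SHA256SUMS"
verify_download "$demo_dir/mirror/foo-1.0.tar.gz" "$demo_dir/SHA256SUMS" || true

# The signature step Electro mentions, for a project that ships a detached
# .asc file, would be (not run here):  gpg --verify foo-1.0.tar.gz.asc foo-1.0.tar.gz
```

A checksum only proves the mirror copy equals what the project published; the detached signature additionally proves the checksum list or package came from a key you have chosen to trust.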
 
Old 06-10-2005, 08:22 AM   #10
dosnlinux
Member
 
Registered: Mar 2005
Distribution: slackware 11, arch 2007.08
Posts: 154

Rep: Reputation: 30
Thanks for the tip. Where can I find an ACS verifier? The only things I get in Google are actual .acs files.
 
  

