LinuxQuestions.org forum: Linux - Software
Okay, I'm still learning about Linux, so maybe I have got this a little wrong, but this is what is concerning me:
Problem 1
If I download a program from SourceForge, the download comes from a mirror. Who is it that controls these mirrors? If it isn't the developers, couldn't the packages have been tampered with?
Problem 2
I download security updates from YaST Online Update. Again, I can do that from a bunch of mirrors; couldn't the same problem arise here?
Problem 3
I use YaST to point to RPM download locations like Packman or the like that have a huge list of packages. This is great because it makes all the stuff easy to install, but again, isn't there a security risk with this? Couldn't all of these packages have been tampered with?
So far I have only downloaded RPMs using YaST from the official SUSE FTP site because I am worried about the above risks, but it is beginning to become very restrictive and I can't get the software I need. Anyone got any ideas about the above problems?
Maybe I am worrying about nothing with this; it would be good to know either way.
If these are real problems, isn't there a chance of Linux becoming a prime target for insecurity, as we all believe it is too secure for that to ever happen? Maybe we have let our guard down a little too much?
Quote:
Originally posted by little_penguin: Anyone got any ideas on this?
First of all, don't bump your own threads until after about 48 hours. Threads with 0 replies are automatically bumped after 16 and 24 hours.
Secondly, for your question: NO, for crying out loud. Did you know the distro you most likely installed obtained 80% of its packages from mirrored sites to package for you for one big download and install?
I would trust an open source package on a mirrored site over a proprietary package any day of the week, as the source code is freely available to you.
Go download your packages and stop being a freak about its security or not; it's most likely more secure than anything you download from Microsoft.com, as they don't give you the code you're running.
I disagree with the comment by my counterpart here...
Quote:
Secondly, for your question: NO, for crying out loud. Did you know the distro you most likely installed obtained 80% of its packages from mirrored sites to package for you for one big download and install?
I would trust an open source package on a mirrored site over a proprietary package any day of the week, as the source code is freely available to you.
Mirrors are prime targets and they have been hacked many times in the past... usually it is covered up. Not so long ago even the Debian distribution sites were hacked themselves, so I guess you can never be safe, but since mirrors are generally run by third parties, at establishments like .edu's in Russia, I know who I would prefer to download files from.
This is one of the benefits for an enterprise organisation of running a commercial distribution such as Red Hat; volunteer distributions could easily have unscrupulous individuals join on board.
I suggest you go back to Windows or Mac. It doesn't appear you are ever going to be happy with an answer on this.
You also sound like a good customer for Matt.
Different people have different ideas about security. Do I feel good about the security of packages on mirrors? You bet I do. But I have a really good understanding of the security and what it takes to be compromised.
If my systems did happen to become compromised, you can bet the world would still go on without me.
Don't let fear override your thinking. And don't let those who prey on your fear control your life.
Quote:
"The alert, posted to several security and Linux mailing lists, stresses that its archive had not been hacked, sparing thousands of installations a potential security nightmare."
Seems like some editors need to go over "Patrick Gray, ZDNet Australia" journalism, lest we have another Stephen Glass from The New Republic.
If you use the checksums (md5, etc.) from the official sites and everything equals out, then chances are the package isn't tampered with, and if it's source code it's probably not tampered with (if it is, you can easily fix the tampering).
Mirror servers usually use rsync to mirror the main server. The rsync utility uses a checksum to verify the file is correct. Can you depend on the mirrors? Yes, you can, but as dosnlinux said, verify the file with md5. Adding to what dosnlinux said: also verify using digital signatures (ASC, GPG, or PGP).
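As an added example, not code from the thread or from any of the posters, here is a POSIX shell script that does what the last two posts describe: check the downloaded file against a checksum list taken from the project's official site, and check the detached signature on that list. It uses sha256sum rather than md5sum; the workflow is identical, and SHA-256 is the digest current distributions publish. The point the posts make about where the checksums come from matters: a checksum list fetched from the same mirror as the package proves nothing, which is why the signature check is there. File names, the keyring path and the sample "package" are constructed for the demo; the demo exercises only the checksum functions, since it cannot assume gpg or a release key is present.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded package against a
# checksum list from the project's official site, and verify the signature on
# that list. All file names below are constructed for illustration.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_checksum FILE SUMFILE
# SUMFILE holds lines of the form "<hex>  <filename>", the format sha256sum
# and md5sum emit. Match on the exact filename so an entry for some other
# package cannot satisfy the check. Returns 0 on match, 1 on mismatch or when
# the file has no entry at all.
verify_checksum() {
    vc_file=$1
    vc_sums=$2
    vc_base=$(basename "$vc_file")
    vc_expected=$(awk -v f="$vc_base" '$2 == f { print $1; exit }' "$vc_sums")
    [ -n "$vc_expected" ] || return 1
    [ "$(digest "$vc_file")" = "$vc_expected" ]
}

# verify_signature SUMFILE SIGFILE KEYRING
# Check the detached signature on the checksum list against a keyring that
# holds only the project's release key, imported out of band (from the
# project's own site or a key fingerprint you already trust, never from the
# mirror). Requires gpg; returns gpg's status, 0 only for a good signature
# from a key in KEYRING. The keyring path is an assumption for the example.
verify_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" 2>/dev/null
}

# demo: build a constructed "package" and checksum list, then show that the
# original passes, a copy with one byte appended fails, and a file with no
# entry fails. Returns 0 only if all three outcomes are as expected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'pretend this is a tarball\n' > "$d/pkg-1.0.tar.gz"
    printf '%s  %s\n' "$(digest "$d/pkg-1.0.tar.gz")" pkg-1.0.tar.gz > "$d/SHA256SUMS"
    # Entry for an unrelated package: must never be matched by accident.
    printf '%s  %s\n' \
        0000000000000000000000000000000000000000000000000000000000000000 \
        other-2.0.tar.gz >> "$d/SHA256SUMS"

    # What a tampered mirror copy looks like: same name, different bytes.
    mkdir "$d/mirror"
    cp "$d/pkg-1.0.tar.gz" "$d/mirror/pkg-1.0.tar.gz"
    printf 'X' >> "$d/mirror/pkg-1.0.tar.gz"
    printf 'no entry for me\n' > "$d/mirror/unlisted.tar.gz"

    rc=0
    verify_checksum "$d/pkg-1.0.tar.gz" "$d/SHA256SUMS" || rc=1
    if verify_checksum "$d/mirror/pkg-1.0.tar.gz" "$d/SHA256SUMS"; then rc=1; fi
    if verify_checksum "$d/mirror/unlisted.tar.gz" "$d/SHA256SUMS"; then rc=1; fi
    rm -rf "$d"
    return $rc
}

# Usage against a real download, once SHA256SUMS and SHA256SUMS.asc have been
# fetched from the official site and the release key lives in release.gpg:
#   verify_signature SHA256SUMS SHA256SUMS.asc "$PWD/release.gpg" &&
#   verify_checksum pkg-1.0.tar.gz SHA256SUMS && echo OK
```

Order matters: the signature check establishes that the checksum list is the developers' own, and only then does a matching digest say anything about the package. Run the checks in that order and treat any failure, including "no entry for this file", as a reason not to install.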