| 1 |
Hi, |
| 2 |
|
| 3 |
I'm currently working on a feature article on package security. As there's |
| 4 |
been yet another CERT advisory |
| 5 |
(http://www.cert.org/advisories/CA-2002-28.html) concerning already widely |
| 6 |
distributed packages that containted a trojan horse, I'm contacting several |
| 7 |
major Linux distributors with the following questions: |
| 8 |
|
| 9 |
- How do you make sure, your distribution doesn't contain packages modified |
| 10 |
by people unauthorized to do so? |
| 11 |
|
| 12 |
- If your company uses mirrors to distribute single packages and updates, |
| 13 |
how do you make sure nobody tampers with the packages on those mirrors? |
| 14 |
There are mechanisms to ensure package integrity (e.g. MD5Sum) - are these |
| 15 |
used for all packages or only for ISO images (if you use ISOs at all)? |
| 16 |
|
| 17 |
|
| 18 |
Answers to any of the questions would be greatly appreciated. |
| 19 |
|
| 20 |
|
| 21 |
kind regards, |
| 22 |
|
| 23 |
Peter Kis |
| 24 |
|
| 25 |
editor in chief for |
| 26 |
LinuxGear.info (http://www.linuxgear.info) |
| 27 |
E-Mail: peter.kis@×××××××××.info |
| 28 |
Tel: +41-(0)76 420 1357 or +41-(0)76 561 7870 (after 5 p.m. CET) |
Archives