Hi,

I'm currently working on a feature article on package security. As there's
been yet another CERT advisory
(http://www.cert.org/advisories/CA-2002-28.html) concerning already widely
distributed packages that contained a trojan horse, I'm contacting several
major Linux distributors with the following questions:

- How do you make sure your distribution doesn't contain packages modified
by people unauthorized to do so?

- If your company uses mirrors to distribute single packages and updates,
how do you make sure nobody tampers with the packages on those mirrors?
There are mechanisms to ensure package integrity (e.g. MD5Sum) - are these
used for all packages or only for ISO images (if you use ISOs at all)?

Answers to any of the questions would be greatly appreciated.

kind regards,

Peter Kis

editor in chief for
LinuxGear.info (http://www.linuxgear.info)
E-Mail: peter.kis@×××××××××.info
Tel: +41-(0)76 420 1357 or +41-(0)76 561 7870 (after 5 p.m. CET)