Freshmeat: Security Issues of Auto-upgrades
May 13, 2000, 15:08 (2 Talkback[s])
(Other stories by Jeff Covey)
"Package managers with download capabilities make it easy to download and install the latest software releases, bugfixes, and security patches. Could they also make it easy to download and install the latest exploits without your knowing about it? In today's editorial, I put that question to representatives of Red Hat and Debian, makers of the two most widely-used Linux package management systems."
"Users of certain other operating systems upgrade the software on their machines every few years (95, 98, 2000...). When you deal with software that moves at Open Source speeds and have a powerful package manager at your disposal, you can get in the habit of updating your system every morning while you sip the first cup of coffee. It's certainly convenient to be able to say "Grab anything new and install it for me", but do you know what procedures are in place to ensure that you get what you were expecting and not an unwelcome surprise?"
"Today, I offer the results of an email discussion about package management security issues that I had with Jason Gunthorpe of Debian and Jeff Johnson of Red Hat."