“Package managers with download capabilities make it easy to
download and install the latest software releases, bugfixes, and
security patches. Could they also make it easy to download and
install the latest exploits without your knowing about it? In
today’s editorial, I put that question to representatives of Red
Hat and Debian, makers of the two most widely-used Linux package
management systems.”
“Users of certain other operating systems upgrade the software
on their machines every few years (95, 98, 2000…). When you deal
with software that moves at Open Source speeds and have a powerful
package manager at your disposal, you can get in the habit of
updating your system every morning while you sip the first cup of
coffee. It’s certainly convenient to be able to say “Grab anything
new and install it for me”, but do you know what procedures are
place to ensure that you get what you were expecting and not an
unwelcome surprise?”
“Today, I offer the results of an email discussion about package
management security issues that I had with Jason Gunthorpe of
Debian and Jeff Johnson of Red Hat.”