On Thu, 26 Oct 2000, Timothy Houck wrote:

> With such a system, I can see a whole new crop of cracker attacks as a
> result of such ever-user-friendly, "plug-and-play"ish packages. IMHO,
> there is a point at which a system automates itself beyond a safe point --
> trying to be more friendly to inexperienced (lazy? maybe) users. This is
> the whole reason we have ridiculous things like macro viruses.

There's a list of reasons why I think any attacks using this system are unlikely:

1) Debian watches the security of its packages' out-of-the-box configurations very closely. security.debian.org always contains the fixed versions of packages with known vulnerabilities.

2) Debian chooses its maintainers very carefully. It takes five steps, including a GPG key and a photo ID, plus a discussion of the philosophy of free software.

3) Installing a package requires conscious action by a user with root access. It's not so simple as getting an e-mail and then suddenly your system is infected/compromised.

4) While it is possible and practical for users to get packages from places other than Debian's central repositories, this isn't standard practice. For example, although you can install HelixGNOME on a Debian 2.2 (current stable release) system from Helix's own repositories, the next release of Debian will include GNOME 1.2 (a.k.a. HelixGNOME) in the distribution itself. Any package repositories that are outside of Debian's control tend to be only for bleeding-edge stuff, and then users are strongly warned that "this could mess up your system. be careful and don't run with scissors when the moon is full at high tide." :)

All in all, I trust Debian to keep my packages more secure than if I'd compiled them myself, since the maintainers have time to think through security concerns. I still tweak configs and remove all unnecessary servers, of course, but on the whole I don't see security as being a major reason to argue against Debian's package management system.

That doesn't mean you don't have a valid point. I also tend not to trust any organization to keep my systems secure. But Debian has proven itself to me.

Anyways, enough of my opinions for now.

Pacem in Terris / Mir / Shanti / Salaam / Heiwa
Kevin R. Bullock

---------------------------------------------------------------------
To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
For additional commands, e-mail: tclug-list-help at mn-linux.org