codeblog code is freedom — patching my itch

12/9/2009

install from official repositories only

Filed under: Debian,Security,Ubuntu,Ubuntu-Server — kees @ 10:02 am

As quickly pointed out by Rick, don’t install random software that isn’t in the official distribution archive unless you really know what you’re doing (and copy/pasting commands from a website doesn’t count). You’re just asking to be made part of a botnet.
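One way to check an existing system against this advice, as an added example that is not part of the original post: a small POSIX shell audit that reads `apt-cache policy` output and flags installed packages whose installed version is not served by an official archive (PPAs, hand-installed .debs). The allow-list of archive hosts, the function names and the sample output are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): list installed packages whose installed version is not
# served by an official archive (PPAs, hand-installed .debs). Reads "apt-cache policy" output on stdin.
# Assumed allow-list of official archive hosts; adjust for your distribution.
OFFICIAL_HOSTS='archive.ubuntu.com security.ubuntu.com deb.debian.org security.debian.org'
foreign_packages() {
    awk -v hosts="$OFFICIAL_HOSTS" '
    BEGIN { n = split(hosts, h, " ") }
    function report() { if (pkg != "" && !official) print pkg }
    /^[^ ]/ && /:$/ { report(); pkg = substr($0, 1, length($0) - 1); in_inst = 0; official = 0; next }
    /^  Installed: \(none\)$/ { pkg = ""; next }   # not installed: nothing to judge
    /^ \*\*\* / { in_inst = 1; next }              # "***" marks the installed version
    /^     [^ ]/ { in_inst = 0; next }             # another version: leave the installed block
    in_inst && $2 ~ /^https?:\/\// {               # source line: "500 http://host/... suite/comp arch Packages"
        split($2, u, "/")
        for (i = 1; i <= n; i++) if (u[3] == h[i]) official = 1
    }
    END { report() }
    '
}
# Constructed sample output (not from a real machine) covering four cases.
sample_policy() {
cat <<'EOF'
vim:
  Installed: 8.1-1ubuntu1
  Version table:
 *** 8.1-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
wow-screensaver:
  Installed: 1.0
  Version table:
 *** 1.0 100
        100 /var/lib/dpkg/status
hello:
  Installed: 2.10-3~ppa1
  Version table:
 *** 2.10-3~ppa1 500
        500 http://ppa.launchpad.net/someone/ppa/ubuntu focal/main amd64 Packages
     2.10-2ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
nano:
  Installed: (none)
  Version table:
     4.8-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
EOF
}
sample_policy | foreign_packages
```

On a real Debian or Ubuntu machine, feed it with `dpkg-query -W -f='${binary:Package}\n' | xargs apt-cache policy | foreign_packages`; a package installed straight from a downloaded .deb shows only the dpkg status file as its source and is flagged.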

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

7 Comments »

  1. Most software isn’t supplied via the official repositories though. What’s a common user going to do when they need the software? Get it ofc.

    Even installing a screensaver via .deb makes sense if it promises you to keep itself updated.

    Comment by Vadim P. — 12/9/2009 @ 11:07 am

  2. That’s why the botnet business is so good. New suckers are born every second and Ubuntu is getting popular. :)

    Comment by Lamarr Burghess — 12/9/2009 @ 11:27 am

  3. This was a herd of cognitively questionable World-of-Warcraft wannabees installing a screensaver. You really can not expect much from people who install one operating system and then spend their lives in (not) an emulator for another operating system – what a dreadful premise to start from.

    It is not an issue of great concern for people who install reputable software from reputable sources. @Vadim: if you want to install some software then the originator usually provides installers. You wouldn’t download the new Thunderbird from just anywhere, would you? Oh yes, I see the same herd are doing that right now, adding debs and ppas from completely unknown websites – they might be okay, or this might be a new Ubuntu fashion.

    Comment by Stuart — 12/9/2009 @ 11:58 am

  4. The repositories need trusted vendor extensions. People should NEVER have to add other software repos through anything but the software center itself. Also, I need to be able to buy proprietary apps in the software center, like I can on Android. One of the best apps on my Droid is proprietary.

    Once the needed infrastructure is in place, I’d ship Ubuntu with settings that prevented the installation of non-verified software packages by default. I think Android may actually be my favorite operating system right now, just because of the Android Market.

    Comment by ethana2 — 12/9/2009 @ 1:04 pm

  5. You find a ton of software that’s not in USC yet but you want to get. I don’t believe the repository update policy is the most suitable for certain software, and their selection is rather small (due to the overly complicated personal-relationship based method of induction) for the system to actually do its job for the 95% of software out there.

    Works for basics, but extra things that you find – like those screensavers – aren’t there. No secure model in place to deliver that to the user either, just the semi-secure .debs (which are only secure if you’re technologically competent enough to look at the files it’s installing and understand what’s going on).

    Comment by Vadim P. — 12/9/2009 @ 3:19 pm

  6. I don’t believe the repository update policy is the most suitable for certain software, and their selection is rather small (due to the overly complicated personal-relationship based method of induction) for the system to actually do its job for the 95% of software out there.

    Comment by Mary B. — 12/19/2009 @ 12:08 am

  7. I think there should be a way to rate PPAs on Launchpad.

    Comment by Antonio Roberts — 12/28/2009 @ 6:31 am
