
#1 2008-07-14 20:55:47

Painless
Member
Registered: 2006-02-06
Posts: 233

pacman in security article

Hi all,

My Dad (who still uses Windows 98 - don't worry he's slowly coming round) sent me this article on software updaters for Linux and BSD.  I was interested to see that it specifically mentions pacman:

Package managers are designed to automatically keep software up-to-date and thus safe from known vulnerabilities. The packages analysed in the study were APT, APT-RPM, Pacman, Portage, Ports, Slaktool, Stork, Urpmi, Yast and YUM.

"Given their critical role, the expectation would be for package managers to be extremely secure," said the researchers in the report. "We examined 10 popular package managers for Linux and BSD systems and found vulnerabilities in all of them."

(emphasis added)

Although the zdnet article mentions pacman quite prominently, the linked article only seems to mention pacman in the faq.

I manually re-order my mirrorlist (don't we all ;) ?), but if an attacker could somehow update the pacman package, the consequences would be quite worrying.  In addition, I suppose there is the possibility that a mirror could be cracked.  (Heh, just read those last five words again :) )  It occurs to me, now I've read this article, that the non-community AUR packages have the potential to be (in some respects) more secure than binary packages.

One of the reasons I chose Linux was security.  I suspect Arch is not mainstream enough to be worth the effort, from a cracker's point of view.  Also Arch itself is so minimalist that opportunities for attack will be pretty limited, and since everyone installs different services there will be less common ground for attacks.  Other distros by contrast will always tend to run many predictable services unless they are specifically disabled.

Anyway, I just wondered what the general consensus was, and I would be particularly interested in what the Architects (of Arch) think about all this.


#2 2008-07-14 21:33:37

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,410

Re: pacman in security article

See http://bbs.archlinux.org/viewtopic.php?id=51570 for a discussion of this and things that are in the pipeline to be done about it.

