#1 2009-07-30 06:43:56

Nate
Member
Registered: 2008-12-03
Posts: 25

Implications of new 'source' in pacman.conf

I apologize in advance for what seems to be a very basic and FAQ-ish question.

I've always wanted to know: what are the implications of adding new sources
to my pacman.conf (or, in the case of Ubuntu/Debian, the /etc/apt/sources.list file)?

Let's say that you put some joker's site in your pacman.conf file, and they put
a malicious FOO version 2 software in their repository.

When I run pacman -Syu, does pacman say "Well, software FOO is at version 1 in
the official Arch repos, but it's at version 2 in Joker's repository, what do you want to do?"

Sorry for the basic question, but I often think that if I were trying to proliferate some keylogger or
other malware, what I would do is write some good software FOO, or act as a mirror for some good software FOO,
and then provide updates for software BAR, and have BAR be a new version of some core software
that takes data from your keyboard and forwards it to my e-mail account.

Is my question/concern valid, or am I totally off track?  I recently thought about this when adding
a repository to my pacman.conf file so that I could get updates for the yaourt application.  I'm not
accusing the author of yaourt of anything at all, and I think the product is great.  But I just want to know: if
the author of yaourt issues an update to "readline", will Arch accept this update as a valid update the next time
I run pacman -Syu?

Thanks very much, and links/RTFMs are appreciated.

--Nate


#2 2009-07-30 08:16:37

arkham
Member
From: Stockholm
Registered: 2008-10-26
Posts: 516

Re: Implications of new 'source' in pacman.conf

Sure, it will.

Some facts that lower the possibility of this kind of behaviour:
1) Anyone who goes to the hassle of creating and maintaining a well-known repository is hardly malicious.
2) Archlinux users are generally smart, paranoid and vindictive: you put a keylogger in a repo, you're DED (D-E-D).



#3 2009-07-30 08:48:29

foutrelis
Developer
From: Athens, Greece
Registered: 2008-07-28
Posts: 705

Re: Implications of new 'source' in pacman.conf

In pacman.conf(8) (man pacman.conf), under "REPOSITORY SECTIONS":

The order of repositories in the configuration files matters;
repositories listed first will take precedence over those listed later
in the file when packages in two repositories have identical names,
regardless of version number.

I tested this with a local repo and it appears to work as documented; pacman didn't prompt me to upgrade 'bash' to the newer version I had put in my test repo, which was below [core] in pacman.conf.

Last edited by foutrelis (2009-07-30 08:50:02)


#4 2009-07-30 09:13:51

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Implications of new 'source' in pacman.conf

As long as the end user puts the "malicious" repo below the official repos (core, extra and community), the malicious repo can never override a package that is in the official repos, unless the user explicitly requests it, like:

pacman -Sy malrepo/FOO

Note that the "malicious" repo name is prefixed to the package name, separated by a slash.

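The rule quoted from pacman.conf(8) in #3 and the repo/package syntax in #4 are easy to get backwards, so here is a small Python model of them. This is an added example, not code from the thread or from pacman itself: it parses the [repo] section order out of a pacman.conf, resolves a package name the way the man page describes (first listed repo that carries the name wins, versions ignored), honours an explicit repo/pkg request, and audits a third-party repo for names that collide with the official repos. The two pacman.conf fragments, the package index DB and the repo name "malrepo" are constructed for the example; real pacman reads sync databases, not a dict.

```python
"""Model of pacman's "first listed repository wins" rule (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Official repos as the thread names them (2009-era layout).
OFFICIAL_REPOS = ("core", "extra", "community")

# Constructed pacman.conf: third-party repo listed AFTER the official ones.
CONF_SAFE = """
[options]
HoldPkg = pacman glibc

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[community]
Include = /etc/pacman.d/mirrorlist

[malrepo]
Server = http://joker.example/$arch
"""

# Constructed pacman.conf: same repos, but the third-party repo is listed FIRST.
CONF_RISKY = """
[options]

[malrepo]
Server = http://joker.example/$arch

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[community]
Include = /etc/pacman.d/mirrorlist
"""

# Constructed package index: repo -> {pkgname: version}. "malrepo" ships
# higher-versioned copies of core packages, the scenario the question describes.
DB: Dict[str, Dict[str, str]] = {
    "core": {"bash": "4.0.024-1", "readline": "6.0.003-1"},
    "extra": {"yaourt": "0.9.2-1"},
    "community": {},
    "malrepo": {"bash": "9.9.9-1", "readline": "9.9.9-1",
                "yaourt": "0.9.3-1", "joker-tool": "1.0-1"},
}


def repo_order(conf: str) -> List[str]:
    """Repository names in the order they appear in pacman.conf, skipping [options]."""
    order = []
    for line in conf.splitlines():
        m = re.match(r"^\s*\[([^\]]+)\]\s*$", line)
        if m and m.group(1) != "options":
            order.append(m.group(1))
    return order


def resolve(conf: str, db: Dict[str, Dict[str, str]], target: str) -> Optional[Tuple[str, str]]:
    """Resolve a `pacman -S` target to (repo, version).

    'repo/pkg' forces that repo; a bare name takes the FIRST repo in config
    order that carries it, regardless of which repo has the higher version.
    """
    if "/" in target:
        repo, pkg = target.split("/", 1)
        if pkg in db.get(repo, {}):
            return repo, db[repo][pkg]
        return None
    for repo in repo_order(conf):
        if target in db.get(repo, {}):
            return repo, db[repo][target]
    return None


def shadowed_official_packages(conf: str, db: Dict[str, Dict[str, str]], repo: str) -> List[Tuple[str, str, str]]:
    """Audit a third-party repo: (pkg, official repo it collides with, repo that wins under conf)."""
    found = []
    for pkg in db.get(repo, {}):
        for official in OFFICIAL_REPOS:
            if pkg in db.get(official, {}):
                winner, _ = resolve(conf, db, pkg)
                found.append((pkg, official, winner))
    return found


if __name__ == "__main__":
    for name, conf in (("safe", CONF_SAFE), ("risky", CONF_RISKY)):
        print(name, repo_order(conf), "bash ->", resolve(conf, DB, "bash"))
    print("explicit:", resolve(CONF_SAFE, DB, "malrepo/bash"))
    print("collisions:", shadowed_official_packages(CONF_SAFE, DB, "malrepo"))
```

The audit function is the check worth running before trusting a new repo: any package it carries that also exists in core/extra/community is a name it could take over if it ever ends up above them in the file. With CONF_SAFE, "bash" resolves to core 4.0.024-1 even though malrepo offers 9.9.9-1; with CONF_RISKY the same query returns malrepo, which is exactly the upgrade path the original question worried about.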

#5 2009-07-30 20:14:40

Nate
Member
Registered: 2008-12-03
Posts: 25

Re: Implications of new 'source' in pacman.conf

Thank you all for the feedback.

--Nate


Powered by FluxBB