I apologize in advance for what seems to be a very basic and FAQ-ish question.
I've always wanted to know, what are the implications of adding new sources
to my pacman.conf (or in the case of Ubuntu/Debian, the /etc/apt/sources.list file?)
Let's say that you put some joker's site in your pacman.conf file, and they put
a malicious FOO version 2 software in their repository.
When I run pacman -Syu, does pacman say "Well, software FOO is at version 1 in
the official Arch repos, but it's at version 2 in Joker's repository, what do you want to do?"
Sorry for the basic question, but I often think that if I was trying to proliferate some keylogger or
other malware, what I would do is write some good software FOO, or act as a mirror for some good software FOO,
and then provide updates for software BAR, and have BAR be a new version of some core-software
that takes data from your keyboard and forwards it to my e-mail account.
Is my question/concern valid, or am I totally off track? I recently thought about this when adding
a repository to my pacman.conf file so that I could get updates for the yaourt application. I'm not
accusing the author of yaourt of anything at all, and think the product is great. But I just want to know if
the author of yaourt issues an update to "readline", if Arch will accept this update as a valid update the next time
I run pacman -Syu?
Thanks very much, and links/RTFMs are appreciated.
--Nate
Sure, it will.
Some facts that lower the possibility of this kind of behaviour:
1) Anyone that takes the hassle to create and maintain a well-known repository is hardly malicious.
2) Archlinux users are generally smart, paranoid and vindictive: you put a keylogger in a repo, you're DED (D-E-D).
"I'm Winston Wolfe. I solve problems."
~ Need moar games? [arch-games] ~ [aurcheck] AUR haz updates? ~
In pacman.conf(8) (man pacman.conf), under "REPOSITORY SECTIONS":
The order of repositories in the configuration files matters;
repositories listed first will take precedence over those listed later
in the file when packages in two repositories have identical names,
regardless of version number.
I tested this with a local repo and it appears to work as documented; pacman didn't prompt me to upgrade 'bash' to the newer version I had put in my test repo which was below [core] in pacman.conf.
Last edited by foutrelis (2009-07-30 08:50:02)
As long as the end-user puts the "malicious" repo below the official repos (core, extra and community) then the malicious repo can never override a package that is in the official repos, unless the user explicitly requests it like:
pacman -Sy malrepo/FOO
Note that the "malicious" repo name is prepended to the package name, separated by a slash.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
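To make the precedence rule from the two replies above concrete, here is an added example (my own code, not pacman's) that models what pacman.conf(8) documents: a bare package name resolves to the first repository in configuration order that carries it, regardless of version, while the explicit `repo/pkg` form pins the repository. The pacman.conf text and the per-repository package lists are constructed sample data; `audit_overrides` is a hypothetical helper showing the check a user would want before adding a third-party repository: which official packages it would shadow if it were listed above [core], [extra] and [community].

```python
"""Model of pacman's repository precedence, as an added illustration (not pacman code).

Everything below is constructed sample data: the pacman.conf text and the
"sync database" contents do not come from any real system.
"""
import re

# Constructed pacman.conf: a third-party repo listed *below* the official repos.
SAMPLE_PACMAN_CONF = """
[options]
HoldPkg = pacman glibc

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[community]
Include = /etc/pacman.d/mirrorlist

[thirdparty]
Server = http://example.invalid/$repo/$arch
"""

# Constructed stand-in for each repo's sync database: package name -> version.
# "thirdparty" deliberately ships a much newer "readline" than [core].
SAMPLE_REPOS = {
    "core": {"bash": "4.0.028-1", "readline": "6.0.003-1"},
    "extra": {"vim": "7.2-1"},
    "community": {"yaourt": "0.9.2-1"},
    "thirdparty": {"yaourt": "0.9.3-1", "readline": "9.9-1", "foo": "2.0-1"},
}


def repo_order(conf_text):
    """Return repository section names in file order, skipping [options]."""
    return [m.group(1) for m in re.finditer(r"^\[(.+?)\]\s*$", conf_text, re.M)
            if m.group(1) != "options"]


def resolve(target, order, repos):
    """Return (repo, version) that pacman would select for `target`, or None.

    `repo/pkg` pins the repository explicitly (as in `pacman -Sy malrepo/FOO`).
    A bare name takes the first repo in configuration order that has the
    package; version numbers are never compared across repos.
    """
    if "/" in target:
        repo, name = target.split("/", 1)
        version = repos.get(repo, {}).get(name)
        return (repo, version) if version is not None else None
    for repo in order:
        if target in repos.get(repo, {}):
            return repo, repos[repo][target]
    return None


def audit_overrides(repo_name, order, repos):
    """Hypothetical audit helper: packages for which `repo_name` wins precedence
    over a repo listed later that also ships them.

    Returns {package: (losing_repo, losing_version)}. An empty result means the
    repo cannot silently replace anything from repos listed above it.
    """
    overrides = {}
    if repo_name not in order:
        return overrides
    later = order[order.index(repo_name) + 1:]
    for pkg in repos.get(repo_name, {}):
        # Precedence only matters if nothing *earlier* in the order has pkg.
        if resolve(pkg, order, repos)[0] != repo_name:
            continue
        for other in later:
            if pkg in repos.get(other, {}):
                overrides[pkg] = (other, repos[other][pkg])
                break
    return overrides


if __name__ == "__main__":
    order = repo_order(SAMPLE_PACMAN_CONF)
    print("repo order:", order)
    print("readline ->", resolve("readline", order, SAMPLE_REPOS))
    print("thirdparty/readline ->", resolve("thirdparty/readline", order, SAMPLE_REPOS))
    print("overrides as configured:", audit_overrides("thirdparty", order, SAMPLE_REPOS))
    risky = ["thirdparty"] + [r for r in order if r != "thirdparty"]
    print("overrides if listed first:", audit_overrides("thirdparty", risky, SAMPLE_REPOS))
```

With the third-party section last, `readline` still resolves to [core] even though the sample third-party repo advertises version 9.9, and the audit reports nothing; move that section above [core] and the same audit lists both `readline` and `yaourt` as packages the third-party repo would now supply on the next `pacman -Syu`.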
Thank you all for the feedback.
--Nate