Slashdot Mirror


Package Managers As Achilles Heel

An anonymous reader writes "Researchers from the University of Arizona have released a study that takes a look at the security of ten popular package managers. They were able to show all ten were vulnerable to attacks from a mirror or man-in-the-middle that allow an attacker to (along with other things) crash the system or obtain root access. Furthermore, the researchers created a fictitious administrator and company name and were able to lease a server and get it listed as an official mirror for all the distributions they tried (Ubuntu, Debian, Fedora, CentOS, and OpenSUSE). This raises the question: What keeps you up at night, the thought of attacks on your package manager or the previously discussed and patched vulnerability in DNS?" Justin Samuel (one of the Arizona researchers) also points out a synopsis on CERT's blog.

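The summary says a mirror or man-in-the-middle can drive a client to a crash or to root, but not how. A mirror does not need to forge a signature to do damage: if the client only checks that metadata and packages are signed, the mirror can serve an old, validly signed release whose packages have known holes (replay), or keep serving a release indefinitely so the client never learns about fixes (freeze). The following is an added example, not code from the Arizona study or from any distribution's package manager; the attack classes, the HMAC standing in for the repository's public-key signature, the key, the timestamps and the package blobs are all constructed for illustration. It puts a naive client that checks signatures only beside a hardened client that also checks a monotonic release version and an expiry.

```python
import hashlib
import hmac
import json

# Constructed key: stands in for the repository's signing key in this toy.
REPO_KEY = b"constructed-repository-signing-key"


def sign_metadata(meta, key=REPO_KEY):
    """Serialize a metadata dict and attach an HMAC (stand-in for a signature)."""
    body = json.dumps(meta, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def signature_ok(signed, key=REPO_KEY):
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def naive_client(signed, key=REPO_KEY):
    """Vulnerable: accepts any metadata that carries a valid signature,
    however old it is. A mirror can replay last year's signed release."""
    if not signature_ok(signed, key):
        raise ValueError("bad signature: mirror altered the metadata")
    return json.loads(signed["body"])


def hardened_client(signed, now, newest_seen, key=REPO_KEY):
    """Signature plus freshness: reject a release older than one already
    seen (replay) and a release past its expiry (freeze)."""
    if not signature_ok(signed, key):
        raise ValueError("bad signature: mirror altered the metadata")
    meta = json.loads(signed["body"])
    if meta["version"] < newest_seen:
        raise ValueError("replay: release %d older than already-seen %d"
                         % (meta["version"], newest_seen))
    if now > meta["expires"]:
        raise ValueError("freeze: release %d expired at %d, now %d"
                         % (meta["version"], meta["expires"], now))
    return meta


def check_package(meta, name, blob):
    """Verify a downloaded package blob against the digest in trusted metadata."""
    entry = meta["packages"][name]
    if hashlib.sha256(blob).hexdigest() != entry["sha256"]:
        raise ValueError("package digest mismatch for %s" % name)
    return entry["version"]


def build_repo():
    """Constructed history: release 1 ships foo 1.0, release 2 replaces it with foo 1.1."""
    foo10 = b"foo 1.0 package contents (constructed)"
    foo11 = b"foo 1.1 package contents (constructed)"
    rel1 = {"version": 1, "expires": 1000,
            "packages": {"foo": {"version": "1.0",
                                 "sha256": hashlib.sha256(foo10).hexdigest()}}}
    rel2 = {"version": 2, "expires": 2000,
            "packages": {"foo": {"version": "1.1",
                                 "sha256": hashlib.sha256(foo11).hexdigest()}}}
    return sign_metadata(rel1), sign_metadata(rel2), foo10, foo11


def run_scenario():
    """Drive both clients through what a hostile mirror can serve."""
    rel1, rel2, foo10, foo11 = build_repo()
    results = {}
    now, newest_seen = 1500, 2          # client has already installed from release 2

    # Replay: the mirror serves release 1 again. Signature is genuine.
    results["naive_replay"] = check_package(naive_client(rel1), "foo", foo10)
    try:
        hardened_client(rel1, now, newest_seen)
        results["hardened_replay"] = "accepted"
    except ValueError as err:
        results["hardened_replay"] = str(err).split(":")[0]

    # Freeze: the mirror keeps serving release 2 long after it expired.
    try:
        hardened_client(rel2, 2500, newest_seen)
        results["hardened_freeze"] = "accepted"
    except ValueError as err:
        results["hardened_freeze"] = str(err).split(":")[0]

    # Tamper: the mirror edits release 2 in place; both clients catch this.
    tampered = dict(rel2)
    tampered["body"] = rel2["body"].replace('"1.1"', '"1.0"')
    try:
        naive_client(tampered)
        results["naive_tamper"] = "accepted"
    except ValueError as err:
        results["naive_tamper"] = str(err).split(":")[0]

    # Fresh, genuine release 2 still passes the hardened client.
    results["hardened_ok"] = check_package(hardened_client(rel2, now, newest_seen), "foo", foo11)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print("%-16s %s" % (name, outcome))
```

The point of the scenario is the first line of output: the naive client happily installs foo 1.0 from a replayed release because the signature really is the repository's, so package or metadata signing alone does not stop a hostile mirror. The hardened client needs two things the client must remember or trust outside the mirror, the newest release version it has seen and a clock, which is why real designs tie metadata to expiry times and monotonic versions rather than to signatures only.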
3 of 263 comments

  1. Compile from source yourself! by suck_burners_rice · Score: 0, Troll

    I really don't understand what the big advantage is in using package managers. It's dangerous because you never know what "updates" will come down the pike. Thanks to the good folks who contribute to GNU Autotools, it's very easy to type ./configure followed by make and make install. Even end users can do this with a pretty high success rate. If there is a reason that you really need a package manager (for example, if you're a sysadmin responsible for many computers) then you can easily make your own packages and avoid trusting someone else's package decisions. Updates can be convenient, but they can screw things up really badly.

    --
    McCain/Palin '08. Now THAT's hope and change!
    1. Re:Compile from source yourself! by suck_burners_rice · Score: 0, Troll

      How in the fscking world does a serious opinion like the parent get modded Troll? Only on /.

      --
      McCain/Palin '08. Now THAT's hope and change!
  2. It's just a shill by BhaKi · Score: 0, Troll

    You brain-dead Slashdot users, are you still unable to understand? Timothy is just a Microsoft shill.

    --
    The largest prime factor of my UID is 263267.