On Sat, May 21, 2016 at 01:47:41PM +0800, Paul Wise wrote:
> On Thu, May 19, 2016 at 11:18 PM, Daniel Pocock wrote:
>
> > More and more frequently I'm encountering systems where third-party
> > repositories have been added into /etc/apt/sources.list or
> > /etc/apt/sources.list.d, usually put there by some .deb package that a
> > user installed from some third party site.
>
> This discussion reminds me of this wiki page:
>
> https://wiki.debian.org/UntrustedDebs

This looks wrong to me: a vast majority of machines these days have a single user, thus pwning root gives you little additional gain. So, for running untrusted code you should execute it solely in a special environment of some kind. And if you're not executing those binaries directly, what's the point in putting them into the standard paths?

-- 
An imaginary friend squared is a real enemy.