Re: [Fink-users] fink security

Wed, 07 Jul 2004 09:35:03 -0700

To that end, it's important to be aware of the contact information. I use fink commander, which makes getting the package maintainer's info as easy as selecting the package and typing command-i. Recently, in fact, the checksum on the latest rasmol source file failed. I notified the maintainer, and he fixed the problem. So, reporting security issues is as important as reporting bugs.

Payam
---
"Now I have no objection to incompetence, but I do object when incompetence is accompanied by boredom and self-righteousness." Paul Feyerabend
On Jul 7, 2004, at 7:51 AM, Alexander K. Hansen wrote:


On Jul 7, 2004, at 3:21 AM, Claus Atzenbeck wrote:

Hi folks,

I am using fink for quite a long time now and I still think that it is
one of the best things for Mac since Apple has introduced Mac OS X.

However, based on the increasing amount of worms and viruses which are
out there (mainly for Windoze), I am wondering how secure fink is.

I am running selfupdate and update-all as su. Is it possible that
someone installs a virus which is hidden inside a package update?

Keep in mind that we're using source code that is to be built on many platforms. Someone would have to put in Darwin-specific code to create a virus in such a package.

Would
it be even possible that someone writes something like "rm -rf /" in the
install script?


It's possible, but that's why the package maintainers are supposed to test packages to verify that they work properly. And if an initially correct source is modified later, it's highly unlikely that the MD5 signature of the modified tarball will match that of the unmodified one, and the fink command will let you know about this right after you've downloaded the tarball before you actually start building.

What is fink's security policy for that?


I'd assume that if a corrupt tarball is found somewhere, then the upstream site will be notified and a different download location will be used.

Greetings,
Claus


--
Alexander Hansen
Fink Documentarian
[Day Job] Levitated Dipole Experiment
http://www.psfc.mit.edu/LDX



-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Fink-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-users




-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Fink-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-users

Reply via email to