-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/7/10 18:53 , Darrin Chandler wrote:
> On Tue, Dec 07, 2010 at 11:04:04PM +0100, Ketil Malde wrote:
>> It's not obvious to me that adding a mirror makes the infrastructure
>> more insecure.  Any particular concerns?  (I hope I qualify as
>> naïve here :-)
> 
> If you run a mirror people will come to you for software to run on their
> machines. I see a way to take advantage of that immediately.

Exactly.  And this isn't theoretical; fake packages and packages with extra
payloads injected into them are fairly common.

- -- 
brandon s. allbery     [linux,solaris,freebsd,perl]      [email protected]
system administrator  [openafs,heimdal,too many hats]  [email protected]
electrical and computer engineering, carnegie mellon university      KF8NH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkz/AMYACgkQIn7hlCsL25WCuwCgyuhbb6Q1eMbatUX5mxDp6Avi
dDoAnj49sj73cDTVp0+8BXxi6oir3zAq
=x2Gr
-----END PGP SIGNATURE-----

_______________________________________________
Haskell-Cafe mailing list
[email protected]
http://www.haskell.org/mailman/listinfo/haskell-cafe
