On 29 July 2011 20:39, Arun Khan <[email protected]> wrote:
> You have an enterprise Linux installed in your system. It has a
> package management system that ensures integrity of the system;
> package dependencies as well as trustworthiness of the packages.

It is true that I am running the not-so-trusted package on an enterprise system. But it is not a server; it is a system used as my desktop. It has enterprise Linux b'cos it is also meant for testing the code I develop and for logging into production machines, since the code I develop must work in a similar environment, and it has to be secure b'cos it is exposed to production machines. But apart from these two reasons this is not a production server by itself. It is used more as a testing ground for the Perl scripts and bash scripts I develop quite frequently, and for which I make heavy use of the internet whenever I am stuck. So the browser I use is important b'cos it affects my productivity.

> It is best to install packages that are created from trusted source
> and signed by the author(s) with a WoT. Otherwise, it is best to
> build your own from source code.
>
> The package you have downloaded may well have been created from
> trusted sources but without a verifiable signature how do you know
> that indeed it is the "original" package posted by the author?

Yes, I understand there is a risk of untrusted code being injected into the system b'cos of the unsigned package. But the reality is, no one is giving a version of Chromium (OSS) that could be run on my version of RHEL (which is still active, not EOL'ed). And when I try to compile from source it becomes almost impossible to compile b'cos the current code in the Chromium SVN is dependent on a hell of a lot of libraries that are not yet made available in RHEL 5.4. Which means I have to compile those dependency libraries as well. I am not sure if there are more dependencies for these dependent libs. If true then I would be in what is popularly known as "dependency hell". Further, when compiling from source you have no easy way to stay updated with security vulnerabilities, as yum won't know about these packages. So in the end I am exposed to security risk either way, compiling from src or using the unsigned package.

AFAIK what this guy has done is he has taken legacy code which can work with the existing RHEL 5.4 libs. So there is a security risk that this Chromium is unpatched. But since I am part of an ops team, I have fairly good knowledge of the types of attack and am fast enough to identify malicious sites, etc. It will be difficult for a cracker to break through my PC, since it is not directly exposed to the internet, and has a layer of firewall in between that does some level of filtering, and my PC is fully patched except for this one. Considering the fact that many people are on the internet with Windows 2000 and similar, the amount of threat I am exposed to is fairly minimal. In case you know of any specific violation in this version of the Chromium pkg then please let me know, in which case I am ready to take a dig inside dependency hell and try my luck. But without that it is just too much effort to achieve too little.

Further, I have a question: are all signed packages trustworthy? I think we can take this discussion to another thread, if people are interested. I know a popular thread that happened in late 2004 or early 2005 between the then ILUGC's Sridhar Ratna and Sriram K., where they battled out whether Linux has better security than Windows by design. In the end the conclusion was something like: Linux is not entirely away from the security problems of Windows. Theoretically at least, what happened to Windows can happen to Linux as well, as most security vulnerabilities are exploited not purely by technical stuff but involve a fair level of user stupidity, which, no matter how secure you build your OS, will get it cracked if the user makes stupid moves. So let's not discuss this here; create a separate thread if interested. Please don't discuss this user/tech topic here; let's contain ourselves to the Chromium issue. Period. Please search the ILUGC archives if interested.

with regards,
ashwin
_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
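The two concrete checks behind this exchange, the "how do you know it is the original package" question and the "yum won't know about these packages" gap, as an added shell example that is not code from the thread: it classifies the one-line summary `rpm -K` prints for a downloaded RPM before anything is installed, and lists already-installed packages that carry no signature at all. It assumes rpm's convention of printing verified items (sha1, md5, gpg/pgp) in lowercase and unverified ones in uppercase, and that the SIGPGP/SIGGPG/RSAHEADER/DSAHEADER query tags are available on the rpm in use.

```shell
#!/bin/sh
# Added example for RHEL-style systems; not from the original thread.
# Assumption: `rpm -K FILE` prints one summary line per package, naming each
# item it checked in lowercase when it verified and in uppercase when it did
# not, and ending in "OK" or "NOT OK".

# classify_checksig LINE -> signed-ok | unsigned | missing-key | bad
# Only "signed-ok" means the payload was signed by a key already imported into
# the rpm keyring. "unsigned" means the digests match but nobody vouches for
# the package, which is exactly the situation of a third-party chromium rpm.
classify_checksig() {
    case "$1" in
        *"NOT OK"*"MISSING KEYS"*)     echo missing-key ;;  # signed, key not imported
        *"NOT OK"*)                    echo bad ;;          # digest or signature failed
        *" gpg"*" OK"|*" pgp"*" OK")   echo signed-ok ;;    # lowercase = verified
        *" OK")                        echo unsigned ;;     # digests only, no signature
        *)                             echo bad ;;          # anything unexpected: refuse
    esac
}

# check_rpm FILE -> exit status 0 only when FILE is signed by a trusted key,
# so it can gate an install: check_rpm pkg.rpm && rpm -ivh pkg.rpm
check_rpm() {
    classify_checksig "$(rpm -K "$1" 2>&1)" | grep -qx signed-ok
}

# list_unsigned_installed -> prints installed packages with no signature at
# all (neither a payload signature nor a header-only RSA/DSA signature), i.e.
# the packages that yum's gpgcheck never vouched for and never will update.
list_unsigned_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig} %{RSAHEADER:pgpsig} %{DSAHEADER:pgpsig}\n' \
    | awk '$2 == "(none)" && $3 == "(none)" && $4 == "(none)" && $5 == "(none)" { print $1 }'
}
```

Running `list_unsigned_installed` after installing a hand-built or downloaded rpm gives the list of packages that must be tracked for security updates by hand, since yum's signature checking and update metadata do not cover them.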
