Why isn't it a security issue to add to sources.list?
To install Sublime, it wants me to add a gpg key and a source list so that apt-get can find it. A couple of other programs have asked for the same. Why isn't it a security risk to add more domains to the sources?
That is: suppose package A is supposed to come from host B. I add host C in a new source list. Host C gets subverted, an attacker hosts a malicious package and calls it A. Next time I try to update A, apt-get checks the sources and decides to download it from C instead of B, and I get the malicious version.
security apt package-management
asked 4 hours ago
Sam Jaques
1232
1 Answer
The answer: It is.
It's always a risk to introduce additional sources for packages, regardless of what distro/OS you're using. The use of GPG keys, in theory, helps to mitigate the risks, since in theory someone would have to:
- get access to the server where the binaries are being served from
- get access to the private GPG key that was used to sign the binaries
- package new versions of compromised binaries, sign them, and then put them on the server
In this scenario, someone would have to get through multiple layers to do something nefarious. As is always the case with security, it's all about layers! In order for a community to thrive and stand on the shoulders of others, you have to be willing to forgo isolation and put your trust in others.
And keep in mind, the servers that serve files have been compromised before to varying degrees, but it's typically caught right away and can be addressed in short order.
Previous Attacks
- Fedora Web Site Hacked, But the Servers Undamaged!
- Malicious Software Packages Found On Arch Linux User Repository
- Malware Found in Arch Linux AUR Package Repository
Tips
- Always scrutinize URLs and make sure they are legit
- Don't add repos unless you absolutely need a package from them
- Periodically vet your sources.list
- Periodically vet the GPG keys used by sites to sign packages
- Be diligent about staying up to date on packages
edited 3 hours ago
answered 3 hours ago
slm ♦
231k65478647
Along with periodically vetting sources.list (and sources.list.d/*), I'd recommend periodically vetting the installed keys.
– Stephen Kitt
3 hours ago
@StephenKitt - excellent point, I'll add it.
– slm ♦
3 hours ago
Also, make use of the Signed-By attribute to place restrictions upon keys rather than adding them globally.
– JdeBP
1 hour ago
By "vet your sources.list", you mean to look through it and remove anything I don't need anymore?
– Sam Jaques
21 mins ago
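The scenario in the question is exactly how apt behaves: it keeps no memory of which host a package "belongs" to. Every version offered by every configured source gets a pin priority (500 by default), the highest priority wins, and ties are broken by the highest version, so a subverted host C that publishes a higher-versioned package A does get picked over the distro's own copy. The model below, an added example that is not code from the answer or from apt/dpkg, ports dpkg's version comparison, applies that priority-then-version rule to a constructed set of packages, and then shows the apt_preferences(5) pin (the point behind the "don't add repos unless you need them" and "vet your sources" tips, and the complement to JdeBP's Signed-By comment) that confines the third-party host to the one package you wanted from it. The hostnames, version strings and the planted "curl" package are constructed; the pin rule is simplified and ignores the installed-version bands and target-release handling that apt_preferences(5) also describes.

```python
"""Model of how apt chooses a candidate version, and the pin that confines a third-party repo.
Added example, not code from the answer or from apt/dpkg; hosts, versions and the planted package are constructed."""
from collections import namedtuple
from fnmatch import fnmatch
from functools import cmp_to_key
from typing import List, Optional, Tuple

def _order(c: str) -> int:
    # dpkg's character weights: digits 0, letters their code, '~' below everything, other symbols above letters.
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): alternate non-digit runs (weighted by _order) and numeric runs.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0   # end-of-string weighs 0, so "1.0~rc1" < "1.0"
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v: str) -> Tuple[int, str, str]:
    # [epoch:]upstream[-revision]; a missing revision compares equal to "0", as in dpkg.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like `dpkg --compare-versions`: epoch first, then upstream version, then Debian revision."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

# One version of a package as offered by one repository; origin is the host that "Pin: origin <host>" matches.
Candidate = namedtuple("Candidate", "package version origin")
Pin = Tuple[str, str, int]  # (package pattern, origin host, priority): one apt_preferences(5) record

def pin_priority(c: Candidate, pins: List[Pin]) -> int:
    """Simplified apt rule: a package-specific record beats a general "*" record; first match wins; default 500."""
    for specific in (True, False):
        for pattern, origin, prio in pins:
            if (pattern != "*") == specific and origin == c.origin and fnmatch(c.package, pattern):
                return prio
    return 500

def candidate(package: str, available: List[Candidate], pins: List[Pin]) -> Optional[Candidate]:
    """Highest priority wins, ties go to the highest version, and a negative priority is never installed."""
    allowed = [c for c in available if c.package == package and pin_priority(c, pins) >= 0]
    by_version = cmp_to_key(compare_versions)
    return max(allowed, key=lambda c: (pin_priority(c, pins), by_version(c.version)), default=None)

def render_preferences(pins: List[Pin]) -> str:
    """The same pins as the text of an /etc/apt/preferences.d/ file."""
    return "\n".join(f"Package: {p}\nPin: origin {o}\nPin-Priority: {n}\n" for p, o, n in pins)

# Constructed scenario: host B is the distro mirror, host C is a vendor repo that is later subverted.
OFFICIAL = "deb.debian.org"       # assumption: stands in for "host B"
THIRD_PARTY = "repo.example.com"  # assumption: stands in for "host C"
AVAILABLE = [
    Candidate("curl", "7.88.1-10+deb12u5", OFFICIAL),
    Candidate("sublime-text", "4169", THIRD_PARTY),
    # Planted on the subverted host: a distro package name with an epoch that outranks any real version.
    Candidate("curl", "99:1.0-1", THIRD_PARTY),
]
# Confine host C to the one package we want from it; anything else it offers becomes uninstallable.
CONFINE_THIRD_PARTY: List[Pin] = [("sublime-text", THIRD_PARTY, 500), ("*", THIRD_PARTY, -1)]

def demo() -> Tuple[str, str, str]:
    """Origins apt would pick for curl without pins, curl with the pins, and sublime-text with the pins."""
    hijacked = candidate("curl", AVAILABLE, [])
    safe = candidate("curl", AVAILABLE, CONFINE_THIRD_PARTY)
    editor = candidate("sublime-text", AVAILABLE, CONFINE_THIRD_PARTY)
    return hijacked.origin, safe.origin, editor.origin

if __name__ == "__main__":
    print(demo())  # ('repo.example.com', 'deb.debian.org', 'repo.example.com')
    print(render_preferences(CONFINE_THIRD_PARTY))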
add a comment |Â
1
Along with periodically vettingsources.list
(andsources.list.d/*
, IâÂÂd recommend periodically vetting the installed keys.
â Stephen Kitt
3 hours ago
@StephenKitt - excellent point, I'll add it.
â slmâ¦
3 hours ago
Also, make use of theSigned-By
attribute to place restrictions upon keys rather than adding them globally.
â JdeBP
1 hour ago
By "vet your sources.list", you mean to look through it and remove anything I don't need anymore?
â Sam Jaques
21 mins ago
1
1
Along with periodically vetting
sources.list
(and sources.list.d/*
, IâÂÂd recommend periodically vetting the installed keys.â Stephen Kitt
3 hours ago
Along with periodically vetting
sources.list
(and sources.list.d/*
, IâÂÂd recommend periodically vetting the installed keys.â Stephen Kitt
3 hours ago
@StephenKitt - excellent point, I'll add it.
â slmâ¦
3 hours ago
@StephenKitt - excellent point, I'll add it.
â slmâ¦
3 hours ago
Also, make use of the
Signed-By
attribute to place restrictions upon keys rather than adding them globally.â JdeBP
1 hour ago
Also, make use of the
Signed-By
attribute to place restrictions upon keys rather than adding them globally.â JdeBP
1 hour ago
By "vet your sources.list", you mean to look through it and remove anything I don't need anymore?
â Sam Jaques
21 mins ago
By "vet your sources.list", you mean to look through it and remove anything I don't need anymore?
â Sam Jaques
21 mins ago
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f460525%2fwhy-isnt-a-security-issue-to-add-to-sources-list%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password