Re: [Evolution] go-gnome installer



This is true, however, his point about it being just as dangerous to
download a file, untar it, and run it still stands.

No it isn't. This is why virtually every large-scale software
distribution includes MD5 or SHA sigs alongside the files --- 
often via HTTPS --- so you can download the files, compare the
sigs, and then install. What's funny about lynx | sh is not
that it uses Lynx to download files, but that it gives total
control of your machine immediately over to go-gnome.org.

Also, the security of this system has nothing at all to do with
the security of the "go-gnome.org" servers or Ximian or whatever.
By building an install system like this, Ximian is trusting the
recursive DNS servers of EVERY network in the world. Any weak DNS
server can be poisoned with a fake "go-gnome" that will backdoor
gnome installers without them even knowing it.

I agree with everyone else that this is off-topic and I'm sorry
for bringing it up here, but this is a total embarrassment.

Excellent hack value. Dumb idea.
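The download, compare, then install sequence the message contrasts with `lynx | sh`, as an added example that is not part of the original message or any go-gnome tooling. It assumes SHA-256 via `sha256sum` and a digest obtained separately from the download; the function names and the sample installer are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: run an installer only after its digest matches a pinned value,
# instead of piping a download straight into sh.

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on a missing file or malformed digest.
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex digits; reject anything else.
    case $expected in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file, refusing to run" >&2
        return 1
    fi
    return 0
}

# run_verified FILE EXPECTED_SHA256
# The file on disk is hashed first; sh only ever sees bytes that matched.
run_verified() {
    verify_installer "$1" "$2" || return $?
    sh "$1"
}

# Demonstration on a constructed installer in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'echo "installing (constructed sample)"\n' > "$dir/installer.sh"
    # Stands in for the digest published alongside the file.
    pinned=$(sha256sum "$dir/installer.sh" | cut -d' ' -f1)
    run_verified "$dir/installer.sh" "$pinned"
    echo "untampered copy: exit $?"
    # Simulate a modified response from a poisoned resolver or a fake server.
    printf 'echo "line injected in transit"\n' >> "$dir/installer.sh"
    run_verified "$dir/installer.sh" "$pinned"
    echo "tampered copy: exit $?"
    rm -rf "$dir"
}
demo
```

The check is only as strong as the channel the pinned digest arrived over; a digest fetched from the same unauthenticated host as the installer adds nothing.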




