
Hi,

Does anyone know of an official note on how software ends up in the universe repository on Ubuntu? Given it's community maintained and not officially supported, is it considered safe enough for production use... safe in the sense of being free of malevolent elements. Stability is not an issue.

Regards,
Chandra

On 26 July 2012 13:48, Chandra Amarasingham <camarasingham@yahoo.com> wrote:
Does anyone know of an official note on how software ends up in the universe repository on Ubuntu? Given it's community maintained and not officially supported, is it considered safe enough for production use... safe in the sense of being free of malevolent elements. Stability is not an issue.

https://help.ubuntu.com/community/Repositories/#Universe

Most (if not all) of those packages originate from Debian (which, in turn, originate somewhere upstream), thus ask yourself, "do I trust...":

- The community of Ubuntu maintainers (MotU), and the security of their build environment
- Debian developers/maintainers
- Upstream software developers

That said, "given enough eyeballs, all bugs are shallow", and there are many people along that chain, but even that didn't stop a fairly grave OpenSSH bug[1] slipping through unnoticed for *years*...

[1] - http://helvick.blogspot.com.au/2008/05/debian-opensslopenssh-prng-bug.html

--
Joel Shea <jwshea@gmail.com>

Joel W Shea wrote:
On 26 July 2012 13:48, Chandra Amarasingham <camarasingham@yahoo.com> wrote:
Does anyone know of an official note on how software ends up in the universe repository on Ubuntu? Given it's community maintained and not officially supported, is it considered safe enough for production use... safe in the sense of being free of malevolent elements. Stability is not an issue.
https://help.ubuntu.com/community/Repositories/#Universe
Most (if not all) of those packages originate from Debian (which, in turn, originate somewhere upstream), thus ask yourself, "do I trust...":

- The community of Ubuntu maintainers (MotU), and the security of their build environment
- Debian developers/maintainers
- Upstream software developers
From about 2007 onwards, apt has checked repository signatures[*], so if you are concerned about injection attacks you should be looking into that.
You probably also want to consider how Ubuntu issues security updates for their packages -- for universe packages, I believe the answer is "they don't". That means you'll need to watch mitre.org or whatever to see any potential issues, and manually apply security fixes yourself. [**]

FWIW, Ubuntu servers I maintain have main on, and restricted and multiverse off. I find it is impossible to avoid relying on universe, so I generally grump a bit, then turn it on and stop worrying. There are plenty of other more important security issues, like the idiot webdev who's about to install PHP on the server.

[*] not individual package signatures, though.
[**] http://cyber.com.au/~twb/snarf/vtwb
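One practical follow-up to Trent's point about universe packages and security updates is to find out how much of a given host actually comes from universe, since those are the packages whose advisories the admin has to watch personally. The script below is an added example, not code from this thread; it reads the archive component of each installed package out of `apt-cache policy` output. The sample output embedded in it is constructed (the package names, versions and mirror are made up), and on a real apt-based host the same parser is run over the live output of `dpkg-query` and `apt-cache policy`.

```python
"""Inventory installed packages by the archive component they came from."""
import re
import shutil
import subprocess

# Constructed sample of what `apt-cache policy openssh-server nginx mytool`
# might print on an Ubuntu 12.04 host; versions and origins are made up.
SAMPLE_POLICY = """\
openssh-server:
  Installed: 1:5.9p1-5ubuntu1
  Candidate: 1:5.9p1-5ubuntu1
  Version table:
 *** 1:5.9p1-5ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status
nginx:
  Installed: 1.1.19-1
  Candidate: 1.1.19-1
  Version table:
 *** 1.1.19-1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages
        100 /var/lib/dpkg/status
mytool:
  Installed: 0.1-1
  Candidate: 0.1-1
  Version table:
 *** 0.1-1 0
        100 /var/lib/dpkg/status
"""

# ' *** <version> <pin>' marks the installed version in the version table;
# '     <version> <pin>' (five spaces) is any other version.
VERSION_RE = re.compile(r"^ (\*\*\*|   ) \S+ \d+$")
# '        500 http://mirror/ubuntu/ precise/universe amd64 Packages'
ORIGIN_RE = re.compile(r"^\s+\d+\s+\S+\s+(\S+)/(\S+)\s+\S+\s+Packages\s*$")

COMMUNITY = {"universe", "multiverse"}


def installed_components(policy_text):
    """Map package -> component ("main", "universe", ...) of the *installed*
    version, or "local" when no archive lists that version at all."""
    components = {}
    pkg = None
    in_installed = False
    for line in policy_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            pkg = line[:-1]
            components[pkg] = "local"
            in_installed = False
            continue
        m = VERSION_RE.match(line)
        if m:
            in_installed = m.group(1) == "***"
            continue
        m = ORIGIN_RE.match(line)
        if m and in_installed and pkg and components[pkg] == "local":
            components[pkg] = m.group(2)  # first archive origin wins
    return components


def needs_manual_tracking(components):
    """Packages you must watch advisories for yourself: those from the
    community components, plus anything no archive tracks."""
    return sorted(p for p, c in components.items()
                  if c in COMMUNITY or c == "local")


def system_policy_text():
    """Policy output for every installed package on an apt-based host;
    falls back to the constructed sample elsewhere."""
    if not (shutil.which("dpkg-query") and shutil.which("apt-cache")):
        return SAMPLE_POLICY
    listing = subprocess.run(
        ["dpkg-query", "-W", "--showformat=${Package}\t${Status}\n"],
        capture_output=True, text=True, check=True).stdout
    pkgs = [f[0] for f in (l.split("\t") for l in listing.splitlines())
            if len(f) == 2 and f[1] == "install ok installed"]
    if not pkgs:
        return SAMPLE_POLICY
    return subprocess.run(["apt-cache", "policy", *pkgs],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    comps = installed_components(system_policy_text())
    for p in needs_manual_tracking(comps):
        print(f"{p}\t{comps[p]}")
```

On the sample, `nginx` (universe) and `mytool` (no archive origin) are reported; `openssh-server` (main) is not. The component is taken from the origin of the installed version rather than the candidate, so a package that was installed from universe and later also appeared in main is still reported until it is actually upgraded.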

Joel W Shea wrote:
That said, "given enough eyeballs, all bugs are shallow", and there are many people along that chain, but even that didn't stop a fairly grave OpenSSH bug[1] slipping through unnoticed for *years*...
[1] - http://helvick.blogspot.com.au/2008/05/debian-opensslopenssh-prng-bug.html
Knee-jerk reaction: that URL doesn't make particularly clear that 1) it's not just SSH; and 2) IMO the blame does not lie solely with Debian. Ref. http://wiki.debian.org/SSLkeys#Causes (and that article as a whole).

BTW, Debian/Ubuntu SSH is patched to reject keys from an arbitrary blacklist. In addition to the usual blacklist per above, I also include the (known) keys of ex-staff.

AFAIK current RHEL and upstream sshd is not similarly patched, so those systems are actually MORE vulnerable to the above issue; nor can I blacklist ex-staff on them. (I welcome any corrections to that "AFAIK"!)
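On systems whose sshd lacks the blacklist patch Trent mentions, the same check can be made from the outside by comparing every key in an authorized_keys file against the fingerprints of revoked keys. The script below is an added example, not code from this thread or from the Debian/Ubuntu sshd patch; the keys in it are constructed stand-ins (the real ssh-ed25519 blob layout with hash filler where the 32-byte public key would be), and the fingerprint it computes is OpenSSH's SHA256 form, so on a real host the blacklist is built from the actual public keys kept of departed users.

```python
"""Audit authorized_keys against a blacklist of revoked (e.g. ex-staff) keys."""
import base64
import hashlib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def constructed_ed25519_key(seed):
    """Stand-in public key for offline use: real ssh-ed25519 blob layout
    (string "ssh-ed25519", string 32-byte key) but the 32 bytes are a hash
    of the seed, not a real curve point. Never install such keys."""
    filler = hashlib.sha256(seed.encode()).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(filler)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def parse_key(line):
    """Return (key_type, blob, comment) for one authorized_keys line, or None
    for blank lines, comments and undecodable keys. Options such as
    from="..." or command="..." precede the key type and are skipped."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def fingerprint(blob):
    """OpenSSH SHA256 fingerprint: base64 of SHA-256 over the key blob,
    '=' padding removed, as `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_blacklist(revoked_keys_text):
    """Fingerprints of every key in a file of revoked public keys."""
    fps = set()
    for line in revoked_keys_text.splitlines():
        parsed = parse_key(line)
        if parsed:
            fps.add(fingerprint(parsed[1]))
    return fps


def audit(authorized_keys_text, blacklist):
    """(line_number, fingerprint, comment) for each blacklisted key found.
    Matching is by fingerprint, never by the free-text comment."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = parse_key(line)
        if parsed:
            fp = fingerprint(parsed[1])
            if fp in blacklist:
                hits.append((n, fp, parsed[2]))
    return hits


# Constructed sample data: two revoked keys, one of which is still present
# in authorized_keys under a different comment and behind a forced command.
REVOKED_KEYS = "\n".join([
    constructed_ed25519_key("alice-left-2012") + " alice@oldlaptop",
    constructed_ed25519_key("bob-left-2011") + " bob@desktop",
])
AUTHORIZED_KEYS = "\n".join([
    "# www1 deploy keys",
    constructed_ed25519_key("carol") + " carol@work",
    'command="/usr/bin/rsync --server" '
    + constructed_ed25519_key("alice-left-2012") + " backup@www1",
    constructed_ed25519_key("dave") + " dave@work",
])

if __name__ == "__main__":
    for n, fp, comment in audit(AUTHORIZED_KEYS, build_blacklist(REVOKED_KEYS)):
        print(f"line {n}: revoked key {fp} ({comment})")
```

Matching on the fingerprint rather than the comment is the point: the comment on an authorized_keys line is free text that anyone can change, whereas the fingerprint is derived from the key material itself. Feeding the script the real authorized_keys files (including any AuthorizedKeysFile paths configured in sshd_config) and a file of the departed users' public keys gives the same effect as the blacklist on hosts where sshd itself will not do it.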
participants (3)
- Chandra Amarasingham
- Joel W Shea
- Trent W. Buck