Ubuntu in the news: Suspected Weekend Hacker Attack on Ubuntu

Derek Broughton news at pointerstop.ca
Mon Jul 24 15:23:45 BST 2006

James Troup wrote:

> Christian Jensen <cj2003 at debian-news.net> writes:
>> If the hackers somehow manage to get Ubuntu to download updates from
>> another, non-conspicuous place, and then somehow hack this other
>> place, they could push updates to Ubuntu and these users would
>> innocently install them.
> This isn't correct: the Ubuntu archive is cryptographically signed.
> Compromising a mirror (or even archive.ubuntu.com itself) wouldn't
> allow an attacker to push out updates as they wouldn't be able to sign
> them with the Ubuntu archive key and as a result the package
> management software on your system would refuse to install them.

No, it wouldn't, and surely you know better.  All the package management
software I've used so far _warns_ you when you install something that's
unsigned.  Virus makers have quite adequately proven that users will ignore
such warnings.
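
Added example, not part of the original message and not code from apt or Ubuntu: whether unauthenticated packages are refused or can be let through is something an administrator can check in apt's configuration. The Python sketch below scans apt.conf and sources.list text for the documented apt options that permit unauthenticated installs; the function names, sample text, and mirror hostnames are constructed assumptions.

```python
import re

# apt.conf options that allow unauthenticated packages or repositories.
RISKY_CONF = (
    "APT::Get::AllowUnauthenticated",
    "Acquire::AllowInsecureRepositories",
    "Acquire::AllowDowngradeToInsecureRepositories",
)
# Per-repository sources.list options with the same effect.
RISKY_SOURCE_OPTS = {"trusted", "allow-insecure", "allow-downgrade-to-insecure"}
TRUE_VALUES = {"true", "yes", "1", "on", "with", "enable"}

def audit_apt_conf(text):
    """Return risky options that are switched on (flat 'Name "value";' lines only)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop // comments
        m = re.match(r'([A-Za-z:-]+)\s+"([^"]*)"\s*;', line)
        if m and m.group(2).lower() in TRUE_VALUES:
            findings += [n for n in RISKY_CONF if n.lower() == m.group(1).lower()]
    return findings

def audit_sources(text):
    """Return (uri, option) for each one-line source entry that skips verification."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop # comments
        m = re.match(r"(deb|deb-src)\s+\[([^\]]*)\]\s+(\S+)", line)
        if not m:
            continue                                  # no [options] block
        for opt in m.group(2).split():
            key, _, value = opt.partition("=")
            if key.lower() in RISKY_SOURCE_OPTS and value.lower() in TRUE_VALUES:
                findings.append((m.group(3), key.lower()))
    return findings

# Constructed sample input, not taken from any real system.
SAMPLE_CONF = '''\
APT::Get::AllowUnauthenticated "true";   // constructed sample
Acquire::AllowInsecureRepositories "false";
'''
SAMPLE_SOURCES = '''\
deb http://archive.ubuntu.com/ubuntu example-suite main
deb [trusted=yes] http://mirror.example.invalid/ubuntu example-suite main  # constructed
deb [arch=amd64 allow-insecure=yes] http://mirror2.example.invalid/ubuntu example-suite universe
'''

if __name__ == "__main__":
    print(audit_apt_conf(SAMPLE_CONF))
    print(audit_sources(SAMPLE_SOURCES))
```

On a real host the same functions can be fed the output of `apt-config dump` and the contents of `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*.list`.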

