[ubuntu-hardened] Livepatching security considerations
lin.cl.sec.list at gmail.com
Thu Apr 19 13:29:44 UTC 2018
I'm trying to evaluate risks related to Canonical's Livepatch for a home
server. Observations lead me to the conclusion that Livepatching helps to
mitigate some risks, but introduces other ones. I've found some issues
which are worth discussing.
A Livepatching subscription uses an Ubuntu One SSO account, which requires an e-mail
address. The e-mail account and the Ubuntu One account are at risk of being
taken over by password reset procedures, SMTP traffic capture, and so on.
The subscribed server is at risk.
Another concern with Livepatching is the technology itself. Software
distribution using public signed mirrors has proven its robustness. The
livepatching is less explored, as it's a new, proprietary protocol.
Am I missing something?
What can I do to mitigate these risks?
Thanks in advance for feedback.